[jboss-user] [Security & JAAS/JBoss] - Kerberos / JBoss Negotiate issues and questions

ejb3workshop do-not-reply at jboss.com
Thu Sep 18 04:59:10 EDT 2008


I have deployed JBoss Negotiate onto JBoss 4.2.3. Initially I tried to create the server user account using a generic name such as JBoss instead of the hostname of the machine. I couldn't get this working. After creating a user whose name matched the hostname of the JBoss server I was able to complete the Basic Negotiation and the Security Domain Test from another client. I am still not able to perform those from the server itself. IE works from the other clients, but neither IE nor Firefox works on my client.

I read some suggestions to clear the cache, but I haven't found instructions on doing this.

When I try the Secured test I get the exception below. I wonder if there is a problem on my system, which also runs the JBoss server, that could be causing this?


  | 09:54:39,905 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
  | 09:54:39,905 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner@TH.local, vreddy@TH, user, ahartner@TH, jamesm@TH, other, vreddy@TH.local, jamesm@TH.local, sysop]
  | 09:54:39,905 TRACE [UsersRolesLoginModule] abort
  | 09:54:39,920 TRACE [SPNEGO] Login failure
  | javax.security.auth.login.LoginException: Continuation Required.
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:156)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:597)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
  |         at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  |         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  |         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  |         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  |         at java.lang.Thread.run(Thread.java:619)
  | 09:54:40,030 TRACE [SPNEGO] End isValid, false
  | 09:54:40,030 DEBUG [SPNEGOAuthenticator] authenticated principal = null
  | 09:54:40,030 TRACE [SPNEGOContext] clear 31752641
  | 09:54:40,030 TRACE [SecurityAssociation] clear, server=true
  | 09:54:40,045 TRACE [SPNEGOAuthenticator] Authenticating user
  | 09:54:40,045 INFO  [SPNEGOAuthenticator] Header - Negotiate oYIF2zCCBdeiggXTBIIFz2CCBcsGCSqGSIb3EgECAgEAboIFujCCBbagAwIBBaEDAgEOogcDBQAgAAAAo4IE5WGCBOEwggTdoAMCAQWhChsIVEguTE9DQUyiITAfoAMCAQKhGDAWGwRI
  | 
...

  |  0xcf 0x0e 0x1a 0x1b 0xbd 0xaa 0xa1 0x63
  | 09:54:40,546 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
  | 09:54:40,686 TRACE [SPNEGOLoginModule] Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
  | 09:54:40,686 ERROR [SPNEGOLoginModule] Unable to authenticate
  | GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
  |         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
  |         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
  |         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.Subject.doAs(Subject.java:337)
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:597)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
  |         at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  |         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  |         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  |         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  |         at java.lang.Thread.run(Thread.java:619)
  | Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
  |         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
  |         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
  |         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
  |         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
  |         ... 32 more
  | 09:54:40,827 INFO  [STDOUT]             [Krb5LoginModule]: Entering logout
  | 09:54:40,843 INFO  [STDOUT]             [Krb5LoginModule]: logged out Subject
  | 09:54:40,843 TRACE [SPNEGOLoginModule] abort
  | 09:54:40,843 TRACE [UsersRolesLoginModule] initialize, instance=@12914915
  | 09:54:40,843 TRACE [UsersRolesLoginModule] Security domain: SPNEGO
  | 09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
  | 09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-users.properties, defaults=null
  | 09:54:40,858 DEBUG [UsersRolesLoginModule] Loaded properties, users=[]
  | 09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
  | 09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
  | 09:54:40,874 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner@TH.local, vreddy@TH, user, ahartner@TH, jamesm@TH, other, vreddy@TH.local, jamesm@TH.local, sysop]
  | 09:54:40,874 TRACE [UsersRolesLoginModule] abort
  | 09:54:40,874 TRACE [SPNEGO] Login failure
  | javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:136)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:597)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
  |         at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  |         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  |         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  |         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  |         at java.lang.Thread.run(Thread.java:619)
  | 09:54:40,999 TRACE [SPNEGO] End isValid, false
  | 09:54:40,999 DEBUG [SPNEGOAuthenticator] authenticated principal = null
  | 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4177326#4177326

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4177326
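Added example (editor's code, not part of the original post and not JBoss Negotiate code). The two failures in the log are different things. "Continuation Required." on the first leg is SPNEGOLoginModule signalling that no token has arrived yet, so the authenticator answers with a 401 and `WWW-Authenticate: Negotiate`; the real failure is on the second leg, where the JDK reports "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC". Despite the wording, what it cannot decrypt is the service ticket inside the client's AP-REQ: the KDC issued that ticket with etype 23 (RC4-HMAC) and the server's Kerberos credentials hold no RC4-HMAC key for the principal the ticket names. The visible prefix of the `Header - Negotiate` line decodes as a SPNEGO NegTokenResp wrapping a Kerberos AP-REQ (mutual-required set) whose ticket is for realm TH.LOCAL with a name-type 2 service principal; the name string and the etype lie past the point where the log is cut off. The script below decodes such a header far enough to print principal, etype and kvno, reports when the browser sent NTLMSSP instead of Kerberos, and checks the result against a keytab listing of (principal, kvno, etype) triples such as `klist -k -e` prints. The host name jbosshost.th.local, the kvno and the keytab contents are invented for the example; the realm is the one in the log.

```python
"""Decode an 'Authorization: Negotiate <base64>' value far enough to see which
mechanism the browser used and, for Kerberos, which service principal the
ticket names and which encryption type (etype) and key version (kvno) it was
issued with.  The acceptor can only decrypt the ticket if it holds a key of
that etype (and kvno) for that principal.  Added example; not JBoss Negotiate code."""
import base64

KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2 (Kerberos V5)
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; single-byte tags cover GSS/Kerberos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """List the (tag, value) TLVs packed inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def parse_krb5_ap_req(inner):
    """inner = bytes after the Kerberos OID: 2-byte TOK_ID, then AP-REQ [APPLICATION 14]."""
    if inner[:2] != b"\x01\x00":
        raise ValueError("not a KRB_AP_REQ token")
    tag, ap_req, _ = der_read(inner, 2)
    if tag != 0x6E:
        raise ValueError("expected AP-REQ, got tag 0x%02x" % tag)
    ap = dict(der_children(der_read(ap_req)[1]))                  # [0] pvno [1] msg-type [2] ap-options [3] ticket [4] authenticator
    tkt = dict(der_children(der_read(der_read(ap[0xA3])[1])[1]))  # Ticket [APPLICATION 1] -> SEQUENCE
    realm = der_read(tkt[0xA1])[1].decode()
    sname = dict(der_children(der_read(tkt[0xA2])[1]))            # PrincipalName: [0] name-type [1] name-string
    parts = [v.decode() for _, v in der_children(der_read(sname[0xA1])[1])]
    enc = dict(der_children(der_read(tkt[0xA3])[1]))              # EncryptedData: [0] etype [1] kvno [2] cipher
    etype = int.from_bytes(der_read(enc[0xA0])[1], "big", signed=True)
    kvno = int.from_bytes(der_read(enc[0xA1])[1], "big") if 0xA1 in enc else None
    return {"mech": "kerberos", "principal": "/".join(parts) + "@" + realm, "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "etype %d" % etype), "kvno": kvno}


def _parse_token(raw):
    tag, body, _ = der_read(raw)
    if tag == 0x60:                                  # GSS-API InitialContextToken: OID, then mechanism token
        _, oid, pos = der_read(body)
        if oid == KRB5_OID:
            return parse_krb5_ap_req(body[pos:])
        if oid == SPNEGO_OID:
            return _parse_token(body[pos:])
        return {"mech": "unknown", "oid": oid.hex()}
    if tag in (0xA0, 0xA1):                          # NegTokenInit / NegTokenResp; [2] holds the inner mech token
        fields = dict(der_children(der_read(body)[1]))
        if 0xA2 not in fields:
            return {"mech": "spnego", "note": "this leg carries no mechanism token"}
        return _parse_token(der_read(fields[0xA2])[1])
    raise ValueError("unrecognised token, first byte 0x%02x" % tag)


def parse_negotiate(header_value):
    """Parse the base64 part of 'Authorization: Negotiate ...' into a small description dict."""
    raw = base64.b64decode(header_value)
    if raw.startswith(b"NTLMSSP\x00"):               # browser fell back to NTLM: no Kerberos ticket at all
        return {"mech": "ntlm"}
    return _parse_token(raw)


def can_decrypt(info, keytab_entries):
    """keytab_entries: (principal, kvno, etype) triples as listed by `klist -k -e` on the server.
    True iff a key exists that the JDK could use to decrypt this ticket."""
    return any(p == info["principal"] and e == info["etype"] and (info["kvno"] is None or k == info["kvno"])
               for p, k, e in keytab_entries)


def _der(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_negotiate(realm="TH.LOCAL", service=("HTTP", "jbosshost.th.local"), etype=23, kvno=3):
    """Constructed sample: SPNEGO NegTokenInit carrying a Kerberos AP-REQ whose ticket is marked as
    encrypted with `etype`.  Cipher bytes are zero filler (only the plaintext envelope matters here);
    the host name and kvno are invented, the realm is the one in the log above."""
    ctx = lambda n, v: _der(0xA0 | n, v)             # explicit context tag [n]
    num = lambda v: _der(0x02, bytes([v]))           # INTEGER, small non-negative values only
    gs = lambda s: _der(0x1B, s.encode())            # GeneralString
    sname = _der(0x30, ctx(0, num(2)) + ctx(1, _der(0x30, b"".join(gs(s) for s in service))))
    enc = _der(0x30, ctx(0, num(etype)) + ctx(1, num(kvno)) + ctx(2, _der(0x04, bytes(64))))
    ticket = _der(0x61, _der(0x30, ctx(0, num(5)) + ctx(1, gs(realm)) + ctx(2, sname) + ctx(3, enc)))
    authenticator = _der(0x30, ctx(0, num(etype)) + ctx(2, _der(0x04, bytes(32))))
    ap_req = _der(0x6E, _der(0x30, ctx(0, num(5)) + ctx(1, num(14)) + ctx(2, _der(0x03, b"\x00\x20\x00\x00\x00"))
                             + ctx(3, ticket) + ctx(4, authenticator)))
    krb = _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    init = _der(0x30, ctx(0, _der(0x30, _der(0x06, KRB5_OID))) + ctx(2, _der(0x04, krb)))
    return base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + ctx(0, init))).decode()


if __name__ == "__main__":
    info = parse_negotiate(build_sample_negotiate(etype=23))
    print(info)
    # Constructed keytab listing: the SPN was given AES keys only, so an RC4-HMAC ticket cannot be decrypted.
    keytab = [("HTTP/jbosshost.th.local@TH.LOCAL", 3, 18), ("HTTP/jbosshost.th.local@TH.LOCAL", 3, 17)]
    print("decryptable with AES-only keytab:", can_decrypt(info, keytab))
    print("decryptable after adding an rc4-hmac key:",
          can_decrypt(info, keytab + [("HTTP/jbosshost.th.local@TH.LOCAL", 3, 23)]))
    print(parse_negotiate("TlRMTVNTUAABAAAA"))       # constructed NTLMSSP type-1 prefix: not Kerberos at all
```

To use it on the failing request, paste the complete base64 value from the `Header - Negotiate` log line into parse_negotiate(); the output gives the exact principal, etype and kvno the KDC put in the ticket. Then confirm with `klist -k -e` that the server's keytab holds a key for precisely that principal with the same etype and kvno (for a keytab produced by ktpass, the /crypto option decides which etype is written). An RC4-HMAC ticket presented to an AES-only key fails with the message in the log; an NTLMSSP token means the browser never obtained a Kerberos ticket for the server at all, which is a different problem from a key mismatch.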
