[jboss-user] [Security & JAAS/JBoss] - Kerberos / JBoss Negotiate issues and questions
ejb3workshop
do-not-reply at jboss.com
Thu Sep 18 04:59:10 EDT 2008
I have deployed JBoss Negotiate onto JBoss 4.2.3. Initially I tried to create the server's user account with a generic name such as JBoss instead of the hostname of the machine, but I couldn't get this working. After creating a user whose name matched the hostname of the JBoss server, I was able to complete the Basic Negotiation and the Security Domain Test from another client. I am still not able to complete those tests from the server itself. IE works from the other clients, but neither IE nor Firefox works on my client.
I read some suggestions to clear the cache, but I haven't found instructions on doing this.
When I try the Secured test I get the exception below. I wonder whether a problem on my system, which also runs the JBoss server, could be causing this?
| 09:54:39,905 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
| 09:54:39,905 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner at TH.local, vreddy at TH, user, ahartner at TH, jamesm at TH, other, vreddy at TH.local, jamesm at TH.local, sysop]
| 09:54:39,905 TRACE [UsersRolesLoginModule] abort
| 09:54:39,920 TRACE [SPNEGO] Login failure
| javax.security.auth.login.LoginException: Continuation Required.
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:156)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
| at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
| at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
| at java.lang.Thread.run(Thread.java:619)
| 09:54:40,030 TRACE [SPNEGO] End isValid, false
| 09:54:40,030 DEBUG [SPNEGOAuthenticator] authenticated principal = null
| 09:54:40,030 TRACE [SPNEGOContext] clear 31752641
| 09:54:40,030 TRACE [SecurityAssociation] clear, server=true
| 09:54:40,045 TRACE [SPNEGOAuthenticator] Authenticating user
| 09:54:40,045 INFO [SPNEGOAuthenticator] Header - Negotiate oYIF2zCCBdeiggXTBIIFz2CCBcsGCSqGSIb3EgECAgEAboIFujCCBbagAwIBBaEDAgEOogcDBQAgAAAAo4IE5WGCBOEwggTdoAMCAQWhChsIVEguTE9DQUyiITAfoAMCAQKhGDAWGwRI
|
...
| 0xcf 0x0e 0x1a 0x1b 0xbd 0xaa 0xa1 0x63
| 09:54:40,546 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
| 09:54:40,686 TRACE [SPNEGOLoginModule] Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
| 09:54:40,686 ERROR [SPNEGOLoginModule] Unable to authenticate
| GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.Subject.doAs(Subject.java:337)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
| at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
| at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
| at java.lang.Thread.run(Thread.java:619)
| Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
| at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
| at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
| at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
| ... 32 more
| 09:54:40,827 INFO [STDOUT] [Krb5LoginModule]: Entering logout
| 09:54:40,843 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
| 09:54:40,843 TRACE [SPNEGOLoginModule] abort
| 09:54:40,843 TRACE [UsersRolesLoginModule] initialize, instance=@12914915
| 09:54:40,843 TRACE [UsersRolesLoginModule] Security domain: SPNEGO
| 09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
| 09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-users.properties, defaults=null
| 09:54:40,858 DEBUG [UsersRolesLoginModule] Loaded properties, users=[]
| 09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
| 09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
| 09:54:40,874 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner at TH.local, vreddy at TH, user, ahartner at TH, jamesm at TH, other, vreddy at TH.local, jamesm at TH.local, sysop]
| 09:54:40,874 TRACE [UsersRolesLoginModule] abort
| 09:54:40,874 TRACE [SPNEGO] Login failure
| javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:136)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
| at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
| at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
| at java.lang.Thread.run(Thread.java:619)
| 09:54:40,999 TRACE [SPNEGO] End isValid, false
| 09:54:40,999 DEBUG [SPNEGOAuthenticator] authenticated principal = null
|
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4177326#4177326