[jboss-user] [Security & JAAS/JBoss] - Some more SPNEGO problems

noFreak do-not-reply at jboss.com
Tue Sep 30 14:45:41 EDT 2008

Hi all,
I have added the SPNEGO Authenticator to my JBoss. I have followed the instructions in the user guide exactly. I have read this http://www.jboss.com/index.html?module=bb&op=viewtopic&t=140328 and other related SPNEGO topics.

First, my scenario:

The Kerberos KDC runs on my Win2k3 server. I have added two users, "client" and "jboss". The user "Administrator" comes built in with Win2k3 server. For the user "jboss" I followed the instructions in the user guide to get it to work as a service combined with a computer account. The browsers IE 7 and Firefox 3 are installed on the Win2k3 server. I have added the URL for my JBoss correctly to the "trusted sites" for both browsers.
Furthermore, I have a computer named "ActiveDirTest". The OS there is WinXP. The browsers are Firefox 2.0.0 and IE 6. In both browsers I have added the JBoss URL to the "trusted sites". On this machine I successfully logged in with the user client at the correct domain (in the OS, not the browsers). My JBoss is also running on this machine. It uses the SPN for the user jboss, "host/jboss@DOMAIN", and uses the generated keytab file, as described in the user guide.

Now my problems and questions:

In the Win2k server browsers the first and second jboss-negotiation-toolkit tests are successful, but the third fails with "HTTP Status 403 - Access to the requested resource has been denied". I have correctly added the user and the role in spnego-roles.properties. It looks as follows: client@DOMAIN=Users.

The second problem is that the first test fails on the computer ActiveDirTest. Both the IE 6 and the Firefox negotiation fail: Firefox with "HTTP Status 401" and IE with "Unsupported negotiation mechanism, possibly NTLM!". Perhaps because it's the same machine on which JBoss is running? I think I have configured both browsers correctly.
Any ideas to fix these problems? I don't have any more ideas :(...

Maybe I should try a third machine, without JBoss...

But there is another question: is it possible to use the SPNEGO toolkit from a machine which is not added to the Win2k3 AD? In the sense that I enter the user and password?

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4179650#4179650
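
Added example, not part of the original post or of the JBoss Negotiation code: the IE error quoted above mentions NTLM, and one way to see which mechanism a browser actually sent is to decode the `Authorization: Negotiate` value captured from the request. The function names and the sample tokens are constructed for illustration; only the NTLMSSP signature and the mechanism OIDs come from the wire formats.

```python
import base64

# Fixed byte patterns from the NTLM and GSS-API/SPNEGO wire formats.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECH_OIDS = {  # DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, value)
    "spnego": bytes.fromhex("06062b0601050502"),             # 1.3.6.1.5.5.2
    "kerberos": bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "ntlm": bytes.fromhex("060a2b06010401823702020a"),       # 1.3.6.1.4.1.311.2.2.10
}

def der(tag, content):
    """Wrap content in a DER TLV (short-form length, enough for the samples)."""
    return bytes([tag, len(content)]) + content

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"  # NTLM message sent directly, no SPNEGO wrapper
    if len(token) < 2 or token[0] != 0x60:
        return "unknown"   # not a GSS-API initial context token
    # Skip the DER length: one byte, or 0x8N followed by N length bytes.
    off = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    body = token[off:]
    if body.startswith(MECH_OIDS["kerberos"]):
        return "raw-kerberos"
    if not body.startswith(MECH_OIDS["spnego"]):
        return "unknown"
    # Heuristic: search for mechanism OIDs anywhere in the NegTokenInit.
    offered = {n for n, oid in MECH_OIDS.items() if n != "spnego" and oid in body}
    if offered & {"kerberos", "ms-kerberos"}:
        return "spnego-kerberos"
    return "spnego-ntlm-only" if "ntlm" in offered else "spnego-other"

def sample_spnego(mechs):
    """Constructed NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mech_list = der(0x30, b"".join(MECH_OIDS[m] for m in mechs))
    neg_token_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    token = der(0x60, MECH_OIDS["spnego"] + neg_token_init)
    return "Negotiate " + base64.b64encode(token).decode()

if __name__ == "__main__":
    for mechs in (["ms-kerberos", "kerberos", "ntlm"], ["ntlm"]):
        print(mechs, "->", classify_negotiate(sample_spnego(mechs)))
```

A result of `raw-ntlm` or `spnego-ntlm-only` means the browser did not offer a Kerberos ticket for the service.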
