[jboss-user] [Security & JAAS/JBoss] - JBoss Negotiation SPNEGO Problem

hr_aru do-not-reply at jboss.com
Fri Jul 31 07:21:03 EDT 2009


Hi All,

For a week I have been trying to configure SSO in JBoss. I tried the User Guide for JBoss Negotiation, a couple of how-tos found via Google, and a few more.
I'm a little bit frustrated now and I think I'm going to change my job. Iceman is a nice job, I think.
Okay seriously:

I have a Win2008 SP2 AD domain and 2 Win XP SP2 clients.

AD:   pdc.test.net
Jboss webserver.test.net with jboss-4.2.3.GA

I added a new user "webserver" to the AD.

I also ran the following commands successfully:

setspn -a HTTP/webserver.test.net
ktpass -princ HTTP/webserver.test.net@TES.NET -mapuser webserver -pass "Password
ktab.exe -k c:\webserver.host.keytab -a HTTP/webserver.test.net

Kinit works on the AD and Webserver Server.

I looked at the user properties for the user "webserver" and the account name changed to HTTP/webserver.test.net. I can also see that delegation is allowed on the Delegation tab.

The Webserver:

The jboss-negotiation-2.0.3.GA.jar is stored in default/lib.
I configured the properties-service.xml, the jboss-service.xml and login.xml.

So if I run the server, start my Firefox 3.10 or the IE7 (configured for SSO) and click Basic Negotiation, all I get to see is:

Warning, this is: NTLM Negotiation
WWW-Authenticate - Negotiate TlRMTVNTUAABAAAAB7IIogQABAAxAAAACQAJACgAAAAFASgKAAAAD1dFQlNFUlZFUlRFU1Q=

NTLM - Negotiate_Message
Warning, this is NTLM, only SPNEGO is supported!
Negotiate Flags - (encryption56Bit)(sessionKeyExchange128Bit)(negotiateVersion)(ntlm2)(alwaysSign)(oemWorkstationSupplied)(oemDomainSupplied)(ntlm)(requestTarget)(oem)(unicode)

Jboss:

11:55:48,494 INFO  [BasicNegotiationServlet] Authorization header received - decoding token.
11:55:48,509 INFO  [NTLMNegotiationServlet] Authorization header received - decoding token.
11:55:48,509 INFO  [NTLMNegotiationServlet] Using existing message.

If I click on SecurityDomainTest it works. I get a ticket. So Kerberos works (or not), but it looks like I don't get a SPNEGO ticket.

With wfetch.exe I get the same result.
I tested the troubleshooting things listed in the User Guide but I did not get more information. So any ideas?

P.S. I know my English isn't perfect.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4247226#4247226
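
Added example, not part of the original post and not JBoss Negotiation code: a small Python classifier that decodes the token of a Negotiate header and reports whether the client sent raw NTLM, SPNEGO or bare Kerberos, using the token quoted in the post as input. The function and constant names are assumptions made for this illustration.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Token copied from the WWW-Authenticate line quoted in the post.
POST_TOKEN = ("TlRMTVNTUAABAAAAB7IIogQABAAxAAAACQAJACgAAAAFASgKAAAAD1dF"
              "QlNFUlZFUlRFU1Q=")


def _gss_mech_oid(raw):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(raw) < 4 or raw[0] != 0x60:             # [APPLICATION 0] tag
        return None
    pos = 2 if raw[1] < 0x80 else 2 + (raw[1] & 0x7F)   # skip DER length
    if pos + 2 > len(raw) or raw[pos] != 0x06:     # OBJECT IDENTIFIER tag
        return None
    return raw[pos + 2: pos + 2 + raw[pos + 1]]


def _ntlm_field(raw, off):
    """Read an NTLM (len, maxlen, offset) security buffer as OEM text."""
    length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
    return raw[start:start + length].decode("ascii", "replace")


def classify_negotiate(header_value):
    """Classify the token of a 'Negotiate <base64>' header value."""
    raw = base64.b64decode(header_value.split()[-1], validate=True)
    if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mechanism": "NTLM", "message_type": msg_type, "flags": flags}
        if msg_type == 1 and len(raw) >= 32:       # NEGOTIATE_MESSAGE
            info["domain"] = _ntlm_field(raw, 16)
            info["workstation"] = _ntlm_field(raw, 24)
        return info
    oid = _gss_mech_oid(raw)
    if oid == SPNEGO_OID:
        return {"mechanism": "SPNEGO"}
    if oid == KRB5_OID:
        return {"mechanism": "Kerberos"}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    print(classify_negotiate("Negotiate " + POST_TOKEN))
```

For the token in the post this reports NTLM, message type 1, flags 0xa208b207 (the same flag set the servlet printed), workstation WEBSERVER and domain TEST.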
