[keycloak-user] Exception in Kerberos Credential Delegation example

Nirmal Kumar nirmal.kumar at impetus.co.in
Fri Jun 9 01:53:04 EDT 2017


Hi Mark,


Thanks for the reply.


I now used the following MIT Kerberos client on Windows 10 and things started working:

https://web.mit.edu/kerberos/dist/kfw/4.1/kfw-4.1-amd64.msi


One thing I had to change in Firefox, though, was setting network.auth.use-sspi to false to get rid of the exceptions below:

: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
        at org.keycloak.federation.kerberos.KerberosFederationProvider.authenticate(KerberosFederationProvider.java:194)
        at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
        at sun.reflect.GeneratedMethodAccessor327.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
        at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
        ... 60 more

Earlier I had a problem with the Windows 8.1 and kfw-4.0.1-amd64.msi combination; not sure why, maybe some environment issue at my end?


Thanks,

-Nirmal
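As an added illustration (not code from this thread, from Keycloak or from the JDK), the Python below classifies the token carried in an `Authorization: Negotiate <base64>` header the same way the JDK's GSSHeader constructor does: it expects the RFC 2743 InitialContextToken framing (tag 0x60, a DER length, then the mechanism OID) and reports anything else as defective, which is the condition behind "GSSHeader did not find the right tag". A token that is raw NTLMSSP (what SSPI can hand out when no Kerberos ticket is available) is recognised separately. All sample header values are constructed here, not captured from the thread.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")      # DER of 1.3.6.1.5.5.2 (SPNEGO, RFC 4178)
KRB5_OID = bytes.fromhex("2a864886f712010202")  # DER of 1.2.840.113554.1.2.2 (Kerberos 5)

def der_length(buf, pos):  # decode a DER length at buf[pos] -> (length, next position)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    nbytes = first & 0x7F
    if not 1 <= nbytes <= 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def classify_negotiate_token(header_value):
    """Return what kind of token an 'Authorization: Negotiate <b64>' header value carries."""
    b64 = header_value.strip().partition(" ")[2]
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "bad-base64"
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm"       # raw NTLMSSP message: no GSS-API framing at all
    # RFC 2743 3.1 framing: [APPLICATION 0] tag 0x60, DER length, then the mech OID (tag 0x06).
    # Anything else is what the JDK reports as "GSSHeader did not find the right tag".
    if not tok or tok[0] != 0x60:
        return "defective"
    try:
        _, pos = der_length(tok, 1)
        if tok[pos] != 0x06:
            return "defective"
        oid_len, pos = der_length(tok, pos + 1)
        oid = tok[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "defective"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown-mech")

def gss_token(oid, inner):  # wrap a constructed inner token in the RFC 2743 header
    body = bytes([0x06, len(oid)]) + oid + inner
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return b"\x60" + length + body

def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed samples (not from the thread): a SPNEGO token big enough to start with "YII"
# like the one in the mail, a raw NTLM type-1 message, and a blob with no GSS framing.
SAMPLE_SPNEGO = negotiate_header(gss_token(SPNEGO_OID, b"\xa0" + bytes(300)))
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20))
SAMPLE_JUNK = negotiate_header(b"\x30\x05hello")
```

A header starting with `Negotiate YII` is GSS-framed (0x60 0x82 ...), while one starting with `Negotiate TlRMTVNTUAAB` is raw NTLM, so a quick look at the first characters in the browser's network tab tells which case you are in before reading the server stack trace.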

________________________________
From: Marek Posolda <mposolda at redhat.com>
Sent: Thursday, June 8, 2017 1:42:50 AM
To: Nirmal Kumar; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Exception in Kerberos Credential Delegation example

You can try to enable some additional logging as mentioned in the
"troubleshooting" section of the Kerberos docs.

One thing which looks a bit strange to me is the name of the HTTP
principal, with the IP address in it. Does it work with the same principal
for your N1 and N2 machines? I would try to use the name instead of the IP
address. But I'm not 100% sure the issue is really this...

Marek

On 07/06/17 13:37, Nirmal Kumar wrote:
> Hi Keycloak,
>
> I set up the keycloak-demo-3.0.0 standalone server with the Kerberos example (kerberos-portal.war) on an *Ubuntu machine (N1)*.
> Next, on another *Ubuntu machine (N2)*, I set up the Kerberos client (did a kinit) and made the required config changes in Firefox, and I am able to access the URL http://N1:8080/kerberos-portal/ with the login page bypassed as expected.
>
> However, when using another *Windows 8.1 machine (N3)* where I have set up the MIT Kerberos client (did a kinit) plus the required config changes in Firefox, I am getting the login page.
> The browser does get the challenge response header WWW-Authenticate: Negotiate and then sends Authorization: Negotiate YII..., but somehow I end up with the login page and see the error below in the WildFly logs.
>
> 2017-06-07 10:46:04,332 INFO  [stdout] (default task-42) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/impetus/nirmal/http.keytab_71 refreshKrb5Config is false principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) principal is HTTP/192.168.xx.xx at IMPETUS.CO.IN
> 2017-06-07 10:46:04,334 INFO  [stdout] (default task-42) Will use keytab
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42) Commit Succeeded
> 2017-06-07 10:46:04,335 INFO  [stdout] (default task-42)
> *2017-06-07 10:46:04,337 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-42) GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration*
> 2017-06-07 10:46:04,337 INFO  [stdout] (default task-42)                [Krb5LoginModule]: Entering logout
> 2017-06-07 10:46:04,338 INFO  [stdout] (default task-42)                [Krb5LoginModule]: logged out Subject
>
> I troubleshot for quite a long time but cannot understand where the problem is.
> Can you please give me some pointers to look for?
>
> Thanks,
> -Nirmal