SSO using SPNEGO in JBOSS 4.2.2

 
Hi all,

Can we implement SSO with SPNEGO in JBOSS 4.2.2 with Java 5? After some googling we found that Active Directory (Kerberos) by default uses RC4-HMAC encryption, but Java 5 doesn't support RC4.

If we use DES encryption while executing the KTPASS command to generate the keytab file, for the third servlet test in the JBoss Negotiation Toolkit we get the following error:
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)

For the above case, the following are the options given in the conf file:
[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1

If I use Java 6 with rc4-hmac encryption enforced, I get the following error:

javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:619)

Any pointers would be of great help.

- Sayali.
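The first error above says that the KDC issued an RC4-HMAC service ticket while the keytab, generated by ktpass with a DES crypto option, holds no RC4 key to decrypt it with. The quickest check is to list what the keytab actually contains (`klist -k -e` with MIT Kerberos). The Python script below is an added example, not code from this thread or from JBoss Negotiation: it parses the version 0x0502 keytab format, reports each key's principal, kvno and encryption type, flags single-DES and RC4 as weak, and answers whether a ticket of a given enctype could be decrypted with it. The two sample keytabs, the principal HTTP/server01@TESTDOMAIN.COM and the key bytes are constructed for illustration; only the realm name follows the poster's krb5.conf.

```python
"""Inventory the keys in a Kerberos keytab and check whether it can decrypt a service
ticket of a given encryption type. Offline equivalent of `klist -k -e`. Sample data is constructed."""
import struct

# Encryption type numbers from RFC 3961/3962 and RFC 4757 (rc4-hmac)
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Single-DES and RC4 are disabled by default on current KDCs and Kerberos libraries (allow_weak_crypto)
WEAK_ENCTYPES = {1, 3, 23}
KEYTAB_MAGIC = b"\x05\x02"          # MIT/Heimdal keytab, format version 2, big-endian


def _counted_string(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def _parse_entry(buf):
    """Decode one keytab_entry: principal, name type, timestamp, kvno, keyblock."""
    off = 0
    (num_components,) = struct.unpack_from(">H", buf, off)
    off += 2
    realm, off = _counted_string(buf, off)
    components = []
    for _ in range(num_components):
        comp, off = _counted_string(buf, off)
        components.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    enctype, keylen = struct.unpack_from(">HH", buf, off)
    off += 4 + keylen                  # skip the key bytes; an inventory does not need them
    kvno = vno8
    if off + 4 <= len(buf):            # optional 32-bit kvno, written when the kvno does not fit one byte
        (vno32,) = struct.unpack_from(">I", buf, off)
        kvno = vno32 or vno8
    return {
        "principal": "/".join(components) + "@" + realm,
        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
    }


def parse_keytab(data):
    """Return the list of entries in a version-0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                   # a negative size marks a deleted slot
            off += -size
            continue
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def can_decrypt(entries, principal, enctype):
    """True if the keytab holds a key for this principal with this enctype."""
    return any(e["principal"] == principal and e["enctype"] == enctype for e in entries)


def weak_keys(entries):
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; inverse of parse_keytab, used for test data."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode())
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1284350970, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, fixed timestamp
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed: what `ktpass ... -crypto DES-CBC-MD5` leaves you with (key bytes are dummies)
DES_ONLY = build_keytab([("HTTP/server01@TESTDOMAIN.COM", 2, 3, bytes(8))])
# Constructed: the same principal after re-running ktpass with -crypto RC4-HMAC-NT
WITH_RC4 = build_keytab([("HTTP/server01@TESTDOMAIN.COM", 3, 23, bytes(16))])

if __name__ == "__main__":
    for label, kt in (("DES-CBC-MD5 keytab", DES_ONLY), ("RC4-HMAC-NT keytab", WITH_RC4)):
        entries = parse_keytab(kt)
        print(label)
        for e in entries:
            flag = "  (weak)" if e["enctype"] in WEAK_ENCTYPES else ""
            print(f"  kvno {e['kvno']}  {e['principal']}  {e['enctype_name']}{flag}")
        # The KDC in this thread issued rc4-hmac service tickets; can this keytab decrypt one?
        print("  can decrypt rc4-hmac ticket:", can_decrypt(entries, "HTTP/server01@TESTDOMAIN.COM", 23))
```

Run against a real keytab with `parse_keytab(open(path, "rb").read())`; if the enctype the KDC uses for the service ticket is not in the list for the exact principal, the "Cannot find key of appropriate type" failure is explained before touching JBoss at all.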

 
Sayali S Dehedkar
Greenhorn
I could resolve the following error.
Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

The only SPN it was expecting was HTTP/{machine name}.

Initially I had two SPNs, HTTP/{machine name} and HTTP/{machine name}.{domain}, and it was giving this exception.

I just removed the other SPN, kept only HTTP/{machine name}, and it worked.

Somewhat surprising.

 
Jaikiran Pai
Sheriff
Thank you for posting the solution here
 
Sayali S Dehedkar
Greenhorn
The above solution may not work in all scenarios.

The service account created on Active Directory for JBoss should have the same logon name as the machine name on which the server is running. On Active Directory there will be an entry for this machine under CN=Computers and also under CN=Users for the account having the logon name [machine name]. When we execute the command "setspn -a [service principal name] [machine name]", [service principal name] gets assigned to the account under CN=Computers, and when we execute the ktpass command with [service principal name] as the SPN to generate the keytab, [service principal name] gets added to the account under CN=Users. So the same service principal name ends up mapped to both accounts, and therefore authentication fails.

We should add the SPN to the account under CN=Users from the ADSI Edit window by adding the service principal name to the servicePrincipalName attribute of the account. And there should be two service principal names, HTTP/[machine name] and HTTP/[machine name].[domain name].

I am not sure whether we can get SSO working with the DES-CBC-MD5 encryption type. Any pointers would be of great help.
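Active Directory requires a servicePrincipalName to be unique in the forest: when the same SPN sits on the computer object and on the service account, the KDC cannot tell which account's key to encrypt the service ticket with, which is the situation the post above describes. On Windows Server 2008 and later `setspn -X` lists duplicate SPNs and `setspn -L <account>` shows one account's SPNs; browsers build the SPN from the host name in the URL, so the account needs both HTTP/host and HTTP/host.domain if users reach the server by either name. The Python below is an added example, not from this thread or from any Microsoft tool, that runs the same check over directory records and produces the attribute edits that leave exactly one owner per SPN. RECORDS is a constructed stand-in for an LDAP search on servicePrincipalName, modelled on the two accounts the post describes; the DNs and host name are invented.

```python
"""Check servicePrincipalName registrations for an HTTP service: duplicates across accounts
and missing short/FQDN forms. Constructed records stand in for an LDAP search result."""
from collections import defaultdict

# Constructed: the state described above after `setspn -a` on the computer account and
# `ktpass` on the user account, with HTTP/server01 now present on both objects.
RECORDS = [
    {"dn": "CN=SERVER01,CN=Computers,DC=testdomain,DC=com",
     "servicePrincipalName": ["HOST/SERVER01", "HOST/server01.testdomain.com", "HTTP/server01"]},
    {"dn": "CN=server01,CN=Users,DC=testdomain,DC=com",
     "servicePrincipalName": ["HTTP/server01"]},
]
SERVICE_ACCOUNT = "CN=server01,CN=Users,DC=testdomain,DC=com"


def spn_owners(records):
    """Map each SPN (lower-cased, since AD compares SPNs case-insensitively) to the DNs carrying it."""
    owners = defaultdict(list)
    for rec in records:
        for spn in rec.get("servicePrincipalName", []):
            owners[spn.lower()].append(rec["dn"])
    return dict(owners)


def duplicate_spns(records):
    """SPNs held by more than one account: the KDC cannot choose whose key to use."""
    return {spn: dns for spn, dns in spn_owners(records).items() if len(dns) > 1}


def missing_http_spns(records, service_account_dn, host, domain):
    """Which of HTTP/host and HTTP/host.domain the service account still lacks."""
    mine = {spn.lower() for rec in records if rec["dn"] == service_account_dn
            for spn in rec.get("servicePrincipalName", [])}
    wanted = [f"HTTP/{host}", f"HTTP/{host}.{domain}"]
    return [w for w in wanted if w.lower() not in mine]


def fix_plan(records, service_account_dn, host, domain):
    """servicePrincipalName edits (action, dn, spn) that leave one owner per SPN and both HTTP forms."""
    plan = []
    for spn, dns in duplicate_spns(records).items():
        for dn in dns:
            if dn != service_account_dn:
                plan.append(("remove", dn, spn))
    for spn in missing_http_spns(records, service_account_dn, host, domain):
        plan.append(("add", service_account_dn, spn))
    return plan


if __name__ == "__main__":
    print("duplicates:", duplicate_spns(RECORDS))
    print("missing on service account:", missing_http_spns(RECORDS, SERVICE_ACCOUNT, "server01", "testdomain.com"))
    for action, dn, spn in fix_plan(RECORDS, SERVICE_ACCOUNT, "server01", "testdomain.com"):
        print(f"{action:6} {spn:32} on {dn}")
```

Feed it the output of a real directory query (one dict per object with its servicePrincipalName values) and apply the plan with `setspn -D`/`setspn -S` or ADSI Edit; after the fix, `duplicate_spns` should return an empty dict and `missing_http_spns` an empty list.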
 
Paul Sturrock
Bartender
You should be able to. Is this Windows 2008 R2? The DES encryption types are off by default (see this).
 
Sayali S Dehedkar
Greenhorn
It's Windows 2003 Service Pack 2, and DES-CBC-MD5 is available as an option for compatibility.

When I use this encryption type it gives me the error javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC).

For RC4-HMAC it is working fine.

So I was wondering if RC4-HMAC is the only encryption type SPNEGO uses.
 
Paul Sturrock
Bartender
It shouldn't be: the RC4 enc types are a Microsoft extension and not part of the GSS standard, though Java does support them. Are you specifying RC4 in your keytab file?
 
Sayali S Dehedkar
Greenhorn
No. For ktpass I am specifying the crypto option as DES-CBC-MD5. When I say it is working fine for RC4-HMAC, the crypto option is given as RC4-HMAC-NT.

I also tried specifying 'Use DES encryption types for this account' for the service account user. But with this the first test case also fails, giving the error 'Warning, this is NTLM, only SPNEGO is supported!'
 
Sayali S Dehedkar
Greenhorn
My conf file, which I have specified in run.bat, contains:

[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_realm = TESTDOMAIN.COM
[realms]
TESTDOMAIN.COM = {
    kdc = kdc.testdomain.com
    default_domain = testdomain.com
}
[domain_realm]
.testdomain.com = TESTDOMAIN.COM

Please point out where I am going wrong.
 
Sayali S Dehedkar
Greenhorn
It worked with DES-CBC-CRC encryption type with 'Use DES encryption types for this account' checked for the server user account.
 
Sayali S Dehedkar
Greenhorn
For the third test case of the Negotiation Toolkit, with Windows Server 2008 R2 as the OS and IE8 as the client, I am getting a blank page without any error.

For the same application with Windows XP SP2, it is working.

Any pointers would be of great help.
 
Jaikiran Pai
Sheriff

Sayali S Dehedkar wrote: For the third test case of the Negotiation Toolkit, with Windows Server 2008 R2 as the OS and IE8 as the client, I am getting a blank page without any error.

What HTTP return code do you see in the response?
 
Sayali S Dehedkar
Greenhorn
Access log when accessed from Server 2008 (Unauthorized):
IP - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948

Access log when accessed from XP (Forbidden):
IP - user@domain [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 403 1102

When accessed from XP, even though I have a user-roles.properties containing the user who is accessing the servlet, it gives me 403. But that's not an issue as my application doesn't need it. I need to get 403 on Server 2008.
 
Jaikiran Pai
Sheriff

Sayali S Dehedkar wrote: Access log when accessed from Server 2008 (Unauthorized):
IP - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948

A 401 indicates that authentication credentials for a restricted resource are being requested by the server. The client is expected to send back the credentials in the response header. Looks like, for some reason, it isn't doing that. And looking at this forum discussion, it appears to be a known bug. The issue has been marked as fixed, so make sure you upgrade (recommended) to that version or apply the fix mentioned here.
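Two symptoms in this thread come down to what the browser put in the Authorization header: the toolkit's 'Warning, this is NTLM, only SPNEGO is supported!' and the 401 with no user name in the access log (the client never sent a token the server accepted). The Python below is an added example, not part of this thread or of JBoss Negotiation: it builds SPNEGO NegTokenInit tokens (RFC 4178) for both the Kerberos case and the NTLM-fallback case, decodes a 'Negotiate <base64>' header back to its mechanism list to tell the two apart, and classifies access-log lines the way the 401/403 exchange above was read. The tokens' inner payloads, the IP addresses and the user name are constructed; the request line and status codes follow the two log lines posted above.

```python
"""Tell what a browser actually sent when SPNEGO SSO fails: a Kerberos ticket, an NTLM
fallback, or nothing the server accepted. Tokens and log lines below are constructed."""
import base64
import re

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2 (legacy Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10


def _der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, content, offset after it)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    return tag, buf[off:off + n], off + n


def build_neg_token_init(mech_oids, mech_token):
    """SPNEGO NegTokenInit (RFC 4178) inside a GSS-API InitialContextToken (RFC 2743)."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


def negotiate_header(raw):
    """Format raw token bytes as the browser does: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


def spnego_mech_types(raw):
    """Return the mechTypes OID list offered in a NegTokenInit."""
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, off = _read_tlv(body, 0)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("InitialContextToken is not SPNEGO")
    _, neg, _ = _read_tlv(body, off)      # [0] negTokenInit
    _, seq, _ = _read_tlv(neg, 0)         # NegTokenInit SEQUENCE
    _, mt, _ = _read_tlv(seq, 0)          # [0] mechTypes
    _, lst, _ = _read_tlv(mt, 0)          # SEQUENCE OF MechType
    oids, off = [], 0
    while off < len(lst):
        _, o, off = _read_tlv(lst, off)
        oids.append(o)
    return oids


def classify_negotiate(header_value):
    """Classify an Authorization header value: kerberos, ntlm, not-negotiate or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"                 # raw NTLMSSP: the browser never obtained a Kerberos ticket
    if raw[:1] != b"\x60":
        return "unknown"
    oids = spnego_mech_types(raw)
    if KRB5_OID in oids or MS_KRB5_OID in oids:
        return "kerberos"             # a Kerberos ticket for the service SPN is on offer
    if NTLMSSP_OID in oids:
        return "ntlm"                 # SPNEGO wrapping NTLM only: no ticket for the SPN was obtained
    return "unknown"


# host ident user [time] "request" status bytes, as written by JBoss's AccessLogValve
LOG_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+$')


def classify_access_log(line):
    """401 with no user: no accepted credentials; 403 with a user: authenticated but no role."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised access-log line")
    status, user = int(m["status"]), m["user"]
    if status == 401:
        return "not-authenticated"
    if status == 403 and user != "-":
        return "authenticated-not-authorized"
    if user != "-":
        return "authenticated"
    return "other"


if __name__ == "__main__":
    # Constructed tokens: the mechToken payloads are dummies, not real AP-REQ or NTLM messages.
    krb = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"dummy-ap-req")
    ntlm = build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
    print(classify_negotiate(negotiate_header(krb)), classify_negotiate(negotiate_header(ntlm)))
    # Log lines modelled on the two posted above, with constructed IPs and user name.
    print(classify_access_log('10.0.0.5 - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948'))
    print(classify_access_log('10.0.0.9 - user@TESTDOMAIN.COM [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 403 1102'))
```

In practice the header comes from a proxy capture or the browser's developer tools; an "ntlm" result means the client side (SPN lookup, ticket acquisition, intranet-zone settings) needs attention, while a "kerberos" result followed by a server-side GSS-API error points back at the keytab and enctype configuration discussed earlier in the thread.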
 
Jaikiran Pai
Sheriff

Jaikiran Pai wrote: The issue has been marked as fixed, so make sure you upgrade (recommended) to that version

Hmm, the version (Negotiation_2.0.3.SP3) in which this issue is fixed hasn't yet been released. So you'll have to patch the fix yourself or build from source.
 