Sayali S Dehedkar

Greenhorn
since Jul 12, 2010

Recent posts by Sayali S Dehedkar

Access log on when accessed from server 2008 (Unauthorized):
IP - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948

Access log on when accessed from XP (Forbidden):
IP - user@domain [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 403 1102

When accessed from XP, even though I have user-roles.properties containing the user who is accessing the servlet, it is giving me 403. But that's not an issue as my application doesn't need it. I need to get 403 on Server 2008.
13 years ago
For third test case of negotiation toolkit, with Windows Server 2008 R2 as OS and IE8 as client I am getting a blank page without any error.

For the same application with Windows XP SP2, it is working.

Any pointers would be great help.
13 years ago
It worked with DES-CBC-CRC encryption type with 'Use DES encryption types for this account' checked for the server user account.
13 years ago
My conf file which I have specified in run.bat contains

[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_realm = TESTDOMAIN.COM
[realms]
TESTDOMAIN.COM = {
kdc = kdc.testdomain.com
default_domain = testdomain.com
}
[domain_realm]
.testdomain.com = TESTDOMAIN.COM

Please point me out where I am getting wrong.
13 years ago
No. For ktpass I am specifying the crypto option as DES-CBC-MD5. When I say it is working fine for RC4-HMAC, the crypto option is given as RC4-HMAC-NT.

I even tried specifying 'Use DES encryption type for this account' for the service account user. But with this the first test case is also failing, giving the error 'Warning, this is NTLM, only SPNEGO is supported!'
13 years ago
It's Windows 2003 Service Pack 2, and DES-CBC-MD5 is available as an option for compatibility.

When I use this encryption type it gives me the error javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC).

For RC4-HMAC it is working fine.

So I was wondering if RC4-HMAC is the only encryption type SPNEGO uses.
13 years ago
The above solution may not work in all scenarios.

The service account created on active directory for JBOSS should have same logon name as the machine name on which the server is running. On Active Directory there will be an entry for this machine under CN=Computers and also under CN=Users for the account having logon name as [machine name]. When we execute the command "setspn -a [service principal name] [machine name]", [service principal name] gets assigned to the account under CN=Computers, and when we execute ktpass command with SPN as [service principal name] to generate keytab, [service principal name] gets added to the account under CN=Users. So the same service principal name will be mapped to the accounts this way and therefore authentication fails.

We should add the SPN to the account under CN=Users from ADSI Edit window by adding the service principal name to servicePrincipalName attribute of the account. And there should be two service principal names HTTP/[machine name] and HTTP/[machine name].[domain name].

I have a doubt here if we can get SSO working with DES-CBC-MD5 encryption type. Any pointers would be of great help.
13 years ago
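The failure mode described in the post above, an SPN that ends up registered on two accounts (the computer object and the service user account), is detectable before anyone tries to authenticate. The following is an added example, not code from the posts or from the JBoss project: it inverts a table of accounts and their servicePrincipalName values and reports every SPN held by more than one account, which is the same check `setspn -X` performs against a live domain. The account names and SPNs are constructed sample data.

```python
"""Added example: find SPNs registered on more than one Active Directory account.

The accounts below are constructed for this example. On a real domain the same
check is what "setspn -X" performs; here the data is a plain dict so the logic
can be read and run offline.
"""

# Constructed sample: each account's servicePrincipalName attribute values.
# HTTP/jbosshost.testdomain.com appears on both the computer object and the
# service user account, the situation described in the post.
SAMPLE_ACCOUNTS = {
    "CN=JBOSSHOST,CN=Computers,DC=testdomain,DC=com": [
        "HOST/JBOSSHOST",
        "HOST/jbosshost.testdomain.com",
        "HTTP/jbosshost.testdomain.com",   # registered against the machine account
    ],
    "CN=jbosshost,CN=Users,DC=testdomain,DC=com": [
        "HTTP/jbosshost.testdomain.com",   # registered against the service user
        "HTTP/jbosshost",
    ],
    "CN=sqlsvc,CN=Users,DC=testdomain,DC=com": [
        "MSSQLSvc/db01.testdomain.com:1433",
    ],
}


def spn_index(accounts):
    """Invert account -> SPNs into SPN -> accounts.

    SPNs are compared case-insensitively, matching how the KDC looks them up,
    so HTTP/JBOSSHOST and HTTP/jbosshost count as the same name.
    """
    index = {}
    for dn, spns in accounts.items():
        for spn in spns:
            index.setdefault(spn.lower(), []).append(dn)
    return index


def duplicate_spns(accounts):
    """Return {spn: [account DNs]} for every SPN held by two or more accounts.

    With a duplicate the KDC cannot unambiguously choose which account's key to
    encrypt the service ticket to; the post above reports SPNEGO authentication
    failing in exactly this state.
    """
    return {spn: dns for spn, dns in spn_index(accounts).items() if len(dns) > 1}


def holders_of(accounts, spn):
    """List the accounts that carry a given SPN (empty list if none)."""
    return spn_index(accounts).get(spn.lower(), [])


def report(accounts):
    """Human-readable summary of duplicate SPNs."""
    lines = []
    for spn, dns in sorted(duplicate_spns(accounts).items()):
        lines.append("DUPLICATE %s" % spn)
        for dn in dns:
            lines.append("    %s" % dn)
    return "\n".join(lines) if lines else "no duplicate SPNs"


if __name__ == "__main__":
    print(report(SAMPLE_ACCOUNTS))
```

Run against a real domain you would feed the function the output of an LDAP query for servicePrincipalName (or simply run `setspn -X`); the point of the example is the check itself, which is what to run before regenerating a keytab when the toolkit reports a key or checksum failure.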
I could resolve the following error.
Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

The only SPN it was expecting was HTTP/{machine name}.

Initially I had two SPNs HTTP/{machine name} and HTTP/{machine name}.{domain} and it was giving this exception.

Just removed the other SPN and kept only HTTP/{machine name} and it worked.

Somewhat surprising.

13 years ago
Hi all,

Can we implement SSO with SPNEGO in JBOSS 4.2.2 with Java 5? After some googling we found that Active Directory (Kerberos) by default uses RC4-HMAC encryption, but Java 5 doesn't support RC4.

If we use DES encryption while executing the KTPASS command to generate the keytab file, for the third servlet test in the JBOSS negotiation toolkit we get the error
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)

For the above case, the following are the options given in the conf file
[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1

If I use Java 6 with rc4-hmac encryption enforced, I get the following error:

javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:619)

Any pointers would be of great help.

- Sayali.

13 years ago
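Both krb5.conf fragments quoted in these posts (the full file in the earlier post and the three enctype lines above) list single DES, triple DES and RC4-HMAC alongside AES. The following is an added example, not code from the posts or from the JBoss project: it parses the profile-style krb5.conf syntax (sections, key = value lines and `{ }` realm blocks) and reports every weak enctype in the three enctype settings. The sample configuration is the one quoted in the earlier post; the classification of enctypes as weak is an assumption of this example, based on RFC 6649 (deprecating DES) and RFC 8429 (deprecating triple DES and RC4).

```python
"""Added example: parse a krb5.conf and flag weak Kerberos enctypes.

The sample configuration is the one quoted in the forum posts. Which enctypes
count as weak is an assumption of this example, following RFC 6649 (DES) and
RFC 8429 (triple DES and RC4).
"""

import re

# Assumption of this example: enctypes current Kerberos guidance treats as weak.
WEAK_ENCTYPES = {
    "des-cbc-crc": "single DES, deprecated by RFC 6649",
    "des-cbc-md4": "single DES, deprecated by RFC 6649",
    "des-cbc-md5": "single DES, deprecated by RFC 6649",
    "des3-cbc-sha1": "triple DES, deprecated by RFC 8429",
    "rc4-hmac": "RC4 with HMAC-MD5, deprecated by RFC 8429",
    "arcfour-hmac": "RC4 with HMAC-MD5, deprecated by RFC 8429",
    "arcfour-hmac-md5": "RC4 with HMAC-MD5, deprecated by RFC 8429",
}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Taken from the conf file quoted in the earlier post.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_realm = TESTDOMAIN.COM
[realms]
TESTDOMAIN.COM = {
kdc = kdc.testdomain.com
default_domain = testdomain.com
}
[domain_realm]
.testdomain.com = TESTDOMAIN.COM
"""


def parse_krb5_conf(text):
    """Minimal parser for the profile syntax: [section] headers, key = value
    lines, and key = { ... } sub-blocks. Returns nested dicts, e.g.
    config["realms"]["TESTDOMAIN.COM"]["kdc"]."""
    config = {}
    stack = []  # open dicts: the current section, then any { } blocks inside it
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            stack = [config.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside of any section: %r" % line)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced closing brace")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("cannot parse line: %r" % line)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated { block")
    return config


def weak_enctype_findings(config):
    """Return (setting, enctype, reason) for every weak enctype listed in the
    [libdefaults] enctype settings, in file order."""
    findings = []
    libdefaults = config.get("libdefaults", {})
    for key in ENCTYPE_KEYS:
        for enctype in libdefaults.get(key, "").split():
            reason = WEAK_ENCTYPES.get(enctype.lower())
            if reason:
                findings.append((key, enctype, reason))
    return findings


def strong_only(config):
    """True when no enctype setting lists a weak type."""
    return not weak_enctype_findings(config)


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("realm %s, kdc %s" % (cfg["libdefaults"]["default_realm"],
                                cfg["realms"]["TESTDOMAIN.COM"]["kdc"]))
    for setting, enctype, reason in weak_enctype_findings(cfg):
        print("%-22s %-15s %s" % (setting, enctype, reason))
```

Against the sample the checker lists four weak types in each of the three settings; a file that names only AES types passes `strong_only`. The ordering of the enctype lists is what the posts are experimenting with, and the parser preserves that order so the findings can be read against the file.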