JBoss EAP 7.2 on Ubuntu 16.04 Kerberos SSO with W2016 AD/KDC server

Posted on

Hello,
I have been trying for several days to get this working. So far I am getting the error "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96", though sometimes with a ktpass change I the error refers to 128.
I have been through "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos", and read many (many, many) posts.
Originally I was using Tomcat 8 with the sourceforge SPNEGO project and I got that working with my GWT (2.8.2) project. No luck as yet though the JBoss.
In the ktpass below I have tried /kvno 0 and 1, 2, 3, 4, but it made no difference, except that (I think) the error message complained (alternately) about AES128 and then 256.
I get this error when trying with Firefox. If I use IE 11 I don't get that, it prompts for a user and password (which was a surprise). If I enter my credentials it doesn't give the error, it just says:

Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user1/dev/spnego.keytab refreshKrb5Config is true principal is HTTP/u1604ecm@MYCOMP.CO.UK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
principal is HTTP/u1604ecm@MYCOMP.CO.UK
Will use keytab
Commit Succeeded 

        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject

My config is below. If anyone can spot anything I have wrong I would be most grateful:

Standalone.xml (things that I added):

<system-properties>
    <property name="java.security.krb5.kdc" value="mykdc.mycomp.co.uk"/>
    <property name="java.security.krb5.realm" value="MYCOMP.CO.UK"/>
    <property name="java.security.krb5.conf" value="/home/user1/dev/krb5.conf"/>
    <property name="jboss.security.disable.secdomain.option" value="true"/>
    <property name="java.security.krb5.debug" value="true"/>
</system-properties>

<security-domain name="host" cache-type="default">
    <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storekey" value="true"/>
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/u1604ecm@MYCOMP.CO.UK"/>
         <module-option name="keyTab" value="/home/user1/dev/spnego.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="app-spnego" cache-type="default">
<authentication>
<login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
</security-domain>

Krb5.conf:

[libdefaults]
default_realm = MYCOMP.CO.UK
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
MYCOMP.CO.UK  = {
kdc = mykdc.mycomp.co.uk
}

[domain_realm]
MYCOMP.CO.UK = MYCOMP.CO.UK
.MYCOMP.CO.UK = MYCOMP.CO.UK

Jboss-web.xml:

<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_10_0.xsd">
<security-domain>app-spnego</security-domain>
<jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>

Web.xml:

<security-constraint>
<display-name>Security Constraint on Conversation</display-name>
<web-resource-collection>
<web-resource-name>ivwb</web-resource-name>
<url-pattern>*.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>All</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>SPNEGO</auth-method>
<realm-name>SPNEGO</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>Role required to log in to the Application</description>
<role-name>All</role-name>
</security-role>

Ktpass:

ktpass -princ HTTP/u1604ecm@MYCOMP.CO.UK -pass mypass -mapuser authcheck@MYCOMP.CO.UK -out c:\spnego.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

C:\Users\administrator.GTOS>setspn -l authcheck
Registered ServicePrincipalNames for CN=Authentication User,CN=Users,DC=mycomp,DC=co,DC=uk:
        HTTP/u1604ecm
        HTTP/u1604ecm.mycomp.co.uk
        HTTP/u1604ecm@MYCOMP.CO.UK

C:\Users\administrator.GTOS>setspn -l u1604ecm
Registered ServicePrincipalNames for CN=U1604ECM,CN=Computers,DC=mycomp,DC=co,DC=uk:

Thank you, Mark.