JBoss EAP 7.2 on Ubuntu 16.04 Kerberos SSO with W2016 AD/KDC server
Hello,
I have been trying for several days to get this working. So far I am getting the error "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96", though sometimes, after a ktpass change, the error refers to 128.
I have been through "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos", and read many (many, many) posts.
Originally I was using Tomcat 8 with the sourceforge SPNEGO project and I got that working with my GWT (2.8.2) project. No luck as yet, though, with JBoss.
In the ktpass below I have tried /kvno 0, 1, 2, 3 and 4, but it made no difference, except that (I think) the error message alternately complained about AES128 and then AES256.
I get this error when trying with Firefox. If I use IE 11 I don't get that; instead it prompts for a user name and password (which was a surprise). If I enter my credentials it doesn't give the error, it just says:
Debug is true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user1/dev/spnego.keytab refreshKrb5Config is true principal is HTTP/u1604ecm@MYCOMP.CO.UK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
principal is HTTP/u1604ecm@MYCOMP.CO.UK
Will use keytab
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
My config is below. If anyone can spot anything I have wrong I would be most grateful:
standalone.xml (things that I added):
<system-properties>
    <property name="java.security.krb5.kdc" value="mykdc.mycomp.co.uk"/>
    <property name="java.security.krb5.realm" value="MYCOMP.CO.UK"/>
    <property name="java.security.krb5.conf" value="/home/user1/dev/krb5.conf"/>
    <property name="jboss.security.disable.secdomain.option" value="true"/>
    <property name="java.security.krb5.debug" value="true"/>
</system-properties>
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <!-- Krb5LoginModule option names are case-sensitive: "storekey" is ignored
                 (the debug output above shows "storeKey false"). With storeKey=true the
                 keytab keys are stored in the Subject, which is where the SPNEGO login
                 module in "app-spnego" looks for a key to decrypt the client's ticket. -->
            <module-option name="storeKey" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/u1604ecm@MYCOMP.CO.UK"/>
            <module-option name="keyTab" value="/home/user1/dev/spnego.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="app-spnego" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <!-- must name the domain that holds the server's Kerberos keys -->
            <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
    </authentication>
</security-domain>
krb5.conf:
[libdefaults]
    default_realm = MYCOMP.CO.UK
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
    MYCOMP.CO.UK = {
        kdc = mykdc.mycomp.co.uk
    }
[domain_realm]
    MYCOMP.CO.UK = MYCOMP.CO.UK
    .MYCOMP.CO.UK = MYCOMP.CO.UK
jboss-web.xml:
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_10_0.xsd">
    <security-domain>app-spnego</security-domain>
    <jacc-star-role-allow>true</jacc-star-role-allow>
</jboss-web>
web.xml:
<security-constraint>
    <display-name>Security Constraint on Conversation</display-name>
    <web-resource-collection>
        <web-resource-name>ivwb</web-resource-name>
        <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>All</role-name>
    </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
    <description>Role required to log in to the Application</description>
    <role-name>All</role-name>
</security-role>
ktpass:
ktpass -princ HTTP/u1604ecm@MYCOMP.CO.UK -pass mypass -mapuser authcheck@MYCOMP.CO.UK -out c:\spnego.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
C:\Users\administrator.GTOS>setspn -l authcheck
Registered ServicePrincipalNames for CN=Authentication User,CN=Users,DC=mycomp,DC=co,DC=uk:
HTTP/u1604ecm
HTTP/u1604ecm.mycomp.co.uk
HTTP/u1604ecm@MYCOMP.CO.UK
C:\Users\administrator.GTOS>setspn -l u1604ecm
Registered ServicePrincipalNames for CN=U1604ECM,CN=Computers,DC=mycomp,DC=co,DC=uk:
Thank you, Mark.
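A keytab check worth running before changing anything else in the JBoss configuration, added here as an example and not part of the original post. The JDK's Kerberos acceptor reports "Cannot find key of appropriate type to decrypt AP REP - <enctype>" when none of the keys it holds for the principal named in the ticket has the ticket's encryption type. Three things in the keytab therefore have to line up with the ticket the browser presents: the principal (the full SPN, compared case-sensitively; browsers derive it from the host name in the URL, so HTTP/u1604ecm and HTTP/u1604ecm.mycomp.co.uk are different keys even when both SPNs map to the same AD account), the enctype, and the key version number. The script below parses a version-2 keytab (the format ktpass writes) and applies those three checks; klist -kte shows the same fields, but this runs offline and can be pointed at the real file. Even a correct keytab only helps if the login module actually stores its keys in the Subject (storeKey=true). The sample keytab is constructed inline with dummy key bytes and timestamps, and SAMPLE_ENTRIES, parse_keytab, build_keytab and diagnose are names chosen for this example.

```python
"""Inspect a Kerberos keytab and check it against the service ticket an
acceptor has to decrypt. Handles keytab format 0x0502 (big-endian), as
written by ktpass, ktutil and similar tools."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
KRB5_NT_PRINCIPAL = 1   # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    principal: str      # "HTTP/host@REALM", must equal the ticket's server name
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "enctype-%d" % self.enctype)


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a 16-bit length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # negative size marks a deleted slot: skip it
            pos += -size
            continue
        if size == 0:
            break
        e, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2   # realm not counted in v2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        enctype, keylen = struct.unpack_from(">HH", e, p); p += 4
        key, p = e[p:p + keylen], p + keylen
        kvno = vno8
        if len(e) - p >= 4:         # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", e, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
        pos += size
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same format; used here to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(entries: List[KeytabEntry], sname: str, enctype: int,
             kvno: Optional[int] = None) -> Tuple[str, str]:
    """(status, detail) for a ticket issued to sname, encrypted with enctype/kvno."""
    mine = [e for e in entries if e.principal == sname]   # principals are case-sensitive
    if not mine:
        have = sorted({e.principal for e in entries})
        return "no-principal", "no key for %s; keytab holds %s" % (sname, ", ".join(have))
    typed = [e for e in mine if e.enctype == enctype]
    if not typed:
        have = sorted({e.enctype_name() for e in mine})
        return "no-enctype", "no %s key for %s; keytab holds %s" % (
            ENCTYPE_NAMES.get(enctype, enctype), sname, ", ".join(have))
    if kvno is not None and all(e.kvno != kvno for e in typed):
        return "kvno-mismatch", "ticket kvno %d, keytab kvno(s) %s" % (
            kvno, sorted({e.kvno for e in typed}))
    return "ok", "usable key present"


# Constructed sample (dummy key bytes): what ktpass -crypto All could leave
# in the keytab for HTTP/u1604ecm at kvno 3.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/u1604ecm@MYCOMP.CO.UK", KRB5_NT_PRINCIPAL, 1550000000, 3, 23, b"\x11" * 16),
    KeytabEntry("HTTP/u1604ecm@MYCOMP.CO.UK", KRB5_NT_PRINCIPAL, 1550000000, 3, 17, b"\x22" * 16),
    KeytabEntry("HTTP/u1604ecm@MYCOMP.CO.UK", KRB5_NT_PRINCIPAL, 1550000000, 3, 18, b"\x33" * 32),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print("%-45s kvno=%-3d %s" % (e.principal, e.kvno, e.enctype_name()))
    # The FQDN-form SPN a browser usually asks for is absent even though AES256 keys exist.
    print(diagnose(entries, "HTTP/u1604ecm.mycomp.co.uk@MYCOMP.CO.UK", 18, 3))
    print(diagnose(entries, "HTTP/u1604ecm@MYCOMP.CO.UK", 18, 3))
```

Run it with the path to the real keytab as the only argument to list its entries; the server principal and enctype the ticket actually uses are visible in the Java Kerberos debug output (java.security.krb5.debug=true), and the account's current kvno can be compared with what the keytab holds. With the constructed sample, the FQDN SPN reports "no-principal" and the short SPN reports "ok", which is the difference between a ticket the acceptor can decrypt and the "Cannot find key of appropriate type" failure.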
Responses
This problem may be related to cryptographic restrictions on the JVM. To use AES 256, you will need to update the Java Cryptography Extension (JCE) Policy files to the Unlimited Strength Jurisdiction policy version.
See this link for JVM 8: https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html