JBoss EAP 7.2 on Ubuntu 16.04 Kerberos SSO with W2016 AD/KDC server


I have been trying for several days to get this working. So far I am getting the error "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96", though sometimes, after a ktpass change, the error refers to 128 instead.
I have been through "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos" and read many (many, many) posts.
Originally I was using Tomcat 8 with the SourceForge SPNEGO project and I got that working with my GWT (2.8.2) project. No luck as yet, though, with JBoss.
In the ktpass below I have tried /kvno 0, 1, 2, 3 and 4, but it made no difference, except that (I think) the error message complained alternately about AES128 and then AES256.
I get this error when trying with Firefox. If I use IE 11 I don't get that; it prompts for a user and password (which was a surprise). If I enter my credentials it doesn't give the error, it just says:

    Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user1/dev/spnego.keytab refreshKrb5Config is true principal is HTTP/u1604ecm@MYCOMP.CO.UK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Refreshing Kerberos configuration
    principal is HTTP/u1604ecm@MYCOMP.CO.UK
    Will use keytab
    Commit Succeeded

        [Krb5LoginModule]: Entering logout
        [Krb5LoginModule]: logged out Subject

My config is below. If anyone can spot anything I have wrong I would be most grateful:

Standalone.xml (things that I added):

    <property name="java.security.krb5.kdc" value="mykdc.mycomp.co.uk"/>
    <property name="java.security.krb5.realm" value="MYCOMP.CO.UK"/>
    <property name="java.security.krb5.conf" value="/home/user1/dev/krb5.conf"/>
    <property name="jboss.security.disable.secdomain.option" value="true"/>
    <property name="java.security.krb5.debug" value="true"/>

    <security-domain name="host" cache-type="default">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                <!-- Krb5LoginModule option names are case-sensitive: "storeKey", not "storekey";
                     a misspelt option is silently ignored (the debug line above shows storeKey false) -->
                <module-option name="storeKey" value="true"/>
                <module-option name="refreshKrb5Config" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="principal" value="HTTP/u1604ecm@MYCOMP.CO.UK"/>
                <module-option name="keyTab" value="/home/user1/dev/spnego.keytab"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="debug" value="true"/>
            </login-module>
        </authentication>
    </security-domain>
    <security-domain name="app-spnego" cache-type="default">
        <authentication>
            <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="serverSecurityDomain" value="host"/>
            </login-module>
        </authentication>
    </security-domain>

krb5.conf (/home/user1/dev/krb5.conf):

    [libdefaults]
        default_realm = MYCOMP.CO.UK
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

    [realms]
        MYCOMP.CO.UK = {
            kdc = mykdc.mycomp.co.uk
        }

jboss-web.xml:

    <jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_10_0.xsd">

web.xml (fragments):

    <display-name>Security Constraint on Conversation</display-name>
    <!-- Define the Login Configuration for this Application -->
    <!-- Security roles referenced by this web application -->
    <description>Role required to log in to the Application</description>

ktpass and setspn (on the AD server):

    ktpass -princ HTTP/u1604ecm@MYCOMP.CO.UK -pass mypass -mapuser authcheck@MYCOMP.CO.UK -out c:\spnego.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

    C:\Users\administrator.GTOS>setspn -l authcheck
    Registered ServicePrincipalNames for CN=Authentication User,CN=Users,DC=mycomp,DC=co,DC=uk:

    C:\Users\administrator.GTOS>setspn -l u1604ecm
    Registered ServicePrincipalNames for CN=U1604ECM,CN=Computers,DC=mycomp,DC=co,DC=uk:

Thank you, Mark.
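A keytab inspector, added here as an example and not part of the original post or of any JBoss tooling: it parses a keytab in the 0x0502 format that ktpass and MIT kadmin write and lists each entry's principal, kvno and encryption type (the key bytes themselves are skipped and never printed), so the file JBoss reads from /home/user1/dev/spnego.keytab can be compared directly with the enctype and kvno that the "Cannot find key of appropriate type" error names. The sample keytab at the bottom is constructed inside the script (a kvno-3 entry holding only rc4-hmac and aes128 keys, the kind of mismatch that produces an AES256 complaint); the enctype numbers are the standard IANA Kerberos assignments, and `build_keytab`, `report` and the sample values are this example's own.

```python
import struct
import sys

# Standard Kerberos encryption type numbers (IANA registry, RFC 3961/3962/4757).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 0x0502


def _counted_octets(buf, pos):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse keytab bytes into a list of entry dicts; key material is skipped, not returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    entries = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_octets(data, pos)
            comps.append(comp.decode("utf-8"))
        name_type, timestamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen           # header fields plus the key itself
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode("utf-8"),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "enctype-%d" % enctype),
            "key_bytes": keylen,
        })
    return entries


def missing_enctypes(entries, principal, wanted=(18, 17)):
    """Names of the wanted enctypes (default AES256, AES128) that `principal` has no key for."""
    present = {e["enctype"] for e in entries if e["principal"] == principal}
    return [ENCTYPES[t] for t in wanted if t not in present]


def build_keytab(keys):
    """Serialise (principal, kvno, enctype, key) tuples to keytab bytes (used for the constructed sample)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in keys:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno, enctype, key length, key
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # trailing 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: kvno 3 with RC4 and AES128 keys only, no AES256 key. Key bytes are dummies.
SAMPLE_PRINCIPAL = "HTTP/u1604ecm@MYCOMP.CO.UK"
SAMPLE_KEYTAB = build_keytab([
    (SAMPLE_PRINCIPAL, 3, 23, b"\x11" * 16),
    (SAMPLE_PRINCIPAL, 3, 17, b"\x22" * 16),
])


def report(data, principal):
    """Print one line per entry and return the enctypes `principal` is missing."""
    entries = parse_keytab(data)
    for e in entries:
        print("%-32s kvno=%-3d %-26s (%d-byte key)" % (e["principal"], e["kvno"], e["enctype_name"], e["key_bytes"]))
    return missing_enctypes(entries, principal)


if __name__ == "__main__":
    # usage: python keytab_check.py [spnego.keytab] [HTTP/host@REALM]; no args uses the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    missing = report(data, sys.argv[2] if len(sys.argv) > 2 else SAMPLE_PRINCIPAL)
    if missing:
        print("no key for:", ", ".join(missing))
```

Run it against the real file with `python keytab_check.py /home/user1/dev/spnego.keytab HTTP/u1604ecm@MYCOMP.CO.UK`: if the enctype the error message names is reported as missing, or the kvno listed differs from the one the KDC now issues for that account, the keytab and the account are out of step and regenerating the keytab (and checking the SPN registration) is the place to look.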