Translated message

A translation of this page exists in English.

RH-SSO Kerberos 認証エラー: SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

Solution Unverified - Updated -

Issue

  • 認証が失敗する
  • RH-SSO が次のエラーをログに記録する

    2017-12-06 16:08:52,977 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-2) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
        at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:617)
        at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:282)
        at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:90)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:191)
        at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
        at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
        at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:123)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:317)
        at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:125)
        ...
        ...
    Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:172)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:135)
        at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:125)
        ... 61 more
    

Environment

  • Red Hat Single Sign-On (RH-SSO)
    • 7
  • Microsoft Active Directory
  • "Allow Kerberos authentication" を有効にして、RH-SSO で AD LDAP プロバイダーを設定
  • LB (ロードバランサー) 経由でアクセスするリソース URL

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content