  • JBoss EAP 7.2 on Ubuntu 16.04 Kerberos SSO with W2016 AD/KDC server


    Hello,
    I have been trying for several days to get this working. So far I am getting the error "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96", though sometimes with a ktpass change the error refers to 128.
    I have been through "Chapter 2. How to Set Up SSO for JBoss EAP with Kerberos", and read many (many, many) posts.
    Originally I was using Tomcat 8 with the sourceforge SPNEGO project and I got that working with my GWT (2.8.2) project. No luck as yet though with JBoss.
    In the ktpass below I have tried /kvno 0 and 1, 2, 3, 4, but it made no difference, except that (I think) the error message complained (alternately) about AES128 and then 256.
    I get this error when trying with Firefox. If I use IE 11 I don't get that, it prompts for a user and password (which was a surprise). If I enter my credentials it doesn't give the error, it just says:

    Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user1/dev/spnego.keytab refreshKrb5Config is true principal is HTTP/u1604ecm@MYCOMP.CO.UK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Refreshing Kerberos configuration
    principal is HTTP/u1604ecm@MYCOMP.CO.UK
    Will use keytab
    Commit Succeeded 
    
            [Krb5LoginModule]: Entering logout
            [Krb5LoginModule]: logged out Subject
    

    My config is below. If anyone can spot anything I have wrong I would be most grateful:

    Standalone.xml (things that I added):
    
    
        
        
        
        
        
    
    
    
        
        
    
    
    
    
             
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    Krb5.conf:

    [libdefaults]
    default_realm = MYCOMP.CO.UK
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    
    [realms]
    MYCOMP.CO.UK  = {
    kdc = mykdc.mycomp.co.uk
    }
    
    [domain_realm]
    MYCOMP.CO.UK = MYCOMP.CO.UK
    .MYCOMP.CO.UK = MYCOMP.CO.UK
    

    Jboss-web.xml:

    
    app-spnego
    true
    
    

    Web.xml:

    
    Security Constraint on Conversation
    
    ivwb
    *.html
    
    
    All
    
    
    
    
    SPNEGO
    SPNEGO
    
    
    
    Role required to log in to the Application
    All
    
    

    Ktpass:

    ktpass -princ HTTP/u1604ecm@MYCOMP.CO.UK -pass mypass -mapuser authcheck@MYCOMP.CO.UK -out c:\spnego.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
    
    C:\Users\administrator.GTOS>setspn -l authcheck
    Registered ServicePrincipalNames for CN=Authentication User,CN=Users,DC=mycomp,DC=co,DC=uk:
            HTTP/u1604ecm
            HTTP/u1604ecm.mycomp.co.uk
            HTTP/u1604ecm@MYCOMP.CO.UK
    
    C:\Users\administrator.GTOS>setspn -l u1604ecm
    Registered ServicePrincipalNames for CN=U1604ECM,CN=Computers,DC=mycomp,DC=co,DC=uk:
    

    Thank you, Mark.
