JBoss SPNEGO configuring GSSAPI
Issue
- When trying to make the SPNEGO login module use the AdvancedAdLdap login module with GSSAPI authentication, the following exceptions can be seen. Java 1.6.0_XX and several other versions of Java 1.6 are used for the tests.
The following configuration is used:
<security-domain name="host">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
      <module-option name="keyTab" value="/path/to/my.keytab"/>
      <module-option name="principal" value="HTTP/adserver.domain.com@DOMAIN.COM"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="SPNEGO">
  <authentication>
    <login-module code="SPNEGOUsers" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
      <module-option name="removeRealmFromPrincipal" value="true"/>
    </login-module>
    <login-module code="AdvancedAdLdap" flag="requisite">
      <module-option name="bindAuthentication" value="GSSAPI"/>
      <module-option name="jaasSecurityDomain" value="host"/>
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="allowEmptyPassword" value="true"/>
      <module-option name="java.naming.provider.url" value="ldap://adserver.domain.com:389"/>
      <module-option name="baseCtxDN" value="CN=Users,DC=domain,DC=com"/>
      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
      <module-option name="rolesCtxDN" value="CN=Users,DC=domain,DC=com"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
      <module-option name="throwValidateError" value="true"/>
    </login-module>
  </authentication>
</security-domain>
- When the following two options
  <module-option name="bindAuthentication" value="GSSAPI"/>
  <module-option name="jaasSecurityDomain" value="host"/>
are replaced with
  <module-option name="bindDN" value="user"/>
  <module-option name="bindCredential" value="password"/>
then everything works fine.
But when GSSAPI is used, the following exceptions can be seen:
ERROR [org.jboss.security] (http-jbossserver.domain.com/10.33.1.221:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Unable to create new InitialLdapContext
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:414) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:325) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:699) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.Subject.doAs(Subject.java:337) [rt.jar:1.6.0_33]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:270) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:193) [jboss-negotiation-common-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) [rt.jar:1.6.0_33]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) [rt.jar:1.6.0_33]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) [rt.jar:1.6.0_33]
at javax.naming.InitialContext.init(InitialContext.java:223) [rt.jar:1.6.0_33]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) [rt.jar:1.6.0_33]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:410) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
... 31 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105) [rt.jar:1.6.0_33]
... 43 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663) [rt.jar:1.6.0_33]
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) [rt.jar:1.6.0_33]
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162) [rt.jar:1.6.0_33]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175) [rt.jar:1.6.0_33]
... 44 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61) [rt.jar:1.6.0_33]
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185) [rt.jar:1.6.0_33]
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294) [rt.jar:1.6.0_33]
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106) [rt.jar:1.6.0_33]
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557) [rt.jar:1.6.0_33]
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594) [rt.jar:1.6.0_33]
... 47 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) [rt.jar:1.6.0_33]
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58) [rt.jar:1.6.0_33]
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53) [rt.jar:1.6.0_33]
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46) [rt.jar:1.6.0_33]
... 52 more
We have a second machine set up in a different network, and are getting a different error there:
ERROR [org.jboss.security] (http-jbossserver.domain.com/10.33.1.221:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Unable to create new InitialLdapContext
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:414) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:325) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:699) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.Subject.doAs(Subject.java:337) [rt.jar:1.6.0_33]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:270) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:193) [jboss-negotiation-common-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) [rt.jar:1.6.0_33]
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) [rt.jar:1.6.0_33]
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) [rt.jar:1.6.0_33]
at javax.naming.InitialContext.init(InitialContext.java:223) [rt.jar:1.6.0_33]
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) [rt.jar:1.6.0_33]
at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:410) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
... 31 more
Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:310) [rt.jar:1.6.0_33]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:169) [rt.jar:1.6.0_33]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:114) [rt.jar:1.6.0_33]
... 43 more
Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
at sun.security.jgss.krb5.WrapToken_v2.getDataFromBuffer(WrapToken_v2.java:257) [rt.jar:1.6.0_33]
at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:189) [rt.jar:1.6.0_33]
at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:164) [rt.jar:1.6.0_33]
at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:946) [rt.jar:1.6.0_33]
at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:384) [rt.jar:1.6.0_33]
at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:216) [rt.jar:1.6.0_33]
... 45 more
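An added example, not part of the Red Hat article: a small Python lint over the two security domains above that checks the prerequisites of a GSSAPI LDAP bind (jaasSecurityDomain must point at a Kerberos login module with useKeyTab and storeKey) and reports the service principal the JDK's SASL GSSAPI client requests from the KDC, ldap/<host named in java.naming.provider.url>, which is the server principal that error 7 "Server not found in Kerberos database" reports as unknown. The embedded configuration is a trimmed, constructed copy of the article's; the checks are this example's own, not a Red Hat tool.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Trimmed copy of the article's two security domains (constructed test input; hostnames and realm are the article's placeholders).
CONFIG = """<security-domains>
<security-domain name="host"><authentication><login-module code="Kerberos" flag="required">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/adserver.domain.com@DOMAIN.COM"/>
</login-module></authentication></security-domain>
<security-domain name="SPNEGO"><authentication><login-module code="AdvancedAdLdap" flag="requisite">
<module-option name="bindAuthentication" value="GSSAPI"/>
<module-option name="jaasSecurityDomain" value="host"/>
<module-option name="java.naming.provider.url" value="ldap://adserver.domain.com:389"/>
</login-module></authentication></security-domain>
</security-domains>"""

def load_domains(xml_text):
    """Map each security-domain name to its list of (login-module code, options)."""
    domains = {}
    for dom in ET.fromstring(xml_text).iter("security-domain"):
        domains[dom.get("name")] = [
            (lm.get("code"), {o.get("name"): o.get("value") for o in lm.iter("module-option")})
            for lm in dom.iter("login-module")]
    return domains

def expected_ldap_spn(provider_url):
    """SPN the JDK's SASL GSSAPI client asks the KDC for: ldap/<host named in the URL>."""
    return "ldap/%s" % urlparse(provider_url).hostname

def lint(xml_text):
    """Findings for every login module that binds to LDAP with bindAuthentication=GSSAPI."""
    domains, findings = load_domains(xml_text), []
    for name, mods in domains.items():
        for code, opts in mods:
            if opts.get("bindAuthentication") != "GSSAPI": continue
            tag, target = "%s/%s" % (name, code), opts.get("jaasSecurityDomain")
            krb = [o for c, o in domains.get(target, []) if c == "Kerberos"]
            if not krb:
                findings.append("ERROR %s: jaasSecurityDomain %r has no Kerberos login module" % (tag, target))
            elif not (krb[0].get("useKeyTab") == "true" and krb[0].get("storeKey") == "true"):
                findings.append("ERROR %s: Kerberos module in %r needs useKeyTab=true and storeKey=true" % (tag, target))
            url = opts.get("java.naming.provider.url", "")
            try:  # an IP literal makes the client request ldap/<ip>, a principal no KDC holds
                ipaddress.ip_address(urlparse(url).hostname or "")
                findings.append("ERROR %s: provider URL must name the LDAP server by DNS name, not IP" % tag)
            except ValueError:
                findings.append("INFO %s: KDC must hold a principal for %s" % (tag, expected_ldap_spn(url)))
    return findings
```

Run `lint(CONFIG)` against the trimmed copy to see the INFO line for ldap/adserver.domain.com; point `CONFIG` at your own security-domains XML to lint a real configuration.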
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 5.x
  - 6.x
- Java
  - Oracle JDK 1.6.0_XX
  - OpenJDK 1.6.0_XX