JBoss SPNEGO configuring GSSAPI

Solution Verified

Issue

  • When trying to make the SPNEGO login module use the AdvancedAdLdap login module with GSSAPI authentication, the following exceptions can be seen. Java 1.6.0_XX and several other versions of Java 1.6 were used for the tests.

The following configuration is used:

                <security-domain name="host">
                    <authentication>
                        <login-module code="Kerberos" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="doNotPrompt" value="true"/>
                            <module-option name="debug" value="true"/>
                            <module-option name="keyTab" value="/path/to/my.keytab"/>
                            <module-option name="principal" value="HTTP/adserver.domain.com@DOMAIN.COM"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="SPNEGO">
                    <authentication>
                        <login-module code="SPNEGOUsers" flag="requisite">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="serverSecurityDomain" value="host"/>
                            <module-option name="removeRealmFromPrincipal" value="true"/>
                        </login-module>
                        <login-module code="AdvancedAdLdap" flag="requisite">
                            <module-option name="bindAuthentication" value="GSSAPI"/>
                            <module-option name="jaasSecurityDomain" value="host"/>
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="allowEmptyPassword" value="true"/>
                            <module-option name="java.naming.provider.url" value="ldap://adserver.domain.com:389"/>
                            <module-option name="baseCtxDN" value="CN=Users,DC=domain,DC=com"/>
                            <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                            <module-option name="rolesCtxDN" value="CN=Users,DC=domain,DC=com"/>
                            <module-option name="roleAttributeID" value="memberOf"/>
                            <module-option name="roleAttributeIsDN" value="true"/>
                            <module-option name="roleNameAttributeID" value="cn"/>
                            <module-option name="recurseRoles" value="true"/>
                            <module-option name="throwValidateError" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
  • When the following is replaced

    <module-option name="bindAuthentication" value="GSSAPI"/>
    <module-option name="jaasSecurityDomain" value="host"/>

with

    <module-option name="bindDN" value="user"/>
    <module-option name="bindCredential" value="password"/>

then everything works fine.

But with GSSAPI, the following exceptions can be seen:

ERROR [org.jboss.security] (http-jbossserver.domain.com/10.33.1.221:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Unable to create new InitialLdapContext
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:414) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:325) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:699) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
        at javax.security.auth.Subject.doAs(Subject.java:337) [rt.jar:1.6.0_33]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:270) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
        at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
        at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:193) [jboss-negotiation-common-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) [rt.jar:1.6.0_33]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) [rt.jar:1.6.0_33]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) [rt.jar:1.6.0_33]
        at javax.naming.InitialContext.init(InitialContext.java:223) [rt.jar:1.6.0_33]
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) [rt.jar:1.6.0_33]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:410) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        ... 31 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105) [rt.jar:1.6.0_33]
        ... 43 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663) [rt.jar:1.6.0_33]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230) [rt.jar:1.6.0_33]
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162) [rt.jar:1.6.0_33]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175) [rt.jar:1.6.0_33]
        ... 44 more
Caused by: KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61) [rt.jar:1.6.0_33]
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185) [rt.jar:1.6.0_33]
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294) [rt.jar:1.6.0_33]
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106) [rt.jar:1.6.0_33]
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557) [rt.jar:1.6.0_33]
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594) [rt.jar:1.6.0_33]
        ... 47 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) [rt.jar:1.6.0_33]
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58) [rt.jar:1.6.0_33]
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53) [rt.jar:1.6.0_33]
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46) [rt.jar:1.6.0_33]
        ... 52 more

We have a second machine set up in a different network, and are getting a different error there:

ERROR [org.jboss.security] (http-jbossserver.domain.com/10.33.1.221:8080-1) PBOX000206: Login failure: javax.security.auth.login.LoginException: Unable to create new InitialLdapContext
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:414) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:325) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:699) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
        at javax.security.auth.Subject.doAs(Subject.java:337) [rt.jar:1.6.0_33]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:270) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
        at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.14.Final-redhat-2.jar:4.0.14.Final-redhat-2]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
        at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:193) [jboss-negotiation-common-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.1.3.Final-redhat-4.jar:7.1.3.Final-redhat-4]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:372) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:679) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:931) [jbossweb-7.0.17.Final-redhat-1.jar:]
        at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:212) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66) [rt.jar:1.6.0_33]
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667) [rt.jar:1.6.0_33]
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288) [rt.jar:1.6.0_33]
        at javax.naming.InitialContext.init(InitialContext.java:223) [rt.jar:1.6.0_33]
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134) [rt.jar:1.6.0_33]
        at org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext(AdvancedLdapLoginModule.java:410) [jboss-negotiation-extras-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
        ... 31 more
Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:310) [rt.jar:1.6.0_33]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:169) [rt.jar:1.6.0_33]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:114) [rt.jar:1.6.0_33]
        ... 43 more
Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
        at sun.security.jgss.krb5.WrapToken_v2.getDataFromBuffer(WrapToken_v2.java:257) [rt.jar:1.6.0_33]
        at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:189) [rt.jar:1.6.0_33]
        at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:164) [rt.jar:1.6.0_33]
        at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:946) [rt.jar:1.6.0_33]
        at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:384) [rt.jar:1.6.0_33]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:216) [rt.jar:1.6.0_33]
        ... 45 more
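Both stack traces fail in the same place: the SASL GSSAPI bind that AdvancedLdapLoginModule performs inside the Subject produced by the "host" security domain, before any LDAP search runs. The two steps can be reproduced outside JBoss so that the keytab, KDC reachability and the service ticket request can be checked in isolation. This is an added diagnostic, not code from the article; it reuses the keytab path, principal and LDAP URL placeholders from the configuration above, and the class name is made up.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/** Re-runs the "host" Kerberos login plus the GSSAPI LDAP bind outside JBoss (Java 6 syntax). */
public class GssapiLdapBindCheck {

    // Placeholders taken from the security-domain configuration; substitute real values.
    static final String KEYTAB = "/path/to/my.keytab";
    static final String PRINCIPAL = "HTTP/adserver.domain.com@DOMAIN.COM";
    static final String LDAP_URL = "ldap://adserver.domain.com:389";

    /** Same module options as the Kerberos login module of the "host" security domain. */
    static Configuration hostDomain() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("storeKey", "true");
                opts.put("useKeyTab", "true");
                opts.put("doNotPrompt", "true");
                opts.put("debug", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("principal", PRINCIPAL);
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Step 1: acquire the TGT from the keytab, as the "host" domain does. The realm and
        // KDC come from krb5.conf or -Djava.security.krb5.realm / -Djava.security.krb5.kdc.
        LoginContext lc = new LoginContext("host", null, null, hostDomain());
        lc.login();

        // Step 2: inside that Subject, open the LDAP context with a SASL GSSAPI bind.
        // JNDI asks the KDC for a ticket for ldap/<hostname from the URL>; run with
        // -Dsun.security.krb5.debug=true to see exactly which principal the TGS-REQ names.
        Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, LDAP_URL);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                LdapContext ctx = new InitialLdapContext(env, null); // fails here in the traces
                System.out.println("GSSAPI bind succeeded against " + LDAP_URL);
                ctx.close();
                return null;
            }
        });
        lc.logout();
    }
}
```

If this standalone run reproduces the same "Server not found in Kerberos database (7)" or "Corrupt checksum in Wrap token" exception, the problem lies in the Kerberos/LDAP environment rather than in the JBoss login-module chain.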

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x
  • Java
    • Oracle JDK 1.6.0_XX
    • OpenJDK 1.6.0_XX
