SSO using SPNEGO in JBOSS 4.2.2

Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
Hi all,

Can we implement SSO with SPNEGO in JBOSS 4.2.2 with Java 5? After some googling we found that Active Directory (Kerberos) by default uses RC4-HMAC encryption, but Java 5 doesn't support RC4.

If we use DES encryption while executing the KTPASS command to generate the keytab file, for the third servlet test in the JBoss negotiation toolkit we get the error
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)

For the above case, the following are the options given in the conf file:
[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-crc rc4-hmac des-cbc-md5 des3-cbc-sha1

If I use Java 6 with rc4-hmac encryption enforced, I get the following error:

javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:562)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:619)

Any pointers would be of great help.

- Sayali.

Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
I could resolve the following error:
Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

The only SPN it was expecting was HTTP/{machine name}.

Initially I had two SPNs HTTP/{machine name} and HTTP/{machine name}.{domain} and it was giving this exception.

I just removed the other SPN, kept only HTTP/{machine name}, and it worked.

Somewhat surprising.

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10263

Thank you for posting the solution here

Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
The above solution may not work in all scenarios.

The service account created on Active Directory for JBoss should have the same logon name as the machine name on which the server is running. On Active Directory there will be an entry for this machine under CN=Computers and also under CN=Users for the account whose logon name is [machine name]. When we execute the command "setspn -a [service principal name] [machine name]", [service principal name] gets assigned to the account under CN=Computers, and when we execute the ktpass command with SPN [service principal name] to generate the keytab, [service principal name] gets added to the account under CN=Users. So the same service principal name ends up mapped to both accounts, and therefore authentication fails.

We should add the SPN to the account under CN=Users from the ADSI Edit window by adding the service principal name to the servicePrincipalName attribute of the account. And there should be two service principal names, HTTP/[machine name] and HTTP/[machine name].[domain name].

I am not sure whether we can get SSO working with the DES-CBC-MD5 encryption type. Any pointers would be of great help.
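The duplicate-SPN situation described in the post above is something an administrator can check for before touching ktpass. The script below is an added example (not code from the thread or from JBoss): it takes a list of account records shaped like an LDAP export of distinguishedName plus servicePrincipalName values, reports every SPN registered on more than one account, and reports HTTP/<host> entries that lack the matching HTTP/<host>.<domain> form. The account names, DNs and domain are constructed sample data; the APPSRV01 pair reproduces the CN=Computers / CN=Users collision from the post.

```python
"""Flag service principal names (SPNs) held by more than one AD account.

Added example; not code from the forum thread or from JBoss. It models the
failure the post describes: "setspn -a" registers HTTP/<host> on the computer
object under CN=Computers, while "ktpass" registers the same SPN on the
service account under CN=Users. The KDC then has two candidate keys for one
service, and the ticket the browser presents need not match the keytab JBoss
holds. The records below are constructed sample data shaped like an LDAP
export; nothing here contacts a directory.
"""
from collections import defaultdict

# Constructed sample export. APPSRV01 reproduces the duplicate-SPN situation;
# DB01 is a clean control entry.
SAMPLE_ACCOUNTS = [
    ("CN=APPSRV01,CN=Computers,DC=testdomain,DC=com",
     ["HOST/APPSRV01", "HOST/appsrv01.testdomain.com", "HTTP/appsrv01"]),
    ("CN=appsrv01,CN=Users,DC=testdomain,DC=com",
     ["HTTP/appsrv01"]),
    ("CN=DB01,CN=Computers,DC=testdomain,DC=com",
     ["HOST/DB01", "HOST/db01.testdomain.com"]),
]


def normalize_spn(spn):
    """SPN comparison in AD is case-insensitive, so HTTP/Host and http/host collide."""
    return spn.strip().lower()


def find_duplicate_spns(accounts):
    """Return {spn: [dn, ...]} for every SPN registered on two or more accounts.

    This is the condition the post hit; against a live domain, 'setspn -X'
    reports the same thing.
    """
    owners = defaultdict(list)
    for dn, spns in accounts:
        for spn in spns:
            owners[normalize_spn(spn)].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def missing_fqdn_pairs(accounts, domain):
    """List (dn, short_spn, expected_fqdn_spn) where HTTP/<host> is registered
    but HTTP/<host>.<domain> is not. The post's working setup registered both
    forms on the service account, because the SPN a client asks for depends on
    how it names the host."""
    domain = domain.lower()
    report = []
    for dn, spns in accounts:
        held = {normalize_spn(s) for s in spns}
        for spn in sorted(held):
            service, _, host = spn.partition("/")
            if service != "http" or "." in host:
                continue
            fqdn_spn = f"http/{host}.{domain}"
            if fqdn_spn not in held:
                report.append((dn, spn, fqdn_spn))
    return report


def main():
    for spn, dns in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"DUPLICATE {spn}:")
        for dn in dns:
            print(f"    {dn}")
    for dn, short, fqdn in missing_fqdn_pairs(SAMPLE_ACCOUNTS, "testdomain.com"):
        print(f"MISSING   {fqdn} on {dn} (only {short} registered)")


if __name__ == "__main__":
    main()
```

On a real domain the input would come from an LDAP query for servicePrincipalName=HTTP/* (or from `setspn -X`); the point of the check is that a Kerberos "Checksum failed" on the server side is very often a directory-side duplicate, not a keytab problem.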
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

You should be able to. Is this Windows 2008 r2? The DES encryption types are off by default (see this).


Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
It's Windows 2003 Service Pack 2, and DES-CBC-MD5 is available as an option for compatibility.

When I use this encryption type it gives me the error javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC).

For RC4-HMAC it is working fine.

So I was wondering if RC4-HMAC is the only encryption type SPNEGO uses.
Paul Sturrock
Bartender

Joined: Apr 14, 2004
Posts: 10336

It shouldn't be - the RC4 enc types are a Microsoft extension and not part of the GSS standard though Java does support them. Are you specifying RC4 in your keytab file?
Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
No. For ktpass I am specifying the crypto option as DES-CBC-MD5. When I say it works fine for RC4-HMAC, the crypto option is given as RC4-HMAC-NT.

I even tried specifying 'Use DES encryption types for this account' for the service account user. But with this the first test case also fails, giving the error 'Warning, this is NTLM, only SPNEGO is supported!'
Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
My conf file, which I have specified in run.bat, contains:

[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_realm = TESTDOMAIN.COM
[realms]
TESTDOMAIN.COM = {
kdc = kdc.testdomain.com
default_domain = testdomain.com
}
[domain_realm]
.testdomain.com = TESTDOMAIN.COM

Please point out where I am going wrong.
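The krb5.conf quoted above lists every enctype the client is willing to use, and the order of each list is the order the client asks for them. The script below is an added example (not code from the thread, from JBoss, or from any Kerberos implementation): it parses the posted configuration, including the REALM = { ... } block syntax, flags the enctypes that have since been deprecated (single DES by RFC 6649; RC4 and triple DES by RFC 8429), and prints a hardened [libdefaults]. The thread needed DES/RC4 for a Java 5 and Windows 2003 deployment; the audit shows what a current deployment would drop.

```python
"""Parse a krb5.conf and audit the enctype lists in [libdefaults].

Added example; not code from the forum thread or from any Kerberos
implementation. SAMPLE_KRB5_CONF is the configuration quoted in the post.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
default_realm = TESTDOMAIN.COM
[realms]
TESTDOMAIN.COM = {
kdc = kdc.testdomain.com
default_domain = testdomain.com
}
[domain_realm]
.testdomain.com = TESTDOMAIN.COM
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Enctype names as accepted in krb5.conf, with the RFC that deprecated them.
WEAK_ENCTYPES = {
    "des-cbc-crc": "single DES (RFC 6649)",
    "des-cbc-md4": "single DES (RFC 6649)",
    "des-cbc-md5": "single DES (RFC 6649)",
    "rc4-hmac-exp": "export-grade RC4 (RFC 6649)",
    "arcfour-hmac-exp": "export-grade RC4 (RFC 6649)",
    "des3-cbc-sha1": "triple DES (RFC 8429)",
    "rc4-hmac": "RC4 (RFC 8429)",
    "arcfour-hmac": "RC4 (RFC 8429)",
    "arcfour-hmac-md5": "RC4 (RFC 8429)",
}


def parse_krb5_conf(text):
    """Return {section: {key: value | {nested ...}}}.

    Handles [section] headers, key = value lines, the NAME = { ... } block
    syntax used under [realms], and '#' or ';' comments.
    """
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            stack = []
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            current = stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(current)
            current = current.setdefault(key, {})
        else:
            current[key] = value
    return sections


def audit_enctypes(conf):
    """Return (key, enctype, reason) for every weak enctype listed in [libdefaults]."""
    lib = conf.get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        for enctype in lib.get(key, "").split():
            reason = WEAK_ENCTYPES.get(enctype.lower())
            if reason:
                findings.append((key, enctype.lower(), reason))
    return findings


def harden_libdefaults(conf):
    """Copy of [libdefaults] with weak enctypes removed and list order kept.
    Order matters: the first entry in default_tkt_enctypes is what the client
    asks the KDC for first."""
    lib = dict(conf.get("libdefaults", {}))
    for key in ENCTYPE_KEYS:
        if key in lib:
            kept = [et for et in lib[key].split() if et.lower() not in WEAK_ENCTYPES]
            lib[key] = " ".join(kept)
    return lib


def render_libdefaults(lib):
    """Render a [libdefaults] section in krb5.conf syntax."""
    return "[libdefaults]\n" + "".join(f"{k} = {v}\n" for k, v in lib.items())


def main():
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for key, enctype, reason in audit_enctypes(conf):
        print(f"WEAK  {key}: {enctype}  ({reason})")
    print(render_libdefaults(harden_libdefaults(conf)))


if __name__ == "__main__":
    main()
```

Dropping an enctype on the client side is only half of the change: the keytab must be regenerated with a key of a type that remains in the list, and the AD service account must be allowed to use that type (the msDS-SupportedEncryptionTypes attribute on 2008 and later), otherwise the "Cannot find key of appropriate type" error from the thread comes back with a different enctype name in it.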
Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
It worked with DES-CBC-CRC encryption type with 'Use DES encryption types for this account' checked for the server user account.
Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
For third test case of negotiation toolkit, with Windows Server 2008 R2 as OS and IE8 as client I am getting a blank page without any error.

For the same application with Windows XP SP2, it is working.

Any pointers would be of great help.
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10263

Sayali S Dehedkar wrote: For third test case of negotiation toolkit, with Windows Server 2008 R2 as OS and IE8 as client I am getting a blank page without any error.

What HTTP return code do you see in the response?
Sayali S Dehedkar
Greenhorn

Joined: Jul 12, 2010
Posts: 9
Access log when accessed from Server 2008 (Unauthorized):
IP - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948

Access log when accessed from XP (Forbidden):
IP - user@domain [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 403 1102

When accessed from XP, even though I have user-roles.properties containing the user who is accessing the servlet, it gives me 403. But that's not an issue, as my application doesn't need it. I need to get 403 on Server 2008.

Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10263

Sayali S Dehedkar wrote: Access log on when accessed from server 2008 (Unauthorized):
IP - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948

A 401 indicates that authentication credentials for a restricted resource are being requested by the server. The client is expected to send back the credentials in the response header. Looks like for some reason it isn't doing that. And looking at this forum discussion, it appears to be a known bug. The issue has been marked as fixed, so make sure you upgrade (recommended) to that version or apply the fix mentioned here.
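The two access-log lines in this thread carry the whole diagnosis: a 401 with no remote user means the Negotiate challenge went out and no usable token came back, while a 403 with a remote user means Kerberos succeeded and only authorization failed. The script below is an added example (not code from the thread or from the JBoss Negotiation project) that parses AccessLogValve lines in that format, classifies each request that way, and reports clients that are repeatedly challenged on the same path without ever authenticating, which is the blank-page symptom. The addresses and principal are constructed sample values; the path and status codes follow the thread.

```python
"""Classify Negotiate (SPNEGO) outcomes from JBoss/Tomcat access log lines.

Added example; not code from the forum thread or from JBoss. The log format
is the Common Log Format written by AccessLogValve, as in the two lines
quoted in the thread. SAMPLE_LOG is constructed: the addresses and the
principal are made up, the path and status codes follow the thread.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: 10.0.0.8 is a client that never completes the
# handshake; 10.0.0.9 authenticates but lacks a role on /Secured.
SAMPLE_LOG = [
    '10.0.0.8 - - [13/Sep/2010:01:09:30 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948',
    '10.0.0.8 - - [13/Sep/2010:01:09:31 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 401 948',
    '10.0.0.9 - user@TESTDOMAIN.COM [13/Sep/2010:01:10:02 -0500] "GET /jboss-negotiation-toolkit/Secured HTTP/1.1" 403 1102',
    '10.0.0.9 - user@TESTDOMAIN.COM [13/Sep/2010:01:10:40 -0500] "GET /jboss-negotiation-toolkit/Basic HTTP/1.1" 200 512',
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    return entry


def classify(entry):
    """Map one entry to what it says about the Negotiate handshake.

    401 with no remote user: the server sent WWW-Authenticate: Negotiate and
    the request carried no usable token (the blank-page case in the thread).
    403 with a remote user: authentication succeeded, the principal simply has
    no role granting access; that is authorization, not SSO.
    """
    if entry["status"] == 401:
        return "challenge_unanswered" if entry["user"] is None else "challenge_after_auth"
    if entry["status"] == 403:
        return "authenticated_not_authorized" if entry["user"] else "forbidden_anonymous"
    if entry["user"]:
        return "authenticated_ok"
    return "anonymous"


def summarize(lines, stall_threshold=2):
    """Return (counts_by_class, stalled) where stalled lists (ip, path) pairs
    that received at least stall_threshold unanswered challenges."""
    counts = Counter()
    unanswered = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind == "challenge_unanswered":
            unanswered[(entry["ip"], entry["path"])] += 1
    stalled = sorted(key for key, n in unanswered.items() if n >= stall_threshold)
    return dict(counts), stalled


def main():
    counts, stalled = summarize(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{n:4d}  {kind}")
    for ip, path in stalled:
        print(f"stalled handshake: {ip} on {path}")


if __name__ == "__main__":
    main()
```

A stalled (ip, path) pair is where to look with a packet capture or browser trace: the interesting question is whether the client sent an Authorization: Negotiate header at all, and if so whether the token inside it was Kerberos or an NTLM fallback, which the toolkit's "this is NTLM" warning elsewhere in the thread also distinguishes.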
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 10263

Jaikiran Pai wrote:The issue has been marked as fixed, so make sure you upgrade (recommended) to that version

Hmm, the version (Negotiation_2.0.3.SP3) in which this issue is fixed hasn't yet been released. So you'll have to patch the fix yourself or build from source.