[30873] in Kerberos
RE: JBoss Negotiate
daemon@ATHENA.MIT.EDU (Krishnawat, Nagendra)
Mon Mar 16 16:18:24 2009
From: "Krishnawat, Nagendra" <Nagendra.Krishnawat@westernasset.com>
To: "'Thomas Maslen'" <Thomas.Maslen@quest.com>
Date: Mon, 16 Mar 2009 11:55:08 -0700
Message-ID: <CD466582FA6D3D4E8896E91AE7483C5D63BBA17538@PASEXCCMS1.wam.westernasset.local>
In-Reply-To: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Hi,
Thank you very much for the reply.

I am using SPNEGO for silent authentication, referring to https://www.jboss.org/community/docs/DOC-10680

Environment specification:

Server Machine: Microsoft Windows Server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
KDC: Windows Server 2003 R2. In my case server and KDC are the same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
Client Machine: Microsoft Windows XP Professional (Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)

I basically followed the PDF user guide downloaded from the above link (https://www.jboss.org/community/docs/DOC-10680).

User properties are in the mail attachment (properties.jpg).

SPN setting:

C:\Program Files\Support Tools>setspn -l PASKTABSVR1
Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
        HTTP/PASKTABSVR1.wamtest.wa.local
        NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
        ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
        GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
        HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
        HOST/PASKTABSVR1
        HOST/PASKTABSVR1.wamtest.wa.local
        HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
        ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
        ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
        ldap/PASKTABSVR1
        ldap/PASKTABSVR1.wamtest.wa.local
        ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
        ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
        DNS/PASKTABSVR1.wamtest.wa.local

Command used to create the keytab file:

C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABSVR1@WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab

Login modules from JBoss (login-config.xml):
.
..
......
<application-policy name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">host/PASKTABSVR1@WAMTEST.WA.LOCAL</module-option>
            <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="SPNEGO">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
.....
..
.

As per the document there are three tests (Attachment: Negotiation_test.jpg).

Results of the tests in my environment (test_results.jpg):

The first and second tests pass, i.e. the client browser gets the token, and in the second test the host login module gets authenticated, i.e. the second test passes.
The final test, i.e. "secured", which is the integrated test of both client and server, fails with the following exception:

Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)

As per your mail I mapped a different SPN; I tried:

C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1 (lower case pasktabsvr1)

But it didn't help; I got the same exception "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".

Am I doing anything fundamentally wrong?

-Nagendra

-----Original Message-----
From: Thomas Maslen [mailto:Thomas.Maslen@quest.com]
Sent: Saturday, March 14, 2009 7:21 PM
To: kerberos@mit.edu
Cc: Krishnawat, Nagendra
Subject: Re: JBoss Negotiate

Let me guess... you're probably running JBoss on a Windows machine that is joined to the Active Directory domain?

If so, then the problem is: you have got your SPN mappings wrong (i.e. the hostname in the URL that you are using in the browser doesn't match any SPN mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service object, so it doesn't use your service object. If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it implicitly maps HTTP/foo.example.com to the AD Computer object for foo.example.com (equivalently, HOST/foo.example.com). This works nicely for Microsoft IIS but for other SPNEGO implementations it produces the rather nonobvious error that you are seeing at present.
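Added example, not part of the message above nor of the JBoss user guide it cites. The JDK exception quoted in the message names the encryption type of the ticket it tried to decrypt, RC4 with HMAC (etype 23), and Krb5LoginModule can only accept that ticket if the keytab it loaded holds a key of that etype (and matching kvno) for the service principal; the ktpass command shown writes a single DES-CBC-CRC (etype 1) key. A quick way to see exactly what a keytab contains, independent of Java, is to parse it. The script below reads the 0x0502 (MIT) keytab format that ktpass and ktutil write, lists principal, kvno and etype per entry, and reports whether a key of the ticket's etype is present. The keytab bytes, kvno and key material it runs on are constructed here as sample input, not taken from the poster's file. It checks key types only; whether the SPN the browser requests maps to the account whose key is in the keytab is the separate point Thomas raises, and the setspn -L output in the message is where to check that.

```python
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Encryption type numbers from RFC 3961 and RFC 4757. The JDK error quoted in the
# message names etype 23 (RC4 with HMAC); "ktpass -crypto DES-CBC-CRC" writes etype 1.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_CBC_CRC, RC4_HMAC = 1, 23

@dataclass
class KeytabEntry:
    principal: str  # "name/instance@REALM"
    kvno: int
    etype: int
    key: bytes

def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 (MIT) keytab, the format ktpass and ktutil write."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # signed; negative marks a deleted slot
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)  # realm is not counted in v2
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode("utf-8"))
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; overrides the 8-bit field when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode("utf-8"), kvno, etype, key))
    return entries

def build_keytab(entries: Sequence[Tuple[str, int, int, bytes]]) -> bytes:
    """Write a 0x0502 keytab; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            raw = s.encode("utf-8")
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def missing_etypes(entries: List[KeytabEntry], principal: str, wanted: Sequence[int]) -> List[int]:
    """Etypes in `wanted` for which `principal` has no key in the keytab."""
    have = {e.etype for e in entries if e.principal == principal}
    return [et for et in wanted if et not in have]

def diagnose(keytab: bytes, principal: str, ticket_etype: int) -> str:
    """Mirror the JDK check: is there a key of the ticket's etype for the service principal?"""
    entries = parse_keytab(keytab)
    have = sorted(f"{ETYPE_NAMES.get(e.etype, e.etype)} kvno={e.kvno}"
                  for e in entries if e.principal == principal)
    name = ETYPE_NAMES.get(ticket_etype, str(ticket_etype))
    if missing_etypes(entries, principal, [ticket_etype]):
        return f"{principal}: no key for etype {ticket_etype} ({name}); keytab has {have}"
    return f"{principal}: ok, keytab has a {name} key"

SPN = "host/PASKTABSVR1@WAMTEST.WA.LOCAL"
# Constructed sample standing in for the poster's keytab: a single DES-CBC-CRC key,
# as "ktpass -crypto DES-CBC-CRC" produces. Key bytes and kvno are placeholders.
SAMPLE_KEYTAB = build_keytab([(SPN, 3, DES_CBC_CRC, bytes(range(8)))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, "kvno", e.kvno, "etype", e.etype, ETYPE_NAMES.get(e.etype))
    print(diagnose(SAMPLE_KEYTAB, SPN, RC4_HMAC))
```

Run against a real file, `diagnose(open(path, "rb").read(), spn, 23)` tells you in one line whether the keytab can possibly decrypt an rc4-hmac ticket for that principal; if the principal string itself is not in the list, the keytab was cut for a different principal than the one configured in Krb5LoginModule, which is a distinct failure from a missing etype.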
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos