Kerberos sql server datasource in Wildfly 8.2

Question

I have a problem setting up integrated authentication with Kerberos towards a MS Sql Server on Wildfly 8.2.0.

Here's what I've done so far:

• Managed to get it going on Wildfly 9.0.2, simply because Wildfly 9 contains the "new" login module class org.jboss.security.negotiation.KerberosLoginModule. A security domain configured like this:

  <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
       <module-option name="storeKey" value="false"/>
       <module-option name="useKeyTab" value="false"/>
       <module-option name="principal" value="app-srv@REALM"/>
       <module-option name="useTicketCache" value="true"/>
       <module-option name="debug" value="true"/>
       <module-option name="refreshKrb5Config" value="true"/>
       <module-option name="isInitiator" value="true"/>
       <module-option name="addGSSCredential" value="true"/>
       <module-option name="delegationCredential" value="USE"/>
   </login-module>
  

  works perfectly fine. Before I added "addGSSCredential" to "true" I was getting the error "No matching credentials in Subject!" but then I read what this guy was saying here: https://developer.jboss.org/message/913652#913652.

Now, the problem is that I don't want Wildfly 9, I want to have it set up on Wildfly 8.2. Should be possible right?

So, on Wildfly 8.2:

1. Wildfly 8.2 does not have the KerberosLoginModule. It instead uses the sun provided login module (com.sun.security.auth.module.Krb5LoginModule) as specified here
2. Once I got Wildfly 8 to use this login module from Sun (does NOT work out of the box - which makes me wonder if the guys from JBoss actually ever tested this?- ...because the module that loads the login class (org.picketbox) does not depend on sun.jdk module and it fails wonderfully with a classnotfoundexception), I stumbled upon the same error I was getting on Wildfly 9 before adding the addGSSCredentials option: "No matching credentials in Subject!"
3. Problem is, addGSSCredentials is not supported by the Sun login module class.

So, has anybody ever set up Kerberos for a datasource on Wildfly 8.2 using the Sun class? Or must I upgrade the libraries to get the KerberosLoginModule from jboss-negotiation?

Answer 1

The only way I can get this to work in WildFly 8.2.1.Final is to update the jboss-negotiation-common-<version>.jar and jboss-negotiation-extras-<version>.jar from 2.2.7.Final to 3.0.2.Final, the version supplied with WildFly 10.1.0.Final (sorry, I didn't try with those from WildFly 9).

You need to update modules\system\layers\base\org\jboss\security\negotiation\main\ to reference the new jars.

Alternatively, you can just replace the entirety of the org.jboss.security.negotiation module with the version included with WildFly 10.1.0.Final.

For reference, my login module in standalone.xml is:

<login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
    <module-option name="useTicketCache" value="true"/>
    <module-option name="debug" value="true"/>
    <module-option name="refreshKrb5Config" value="true"/>
    <module-option name="addGSSCredential" value="true"/>
</login-module>

I found that I didn't need to set the isInitiator or delegationCredential options.

PS. Thanks for posting this question! I had a lot of problems with Kerberos authentication because I was setting storeKey to true until I came across this.

PSS. I should add that I am not connecting to a MS SQL Server, but to an Apache Phoenix data source, which may explain why I don't need to set some login options.