Vlada

Reputation: 667

WildFly 10 running on Windows with Kerberos authentication

I have to configure WildFly 10 to support SSO against Microsoft Active Directory. The server is running on Windows Server 2012 R2.

I have tried several configurations and recommendations found via Google.

Each time I get

PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.

This doesn't have to be an error, because it is displayed only when DEBUG is on.

The web browser gets 401 Unauthorized.

I am stuck on it.

Do you have any idea what's wrong or what I can do now?


standalone.xml (parts only)

<system-properties>
  <property name="jboss.security.disable.secdomain.option" value="true" />
  <property name="sun.security.krb5.debug" value="true" />
  <property name="java.security.krb5.kdc" value="dns.xxx.cz" />
  <property name="java.security.krb5.realm" value="XXX.CZ" />
  <property name="java.security.krb5.conf" value="d:\\krb5.conf" />
</system-properties>

<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="debug" value="true"/>
      <module-option name="storeKey" value="true"/>
      <module-option name="refreshKrb5Config" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="keytab" value="d:\\web.keytab"/>
      <module-option name="principal" value="HTTP/server.xxx.cz@XXX.CZ"/>
    </login-module>
  </authentication>
</security-domain>

<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGOUsers" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
    <login-module code="AdvancedLdap" flag="requisite">
      <module-option name="jaasSecurityDomain" value="host"/>
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="java.naming.security.authentication" value="simple"/>
      <module-option name="java.naming.provider.url" value="ldap://192.168.1.1:3268"/>
      <module-option name="bindDN" value="CN=svc,DC=xxx,DC=cz"/>
      <module-option name="bindCredential" value="password"/>
      <module-option name="baseCtxDN" value="DC=xxx,DC=cz"/>
      <module-option name="baseFilter" value="(userPrincipalName={0})"/>
      <module-option name="rolesCtxDN" value="DC=xxx,DC=cz"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
      <module-option name="allowEmptyPassword" value="false"/>
    </login-module>
  </authentication>
</security-domain>

WildFly output

 2016-03-29 13:51:26,011 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
 2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=host
 2016-03-29 13:51:26,026 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is HTTP/server.xxx.cz@XXX.CZ tryFirstPass is false useFirstPass is false storePass is false clearPass is false
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Java config name: d:\\krb5.conf
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) Loaded from Java config
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,026 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 1
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 55; type: 3
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 23
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 79; type: 18
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): xxx.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): HTTP
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTabInputStream, readName(): server.xxx.cz
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) >>> KeyTab: load() entry length: 63; type: 17
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,042 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,058 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=145
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=145
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=182
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,073 INFO  [stdout] (default task-4)     PA-DATA type = 19
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 2
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-ENC-TIMESTAMP
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 16
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     PA-DATA type = 15
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>> KDCRep: init() encoding tag is 126 req type is 11
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4) >>>KRBError:
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     sTime is Tue Mar 29 13:51:26 CEST 2016 1459252286000
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     suSec is 834289
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     error code is 25
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     error Message is Additional pre-authentication required
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     sname is krbtgt/XXX.CZ@XXX.CZ
 2016-03-29 13:51:26,089 INFO  [stdout] (default task-4)     eData provided.
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     msgType is 30
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 19
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 18, salt = XXX.CZHTTPserver.xxx.cz, s2kparams = null
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 2
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-ENC-TIMESTAMP
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 16
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) >>>Pre-Authentication Data:
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4)     PA-DATA type = 15
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,105 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 23 18 17 16.
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz UDP:88, timeout=30000, number of retries =3, #bytes=232
 2016-03-29 13:51:26,120 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz UDP:88, timeout=30000,Attempt =1, #bytes=232
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=84
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=adsrv.xxx.cz TCP:88, timeout=30000, number of retries =3, #bytes=232
 2016-03-29 13:51:26,136 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=adsrv.xxx.cz TCP:88, timeout=30000,Attempt =1, #bytes=232
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>>DEBUG: TCPClient reading 1478 bytes
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=1478
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove adsrv.xxx.cz
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Looking for keys for: HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 17version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 18version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Added key: 23version: 4
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Found unsupported keytype (3) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Found unsupported keytype (1) for HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/server.xxx.cz
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) principal is HTTP/server.xxx.cz@XXX.CZ
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Will use keytab
 2016-03-29 13:51:26,151 INFO  [stdout] (default task-4) Commit Succeeded 
 2016-03-29 13:51:26,167 INFO  [stdout] (default task-4) 
 2016-03-29 13:51:26,167 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
    Principal: HTTP/server.xxx.cz@XXX.CZ
    Private Credential: Ticket (hex) = 
 0000: 61 82 04 50 30 82 04 4C   A0 03 02 01 05 A1 08 1B  a..P0..L........
 0010: 06 41 4E 53 2E 43 5A A2   1B 30 19 A0 03 02 01 02  .XXX.CZ..0......
 0020: A1 12 30 10 1B 06 6B 72   62 74 67 74 1B 06 41 4E  ..0...krbtgt..AN
 0030: 53 2E 43 5A A3 82 04 1C   30 82 04 18 A0 03 02 01  S.CZ....0.......
 0040: 12 A1 03 02 01 03 A2 82   04 0A 04 82 04 06 F6 70  ...............p
 0050: 6C 89 66 60 B0 8D 98 60   81 3A 13 49 C0 C8 92 96  l.f`...`.:.I....
 0060: BE 05 0D 59 F1 98 2C CA   AD 7D C2 0E 89 17 1F 36  ...Y..,........6
 0070: 55 0B D0 BE 74 E1 45 E9   78 E5 A0 EF A3 0B 7E AA  U...t.E.x.......
 0080: F7 8D 47 35 EA BE 1F 52   0D 05 77 05 CA 19 FE 4E  ..G5...R..w....N
 0090: D2 FE 46 DD 70 79 DC 40   D4 AE 70 25 BA BA 48 11  [email protected]%..H.
 00A0: EB 1E 5C 4E F0 73 33 D2   98 47 F8 17 F1 0E 9C D2  ..\N.s3..G......
 00B0: 23 BD B8 7B 69 C5 FF 43   1E 13 CB 8F 96 C7 3F D1  #...i..C......?.
 00C0: 24 4A 5E E0 69 70 2D E3   D0 45 3B 09 0C 4B CA FD  $J^.ip-..E;..K..
 00D0: 08 97 20 BC BB 71 58 B0   5A 00 D2 C4 7D 3A 0F 26  .. ..qX.Z....:.&
 00E0: 56 B3 6C D3 FF FC 6C 4E   51 1D B9 DF BE 02 D0 7B  V.l...lNQ.......
 00F0: E0 0C B0 21 AA 54 71 07   63 6A 6D 65 34 08 4F 9F  ...!.Tq.cjme4.O.
 0100: 22 7C 37 70 CF 40 C5 77   56 10 C8 C2 B4 5B 5D BB  "[email protected]....[].
 0110: FA C0 51 05 E8 14 04 AE   52 8D 80 AA 31 66 6E 7F  ..Q.....R...1fn.
 0120: 28 3E 49 35 9E A4 5A ED   21 0A FE D9 B1 96 15 A6  (>I5..Z.!.......
 0130: 51 0A A6 AA BB 1D 22 B9   FC 2D 87 65 42 FB 5E 17  Q....."..-.eB.^.
 0140: 94 32 2F BA 94 06 7C 3A   9E 56 73 52 59 FE F1 3C  .2/....:.VsRY..<
 0150: D0 19 5F B3 B3 E3 0D F4   0C 51 1A E2 CF 19 50 61  .._......Q....Pa
 0160: BA 55 6A 57 F8 9F 8F F7   43 D7 2B B8 62 22 6E F4  .UjW....C.+.b"n.
 0170: B2 A8 CC 09 A9 3B A4 C2   5D D8 75 EA 99 7E 20 93  .....;..].u... .
 0180: 33 ED 8B BF 40 CC 82 49   69 F5 05 3D 30 1A 5D D4  [email protected]..=0.].
 0190: CD E2 A3 DE 36 77 94 63   D2 B4 DE 44 AA 35 BD C9  ....6w.c...D.5..
 01A0: 5D 57 4D 10 E6 51 A7 D9   A5 A6 EB 9A A1 2D 88 2C  ]WM..Q.......-.,
 01B0: 27 F1 C8 8E E9 1B 14 90   88 E7 4E 70 3C 53 EC E7  '.........Np<S..
 01C0: 29 84 DA 1C 7E 33 A2 99   9D C5 85 3B 63 67 CE 84  )....3.....;cg..
 01D0: 73 41 75 67 9D 6E BC E9   80 0B 1C B4 56 0C AB 92  sAug.n......V...
 01E0: 13 79 D2 4D D9 B8 15 91   51 48 ED 7D 30 8B 16 ED  .y.M....QH..0...
 01F0: C4 AB CE 0D D7 F6 0D 41   7F BA 99 E1 9E 51 8D 82  .......A.....Q..
 0200: 2D 2D B9 1B C8 92 71 22   28 43 B2 AD FC 67 A0 10  --....q"(C...g..
 0210: 3E 85 61 52 48 C1 2C A7   CC 49 70 7B 1E 32 27 22  >.aRH.,..Ip..2'"
 0220: 30 04 DD 4E 6E 45 F3 0B   0F E2 F6 EB 8E CF 0D B7  0..NnE..........
 0230: 32 F4 2D 47 E6 B3 13 97   E3 C2 D0 53 84 ED FC 7C  2.-G.......S....
 0240: 40 60 52 AC FC 0C C8 C9   D7 D3 C6 C6 F0 33 34 1B  @`R..........34.
 0250: 8E 6E 12 3B AB 30 34 0C   99 29 11 67 A2 01 75 BB  .n.;.04..).g..u.
 0260: 8F C2 8F A9 47 71 63 EF   58 17 95 46 57 69 8C 4F  ....Gqc.X..FWi.O
 0270: 2B 47 50 2E D9 C2 B6 3C   2A FF BD 0E DF FB 72 DF  +GP....<*.....r.
 0280: 76 58 9A DF 8A 94 DC 7C   ED 99 BB D5 DF 27 88 F8  vX...........'..
 0290: 65 A2 5F 16 C0 A2 43 FA   F3 E7 88 DF 88 62 20 F8  e._...C......b .
 02A0: 4A 6C C3 8D 36 3F 82 F4   0C 37 6B BB C1 89 20 12  Jl..6?...7k... .
 02B0: 36 9E E2 48 D0 BE 30 09   36 1B 7E 4C 8F 90 D8 C2  6..H..0.6..L....
 02C0: 6F 64 E8 DE D4 BE B9 B4   CD 53 F2 B1 29 AF 19 0B  od.......S..)...
 02D0: 09 93 20 6D CE 92 7D EE   DB 38 19 46 04 C1 E4 CE  .. m.....8.F....
 02E0: DC 05 60 DF 48 30 89 41   3D CA 2A 91 02 5E C5 FA  ..`.H0.A=.*..^..
 02F0: B0 07 25 E1 06 92 4F CD   61 B9 EB 79 2B E3 31 70  ..%...O.a..y+.1p
 0300: CF 9D 30 35 61 E0 ED 17   88 08 87 67 CB E8 B3 05  ..05a......g....
 0310: E6 80 2C 2E D7 B8 4B 31   06 64 E5 2D 29 98 64 84  ..,...K1.d.-).d.
 0320: B2 97 59 D5 7E B4 38 7D   C0 87 B6 79 3A 8E AD 28  ..Y...8....y:..(
 0330: E3 01 83 DE E6 9C E2 A6   A2 42 88 2F 13 E6 DF 4A  .........B./...J
 0340: D4 1A 2D 08 B8 87 7C B3   EF D6 CD 26 CF F3 E9 7C  ..-........&....
 0350: 97 39 43 6C 38 BC C4 02   53 27 D9 5A 8A BA 8A DF  .9Cl8...S'.Z....
 0360: 73 48 19 04 6E 7F B7 6D   5D B5 ED A3 0A 1A 2A B8  sH..n..m].....*.
 0370: F1 22 A8 AF 82 08 D1 5D   74 04 F8 87 81 55 39 8B  .".....]t....U9.
 0380: 40 BF C3 26 4F 5C 56 05   C8 9F 2A 3A F2 3D A7 2B  @..&O\V...*:.=.+
 0390: 48 F3 0A 60 AD 8B 53 A0   8A 86 6F 54 54 1D 84 67  H..`..S...oTT..g
 03A0: 23 B4 0F 59 A4 73 94 9F   FE 43 63 DF 68 7A F1 8D  #..Y.s...Cc.hz..
 03B0: B4 B2 C4 CC 42 F0 23 3E   50 5F 64 C1 AD 1C EC 2A  ....B.#>P_d....*
 03C0: 2D F2 1F 52 F1 81 33 D7   B1 85 D8 98 A7 38 22 7F  -..R..3......8".
 03D0: 42 00 7E 1F 8C 8D 32 00   B9 F9 61 F2 86 59 4C 69  B.....2...a..YLi
 03E0: E0 19 AC 5D 75 E1 98 A6   83 A2 5F 4E C2 6D D9 69  ...]u....._N.m.i
 03F0: EC 3B 5D E5 A3 10 F5 24   95 B0 EC E2 FF FC CF 54  .;]....$.......T
 0400: BC 2B 43 AD 4A D6 77 A2   1B 54 AE 52 AC 5A E2 75  .+C.J.w..T.R.Z.u
 0410: 59 38 C7 64 15 0C CE 18   50 1D 24 9C FE FB 3C 4A  Y8.d....P.$...<J
 0420: 33 31 4B C6 65 40 F7 8B   4A 35 75 67 1B DD 1F 60  [email protected]...`
 0430: 10 CF C2 AB 05 8B AD 43   2A 95 FE AA 94 80 98 38  .......C*......8
 0440: D8 3C 6A 15 21 40 34 E8   0B 42 73 5A 9A B4 4F D4  .<[email protected].
 0450: 17 57 30 D1                                        .W0.

 Client Principal = HTTP/server.xxx.cz@XXX.CZ
 Server Principal = krbtgt/XXX.CZ@XXX.CZ
 Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
 0000: 10 A6 39 17 84 65 5E 8C   5B 39 22 E4 2A 9E 95 97  ..9..e^.[9".*...


 Forwardable Ticket false
 Forwarded Ticket false
 Proxiable Ticket false
 Proxy Ticket false
 Postdated Ticket false
 Renewable Ticket false
 Initial Ticket false
 Auth Time = Tue Mar 29 13:51:26 CEST 2016
 Start Time = Tue Mar 29 13:51:26 CEST 2016
 End Time = Tue Mar 29 23:51:26 CEST 2016
 Renew Till = null
 Client Addresses  Null 
    Private Credential: Default keytab for HTTP/server.xxx.cz@XXX.CZ

 2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'host' LoginContext
 2016-03-29 13:51:26,198 INFO  [stdout] (default task-4)        [Krb5LoginModule]: Entering logout
 2016-03-29 13:51:26,198 INFO  [stdout] (default task-4)        [Krb5LoginModule]: logged out Subject
 2016-03-29 13:51:26,198 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) NegotiationContext.setContinuationRequired(true)
 2016-03-29 13:51:26,214 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
    at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

 2016-03-29 13:51:26,625 TRACE [org.jboss.security] (default task-3) PBOX00201: End isValid, result = false
 2016-03-29 13:51:26,625 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (default task-3) clear 35ec8348
 2016-03-29 13:51:26,641 TRACE [org.jboss.security] (default task-3) PBOX00354: Setting security roles ThreadLocal: null

Upvotes: 0

Views: 5000
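The KeyTabInputStream and "Found unsupported keytype" lines in the log above are the JDK reading d:\web.keytab: five keys for one principal, enctypes 1 and 3 (single DES, which Java 8 rejects unless allow_weak_crypto is set in krb5.conf), 23 (RC4-HMAC), 18 (AES256) and 17 (AES128). What follows is an added example, not code from the question or from WildFly: a reader for the same MIT keytab format that reports, for the SPN the security domain is configured with, the kvno and enctypes present and flags single-DES and RC4 keys. A kvno that no longer matches the service account in AD, a missing SPN, or a keytab with no AES key are the usual things this catches before any WildFly configuration is touched. The sample keytab is constructed inline to mirror the log (same SPN, kvno 4, the same five enctypes); the key bytes are dummies.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

# Kerberos enctype numbers (RFC 3961/3962/4757) as they appear in the JDK debug output
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES (disabled in the JDK unless allow_weak_crypto) and RC4


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _counted(buf: bytes, pos: int):
    """Read a counted_octet_string (uint16 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT-format keytab (version 0x0502, big-endian), one entry per key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno, authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key, timestamp))
    return entries


def audit_keytab(data: bytes, expected_spn: str) -> dict:
    """Summarise what the keytab holds for the SPN the security domain is configured with."""
    mine = [e for e in parse_keytab(data) if e.principal == expected_spn]
    return {
        "spn_present": bool(mine),
        "kvnos": sorted({e.kvno for e in mine}),
        "enctypes": sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine),
        "weak_enctypes": sorted(e.enctype for e in mine if e.enctype in WEAK_ENCTYPES),
        "has_aes": any(e.enctype in (17, 18) for e in mine),
    }


def _counted_bytes(s: bytes) -> bytes:
    return struct.pack(">H", len(s)) + s


def build_keytab(principal: str, kvno: int, keys: Dict[int, bytes], timestamp: int = 0) -> bytes:
    """Write a keytab in the same format; used here only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    out = b"\x05\x02"
    for etype, key in keys.items():
        body = struct.pack(">H", name.count("/") + 1) + _counted_bytes(realm.encode())
        body += b"".join(_counted_bytes(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample, not the asker's file: same SPN, kvno 4 and the five enctypes the log lists.
SAMPLE_SPN = "HTTP/server.xxx.cz@XXX.CZ"
SAMPLE_KEYTAB = build_keytab(SAMPLE_SPN, 4, {1: b"\x01" * 8, 3: b"\x03" * 8, 23: b"\x17" * 16,
                                            18: b"\x12" * 32, 17: b"\x11" * 16}, timestamp=1459252286)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    print(audit_keytab(data, sys.argv[2] if len(sys.argv) > 2 else SAMPLE_SPN))
```

Run it as `python keytab_audit.py d:\web.keytab HTTP/server.xxx.cz@XXX.CZ` against a real file; with no arguments it audits the constructed sample. The principal string must match the `principal` module option exactly, realm case included, since the JDK looks keys up by full principal name.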

Answers (2)

Matej Liszka

Reputation: 1

I confirm that with the latest jboss-negotiation module (version 3.0.3) and WildFly 10.0.0 it is possible to use Kerberos authentication. The "Continuation Required" exception is still thrown, but it is masked in the log (unless the log category org.jboss.security is set to DEBUG). I made some more tests with WildFly 10.1.0 and confirm that Kerberos authentication works out of the box there (it ships with jboss-negotiation module 3.0.2); it is, however, better to patch to jboss-negotiation 3.0.3 as well if you are going to use LDAP for role mapping (because of the LDAP bug fixes in that version).

Upvotes: 0

Martin Choma

Reputation: 124

You hit https://issues.jboss.org/browse/JBEAP-3709, which will be fixed in WildFly once https://github.com/wildfly/wildfly/pull/8816 is merged.

The solution is to upgrade org.jboss.security.negotiation to version 3.0.2.Final, which you can achieve by rebuilding WildFly with the aforementioned pull request incorporated or by replacing the jars in the directory modules/system/layers/base/org/jboss/security/negotiation/main.

Upvotes: 2
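A check that complements the answers above, as an added example and not code from the question, the answers or the jboss-negotiation project: the log shows the server's own keytab login committing and then NegotiationContext.setContinuationRequired(true), which means the SPNEGO login module wanted another round trip with the browser. Before chasing module versions it is worth confirming what the browser actually puts in its Authorization: Negotiate header, because a client that could not obtain a service ticket for HTTP/server.xxx.cz offers NTLM instead of Kerberos, which is not a Kerberos exchange and cannot be validated with the server's keytab. The script below decodes the header (GSS-API wrapper, SPNEGO mechTypes list, mechToken) and reports whether Kerberos was offered and whether the inner token is NTLMSSP. The OIDs are the standard SPNEGO, Kerberos v5, Microsoft Kerberos and NTLMSSP identifiers; the sample headers are constructed here, not captured traffic.

```python
import base64
from typing import List, Tuple

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                       # base-128 with continuation bits
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value: str) -> dict:
    """Say what a client put in 'Authorization: Negotiate <base64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate"}
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):           # raw NTLMSSP message, no GSS wrapper
        return {"kind": "raw-ntlm", "ntlm_message_type": tok[8]}
    if not tok or tok[0] != 0x60:                 # not a GSS-API InitialContextToken
        return {"kind": "unknown"}
    _, inner, _ = read_tlv(tok)
    _, oid_bytes, pos = read_tlv(inner)
    mech = decode_oid(oid_bytes)
    if mech == OID_KRB5:
        return {"kind": "raw-krb5"}
    if mech != OID_SPNEGO:
        return {"kind": "unknown", "mech": mech}
    tag, neg_init, _ = read_tlv(inner, pos)       # NegotiationToken: negTokenInit is [0]
    if tag != 0xA0:
        return {"kind": "spnego-other"}
    _, seq, _ = read_tlv(neg_init)                # NegTokenInit ::= SEQUENCE { ... }
    mechs, mech_token, p = [], b"", 0
    while p < len(seq):
        tag, val, p = read_tlv(seq, p)
        if tag == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            q = 0
            while q < len(lst):
                _, oidv, q = read_tlv(lst, q)
                mechs.append(decode_oid(oidv))
        elif tag == 0xA2:                         # [2] mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(val)
    return {"kind": "spnego", "mech_types": mechs, "preferred": mechs[0] if mechs else None,
            "kerberos_offered": any(m in (OID_KRB5, OID_MS_KRB5) for m in mechs),
            "mech_token_is_ntlm": mech_token.startswith(b"NTLMSSP\x00")}


def build_neg_token_init(mechs: List[str], mech_token: bytes) -> bytes:
    """Encode a NegTokenInit; used here only to construct the sample headers."""
    mech_list = der(0xA0, der(0x30, b"".join(der_oid(m) for m in mechs)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, der_oid(OID_SPNEGO) + der(0xA0, der(0x30, mech_list + token)))


def _header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed samples, not captured traffic. A browser holding a service ticket offers
# Kerberos first; one that could not get a ticket for the SPN falls back to NTLM.
KRB5_HEADER = _header(build_neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\x60\x20" + b"\x00" * 32))
NTLM_FALLBACK_HEADER = _header(build_neg_token_init([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20))
RAW_NTLM_HEADER = _header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    for h in (KRB5_HEADER, NTLM_FALLBACK_HEADER, RAW_NTLM_HEADER):
        print(classify_negotiate(h))
```

Paste a real header value from the browser's developer tools or an Undertow request dump into classify_negotiate. If kerberos_offered is false or the mechToken is NTLMSSP, the fix is on the client side (SPN registered for the right account, host resolvable under the name the browser uses, site in a zone that allows automatic logon) and no server module version will make the login complete.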
