5 Replies Latest reply: Mar 1, 2012 9:14 AM by Tanya Ruttenberg

Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final

Tanya Ruttenberg Expert

Hi, we use kerberos to authenticate and ldap to lookup roles. Here is my configuration from login-config.xml from AS 5.1.


<application-policy name="host">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                  flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="principal">HTTP/s00c208.ba.ssa.gov@BA.AD.SSA.GOV</module-option>
      <module-option name="keyTab">/etc/krb5/909739DES.keytab</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- SPNEGO -->
<application-policy name="SPNEGO">
  <authentication>
    <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="serverSecurityDomain">host</module-option>
    </login-module>

    <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <!-- <module-option name="bindAuthentication">GSSAPI</module-option> -->
      <!-- <module-option name="jaasSecurityDomain">host</module-option> -->

      <module-option name="java.naming.provider.url">ldap://ldapauth.lb.ssa.gov:3268</module-option>
      <module-option name="baseCtxDN">DC=ad,DC=ssa,DC=gov</module-option>
      <module-option name="baseFilter">(userPrincipalName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="recurseRoles">true</module-option>
      <module-option name="bindDN">BA\287058</module-option>
      <module-option name="bindCredential">XXXXXXXX</module-option>
    </login-module>
  </authentication>
</application-policy>


Note the commented-out part. I think I am now having the problem we had then, which was FIXED by commenting out those two module-options. Here is the AS 7 analog from standalone.xml:


<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/s00c208.ba.ssa.gov@BA.AD.SSA.GOV"/>
            <module-option name="keyTab" value="/etc/krb5/909739DES.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="false"/>
        </login-module>
    </authentication>
</security-domain>

<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
        </login-module>
        <login-module code="AdvancedLdap" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="java.naming.provider.url" value="ldap://ldapauth.lb.ssa.gov:3268"/>
            <module-option name="baseCtxDN" value="DC=ad,DC=ssa,DC=gov"/>
            <module-option name="baseFilter" value="userPrincipalName={0}"/>
            <module-option name="roleAttributeID" value="memberOf"/>
            <module-option name="roleAttributeIsDN" value="true"/>
            <module-option name="roleNameAttributeID" value="cn"/>
            <module-option name="recurseRoles" value="true"/>
            <module-option name="bindDN" value="BA\287058"/>
            <module-option name="bindCredential" value="XXXXXXXX"/>
        </login-module>
    </authentication>
</security-domain>


I'm appending my logfile. I can successfully do both the basic negotiation and the secure domain test from the negotiation toolkit. But when I try the secured servlet, it bombs. To me it looks like the client or server or whatever - "it" - does not know I am authenticated, so it attempts to authenticate using NTLM. But the logs tell the complete story. I have tried this with bindAuthentication and jaasSecurityDomain set, but it still didn't work.


FTR, here is my jboss-web.xml:


<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
      <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
  <context-root>/</context-root>
</jboss-web>


Can anyone explain why this is not working? I'm new to this -- my colleague set this up -- but I am trying very hard to understand.


Thanks,

TDR

  • 1. Re: Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
    Tanya Ruttenberg Expert

    A friend took a look at this with me. It seems that Kerberos authentication IS working, but the LDAP connection is never attempted.


    Help?

  • 2. Re: Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
    Darran Lofthouse Master

    Are you running the AS 7 instance on the same host as you were running the AS 5 instance?


    Looking at your log, it appears that although the browser initially trusts the server enough to attempt a SPNEGO negotiation, once the server sends back a challenge the server is no longer trusted, which is why it then tries to switch to NTLM.

  • 3. Re: Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
    Tanya Ruttenberg Expert

    Yes, I am running AS 7 on the same host. Why would this behavior be any different on the new server?


    I cannot access the negotiation tool by the hostname, only by the IP address. I can't figure out why this would be the case. Maybe related?


    I'm running with these options:


    -Djava.security.krb5.kdc=DS-GC-BA-02.ba.ad.ssa.gov
    -Djava.security.krb5.realm=BA.AD.SSA.GOV
    -Djava.security.krb5.conf=/etc/krb5.conf
    -Djava.security.krb5.debug=true
    -Dgov.ssa.dne.nmst.ldap_url=ldap://ldapauth.lb.ssa.gov:3268
    -Dgov.ssa.dne.nmst.ldap_user=BA\287058
    -Dgov.ssa.dne.nmst.ldap_pass=XXXXXXXX


    Here is how my interfaces are defined:


    <interfaces>
        <interface name="management">
            <inet-address value="${jboss.bind.address.management:172.17.187.208}"/>
        </interface>
        <interface name="public">
            <inet-address value="${jboss.bind.address:172.17.187.208}"/>
        </interface>
    </interfaces>

    Grasping at straws. Darran, if you can point me in a direction or give me some other way to gather more information or debug this, I'd be appreciative.


    TDR

  • 4. Re: Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
    Darran Lofthouse Master

    The SPNEGO negotiation is fundamentally based on the address used to connect to the server; it is this address that is the basis for all trust in the process. This is the reason the 'which host' question is important, as you cannot take a working configuration from one host and set it up on a second host.


    You say you can only access the toolkit using the IP address; that is possibly related, as you are changing the expected identity of the server. Are you able to access the AS 5 installation by host name? Also, how are you keeping the two installations separate? Are you starting them independently, binding to different addresses, or using different port ranges?
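Darran's point that the browser derives the server's identity from the host in the URL can be checked against the posted configuration. The script below is an added example, not code from this thread or from JBoss: it reads the Kerberos principal out of a constructed standalone.xml fragment modelled on the one in the question and reports whether a given URL would lead the browser to request a ticket that the keytab principal can serve. The alias hostname used in the checks is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment modelled on the standalone.xml in the question; not the poster's real file.
STANDALONE_XML = """
<security-domains>
  <security-domain name="host" cache-type="default">
    <authentication>
      <login-module code="Kerberos" flag="required">
        <module-option name="useKeyTab" value="true"/>
        <module-option name="principal" value="HTTP/s00c208.ba.ssa.gov@BA.AD.SSA.GOV"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>
"""


def keytab_principal(xml_text, domain="host"):
    """Return the 'principal' option of the Kerberos login module in the named security domain."""
    root = ET.fromstring(xml_text)
    for sd in root.iter("security-domain"):
        if sd.get("name") != domain:
            continue
        for opt in sd.iter("module-option"):
            if opt.get("name") == "principal":
                return opt.get("value")
    return None


def diagnose(url, xml_text):
    """Report whether a browser visiting url can obtain a ticket for the server's keytab principal.

    The browser builds the SPN from the host part of the URL only (HTTP/<host>); the port is
    not part of it, so AS 5 on :80 and AS 7 on :8080 on the same host share one principal.
    """
    principal = keytab_principal(xml_text)
    service, _, realm = principal.partition("@")
    host = urlsplit(url).hostname  # already lower-cased, port stripped
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a DNS name: SPNEGO can proceed
    else:
        return "no-spnego", "IP literal in URL: browsers request no Kerberos ticket and fall back to NTLM"
    wanted = f"HTTP/{host}"
    if wanted.lower() == service.lower():
        return "ok", f"browser requests {wanted}@{realm}, which the keytab principal serves"
    return "spn-mismatch", f"browser requests {wanted}@{realm} but the keytab holds {principal}"
```

Run `diagnose("http://172.17.187.208:8080/", STANDALONE_XML)` to see the IP-address case that the thread describes, and the same call with the hostname to see that the port makes no difference.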

  • 5. Re: Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
    Tanya Ruttenberg Expert

    I'm going to investigate further today why I cannot access the toolkit using the hostname.


    The apps on the AS 5 installation are set up on virtual servers all aliased to the main hostname. That gives me the idea to set up the AS 7 installation to use the same virtual hostnames.


    The two installations run simultaneously on different ports on the same IP address: AS 5 on 80 and AS 7 on 8080.


    If I figure it out I will post back here. Meanwhile I'm interested in hearing any more ideas.