5 Replies Latest reply: Dec 13, 2012 9:56 AM by guillaume cornet

Continuation Required exception

Oved Ourfali Newbie

Hi Darren,

We are trying to configure SPNEGO auth for my web application and are hitting some Kerberos-related problems.

We've been following the 'User Guide for JBoss Negotiation' with the relevant changes as documented here: https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7

KDC is AD2003R2

and after a few trials and errors we've got the SPN right.

However, when trying the secured test in the negotiation toolkit (from both win2003R2 and WinXP), we get the following:

2012-01-16 17:43:57,116 INFO  [stdout] (http--0.0.0.0-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/tlv/oourfali/negotiation/service.keytab refreshKrb5Config is false principal is host/MY_HOST@MY_DOMAIN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2012-01-16 17:43:57,117 INFO  [stdout] (http--0.0.0.0-8080-1) principal's key obtained from the keytab
2012-01-16 17:43:57,117 INFO  [stdout] (http--0.0.0.0-8080-1) Acquire TGT using AS Exchange
2012-01-16 17:43:57,123 INFO  [stdout] (http--0.0.0.0-8080-1) principal is host/MY_HOST@MY_DOMAIN
2012-01-16 17:43:57,123 INFO  [stdout] (http--0.0.0.0-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 23 83 92 78 CB 63 67 D2   39 40 AD 53 A9 C0 23 A0  #..x.cg.9@.S..#.
2012-01-16 17:43:57,123 INFO  [stdout] (http--0.0.0.0-8080-1)
2012-01-16 17:43:57,125 INFO  [stdout] (http--0.0.0.0-8080-1) Added server's keyKerberos Principal host/MY_HOST@MY_DOMAINKey Version 8key EncryptionKey: keyType=23 keyBytes (hex dump)=
2012-01-16 17:43:57,125 INFO  [stdout] (http--0.0.0.0-8080-1) 0000: 23 83 92 78 CB 63 67 D2   39 40 AD 53 A9 C0 23 A0  #..x.cg.9@.S..#.
2012-01-16 17:43:57,125 INFO  [stdout] (http--0.0.0.0-8080-1)
2012-01-16 17:43:57,125 INFO  [stdout] (http--0.0.0.0-8080-1)
2012-01-16 17:43:57,126 INFO  [stdout] (http--0.0.0.0-8080-1)           [Krb5LoginModule] added Krb5Principal  host/MY_HOST@MY_DOMAIN to Subject
2012-01-16 17:43:57,126 INFO  [stdout] (http--0.0.0.0-8080-1) Commit Succeeded
2012-01-16 17:43:57,126 INFO  [stdout] (http--0.0.0.0-8080-1)
2012-01-16 17:43:57,126 INFO  [stdout] (http--0.0.0.0-8080-1)           [Krb5LoginModule]: Entering logout
2012-01-16 17:43:57,126 INFO  [stdout] (http--0.0.0.0-8080-1)           [Krb5LoginModule]: logged out Subject
2012-01-16 17:43:57,127 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-2.2.0.Beta3.jar:]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
        at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [:1.6.0_24]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_24]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_24]
        at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_24]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_24]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:412) [picketbox-infinispan-4.0.6.Beta1.jar:]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:346) [picketbox-infinispan-4.0.6.Beta1.jar:]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:155) [picketbox-infinispan-4.0.6.Beta1.jar:]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.0.Beta1b.jar:]
        at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-2.2.0.Beta3.jar:]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.3.Final.jar:]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:151) [jboss-as-web-7.1.0.Beta1b.jar:]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.3.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.3.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.3.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [jbossweb-7.0.3.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.3.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.3.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.3.Final.jar:]
        at java.lang.Thread.run(Thread.java:662) [:1.6.0_24]

Appreciate your help,

Oved

  • 1. Re: Continuation Required exception
    grrd Newbie

    Hello,

    I am having the same problem. I was able to trace it down to the fact that the wrong type of mech token is presented first in the list; see the code here:

    http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.security/jboss-negotiation-spnego/2.2.0.Beta3/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java?av=f#322

    The first mech token is checked for its type, and if it is not Kerberos, the rest will fail. However, in my setup there are three mech tokens available (I have debugged this to check), but the first in my list is not "Kerberos V5" (OID 1.2.840.113554.1.2.2), but "Kerberos V5 legacy" (OID 1.2.840.48018.1.2.2). The next in my list, however, is "Kerberos V5", the expected one.

    So my question then is: how to handle this? Is there a reason why this will not work if the mech list is in this order? Is it possible to configure Active Directory (in my case) to NOT send the "Legacy" part? Or should the code ideally have handled this situation?

    Appreciate all feedback!

  • 2. Re: Continuation Required exception
    Jordi Alvarez Newbie

    Hello, we are experiencing the same situation as described by grrd:

    - Kerberos legacy appears first, and Kerberos second.
    - The continuation required exception appears.
    - A second authentication is performed and this one fails with: Unable to authenticate - Unsupported mechanism requested: 1.2.840.113554.1.2.2

    We are testing this with the jboss-negotiation-toolkit.war. The first two servlets work OK, while the secured one shows the error.

    Any ideas?

  • 3. Re: Continuation Required exception
    guillaume cornet Newbie

    @Oved and @grrd,

    I faced the same problem some days ago and my opinion is that "Continuation Required" should not be logged as an exception, but as a simple INFO message.

    This article (http://msdn.microsoft.com/en-us/library/ms995330.aspx) explains SPNEGO.

    Once read, you should understand that "Continuation Required" is a normal SPNEGO behavior.

    Extract:

    "Note that for the server side handler to be complete, it should gracefully handle the following conditions: [...]

    NegTokenInit arrives, but Kerberos OID is in MechList and not in first position (meaning the client supports Kerberos, but the initial token, if available, will not be optimized for Kerberos—remember the optimized token corresponds to the first OID in the MechTypeList), or no initial MechToken is available—server should send a response token that indicates that it supports the Kerberos MechType and negResult of accept_incomplete. This will prompt the client to send over a Kerberos token for authentication."

    FYI:
    Windows Server 2008 MechList: {Kerberos V5 Legacy} {Kerberos V5} {1.3.6.1.4.1.311.2.2.30} {NTLM}
    Windows XP MechList: {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
    RHEL 6.3 MechList: {Kerberos V5} {1.3.5.1.5.2} {Kerberos V5 Legacy} {1.3.6.1.5.2.5}

    => Every time the {Kerberos V5} OID is not in the first position in the MechList, you will see a "Continuation Required" exception in the AS7 log...

  • 4. Re: Continuation Required exception
    Nigel Benns Newbie

    I'm getting the same thing; it's not the continuation that's the problem, but the second thing as stated above:

    A second authentication is performed and this one fails with: Unable to authenticate - Unsupported mechanism requested: 1.2.840.113554.1.2.2

    It's causing my pages not to work at all.

    Does anyone have a solution for this?

    I basically have this exact setup:

    https://access.redhat.com/knowledge/docs/en-US/JBoss_Enterprise_Application_Platform/6/html/Development_Guide/Configure_Kerberos_or_Microsoft_Active_Directory_Desktop_SSO_for_Web_Applications.html

    Windows 2008 R2 but not in native mode.

    And another funny thing is that I only seem to be able to get RC4-HMAC tickets, not AES-128/256, but that might be unrelated.

  • 5. Re: Continuation Required exception
    guillaume cornet Newbie

    @Nigel Benns,

    My previous answer only concerns the "Continuation required" ...

    not the second one :-) but I will do my best to help.

    Could you please answer these questions?

      - Could you send a full stack trace? (not the 'continuation required' one!)
      - Did you enable TRACE logs for package "org.jboss.security"?
      - Could you send the hex dump of the request which causes the error? (just enable TRACE, use the 'Secured' servlet of jboss-negotiation-toolkit, and copy/paste the log). It should look like: 15:26:42,543 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-/0.0.0.0:8080-1)  0xa1 0x82 0x04 0xf7 0x30 0x82 0x04 0xf3 0xa2 0x82 0x04 0xef 0x04 0x82 0x04 0xeb 0x60 0x82 0x04 0xe7 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02 0x02 0x01 0x00 0x6e 0x82 0x04 0xd6 0x30 0x82 0x04 0xd2 0xa0 0x03 0x02 0x01 0x05 0xa1 0x03 0x02 0x01 0x0e 0xa2 0x07 0x03 0x05 0x00 0x00 0x00 0x00 0x00 0xa3 0x82 ...
      - Which OS are you using on the JBoss Server side?
      - Which OS are you using on the browser side?
      - Which Kerberos Server are you using? MIT? AD DS?
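Worked example added to this thread (not code from any of the posters or from JBoss Negotiation): a small Python decoder for the DER framing of SPNEGO tokens (RFC 4178). It builds a NegTokenInit whose mechTypes follow the Windows XP order that grrd (reply 1) and guillaume (reply 3) describe (Kerberos V5 Legacy first, Kerberos V5 second), parses the list back, applies the acceptor rule from the MSDN extract in reply 3 (Kerberos present but not in first position: answer accept-incomplete and ask for a Kerberos token), and walks the first 37 bytes of the TRACE hex dump in reply 5 to show that the second leg is a negTokenResp whose responseToken carries a Kerberos V5 (1.2.840.113554.1.2.2) AP-REQ. The sample token, the one-byte dummy mechToken, the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10 and all function names are my assumptions, not values from the thread; the decoder only handles the field orders seen in these two tokens, not every layout RFC 4178 allows.

```python
SPNEGO = "1.3.6.1.5.5.2"
KERBEROS_V5 = "1.2.840.113554.1.2.2"        # the OID the server expects
KERBEROS_V5_LEGACY = "1.2.840.48018.1.2.2"  # "MS KRB5", first in the Windows MechLists
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"          # assumed standard NTLMSSP OID (not on the page)

def encode_oid(dotted):
    """DER-encode a dotted OID: first two arcs merged, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)

def decode_oid(body):
    """Inverse of encode_oid, applied to the OID content bytes."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def der(tag, content):  # wrap content in a DER TLV (short- or long-form length)
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content

def read_header(buf, pos):
    """(tag, content_length, content_start); reads only the header, so a truncated capture walks."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    nbytes = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes

def expect(buf, pos, tag, what):  # read_header that fails when the tag is not the expected one
    got, length, start = read_header(buf, pos)
    if got != tag:
        raise ValueError("expected %s (0x%02x) at offset %d, got 0x%02x" % (what, tag, pos, got))
    return length, start

def build_neg_token_init(mech_types, mech_token=b""):
    """Client InitialContextToken carrying a NegTokenInit with the given mechTypes."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(m)) for m in mech_types))
    fields = der(0xA0, mech_list)                   # [0] mechTypes
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))  # [2] mechToken (optimistic token)
    return der(0x60, der(0x06, encode_oid(SPNEGO)) + der(0xA0, der(0x30, fields)))

def parse_mech_types(token):
    """mechTypes OIDs of a NegTokenInit, in the order the client offered them."""
    _, pos = expect(token, 0, 0x60, "InitialContextToken")
    length, pos = expect(token, pos, 0x06, "thisMech OID")
    if decode_oid(token[pos:pos + length]) != SPNEGO: raise ValueError("thisMech is not SPNEGO")
    pos += length
    _, pos = expect(token, pos, 0xA0, "negTokenInit")
    _, pos = expect(token, pos, 0x30, "NegTokenInit SEQUENCE")
    _, pos = expect(token, pos, 0xA0, "mechTypes")
    length, pos = expect(token, pos, 0x30, "MechTypeList")
    end, mechs = pos + length, []
    while pos < end:
        length, pos = expect(token, pos, 0x06, "MechType OID")
        mechs.append(decode_oid(token[pos:pos + length]))
        pos += length
    return mechs

def server_decision(mech_types):
    """Acceptor rule from the MSDN extract in reply 3 for a Kerberos-only server (the thread
    reports jboss-negotiation 2.2.0.Beta3 raising "Continuation Required" in the last case)."""
    if KERBEROS_V5 not in mech_types:
        return "reject"             # client cannot do Kerberos at all
    if mech_types[0] == KERBEROS_V5:
        return "use-initial-token"  # optimistic mechToken is already a Kerberos AP-REQ
    return "accept-incomplete"      # reply with Kerberos mechType and ask for a Kerberos token

def describe_neg_token_resp(buf):
    """Mechanism OID and token id in the responseToken of a negTokenResp (reply 5 layout)."""
    _, pos = expect(buf, 0, 0xA1, "negTokenResp")
    _, pos = expect(buf, pos, 0x30, "NegTokenResp SEQUENCE")
    _, pos = expect(buf, pos, 0xA2, "responseToken")   # negState omitted in that dump
    _, pos = expect(buf, pos, 0x04, "OCTET STRING")
    _, pos = expect(buf, pos, 0x60, "inner InitialContextToken")
    length, pos = expect(buf, pos, 0x06, "mechanism OID")
    return decode_oid(buf[pos:pos + length]), buf[pos + length:pos + length + 2]

# First 37 bytes of the TRACE hex dump in reply 5 (the page elides the rest).
REPLY5_DUMP_PREFIX = bytes.fromhex(
    "a18204f7308204f3a28204ef048204eb608204e7" "06092a864886f712010202" "0100" "6e8204d6")
# Constructed sample: Windows XP MechList order from reply 3 plus a one-byte dummy mechToken.
WINDOWS_XP_TOKEN = build_neg_token_init([KERBEROS_V5_LEGACY, KERBEROS_V5, NTLMSSP], b"\x00")

if __name__ == "__main__":
    print(parse_mech_types(WINDOWS_XP_TOKEN), describe_neg_token_resp(REPLY5_DUMP_PREFIX))
```

Run as a script it prints the three offered OIDs (legacy first) and, for the reply 5 bytes, the Kerberos V5 OID followed by the token id 01 00, which RFC 4121 assigns to KRB_AP_REQ. Because read_header consumes only tag and length, the walk succeeds on the truncated dump even though its outer length field announces 1271 bytes that are not on the page; a full validator would additionally check that every content range fits inside its parent.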