2 Replies Latest reply on Jan 24, 2014 6:13 AM by prasadpete

    jboss-negotiation-toolkit test SecurityDomainTest does not work

    minal.bagade

      Hi,

      I need help finding the solution to make the SecurityDomainTest and Secured tests work.

      Below is my configuration:

      Machines:

      AD
      ----------
      Windows 2008 R2 (domain: ssodomain.com)
      Users: ASUser (SPN user)
             john (client machine domain user)

      Application Server:
      --------------
      Windows 7 (domain: ssodomain)
      JBoss 5.1.0 GA

      Client Machine:
      ---------------
      Windows 7 (domain: ssodomain)
      Logged in user: john
      IE 8.

      I created an SPN on AD:

      C:\Keytab>ktpass -out ASUser_keytab -princ ASUser@SSODOMAIN.COM -mapUser ASUser -kvno 0 -crypto AES128-SHA1 -pass Password@123 -ptype KRB5_NT_PRINCIPAL

      Targeting domain controller: SSOAD.ssodomain.com
      Using legacy password setting method
      Failed to set property 'servicePrincipalName' to 'ASUser' on Dn 'CN=ASUser,CN=Users,DC=ssodomain,DC=com': 0x13.
      WARNING: Unable to set SPN mapping data.
      If ASUser already has an SPN mapping installed for ASUser, this is no cause for concern.
      Key created.
      Output keytab to ASUser_keytab:
      Keytab version: 0x502
      keysize 54 ASUser@SSODOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0x6b8614aad1ac1e482b769fd5b91d6e1b)

       

       

       

      Later I configured the login-config.xml file of the default profile:

      <application-policy name="host">
        <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">HTTP/ASUser@SSODOMAIN.COM</module-option>
            <module-option name="keyTab">ASUser_keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
          </login-module>
        </authentication>
      </application-policy>

      <application-policy name="SPNEGO">
        <authentication>
          <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
          </login-module>
          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="bindAuthentication">GSSAPI</module-option>
            <module-option name="jaasSecurityDomain">host</module-option>
            <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</module-option>
            <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</module-option>
            <module-option name="baseFilter">(userPrincipalname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="rolenameAttributeID">cn</module-option>
            <module-option name="recurseRoles">true</module-option>
          </login-module>
        </authentication>
      </application-policy>

       

      Configured my IE 8 on the client machine for SPNEGO.

      When I hit the jboss-negotiation-toolkit from the client browser IE 8:

      1. Basic negotiation is successful.

      2. But SecurityDomainTest gives the below error:

      Negotiation Toolkit
      Security Domain Test
      Testing security-domain 'host'
      Failed!
      javax.security.auth.login.LoginException - No LoginModules configured for host

      On the JBoss console I can see the following error:

      19:38:40,714 INFO  [BasicNegotiationServlet] Authorization header received - decoding token.
      19:39:27,187 ERROR [SecurityDomainTestServlet] testDomain Failed
      javax.security.auth.login.LoginException: No LoginModules configured for host
              at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.testDomain(SecurityDomainTestServlet.java:105)
              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.doGet(SecurityDomainTestServlet.java:77)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:722)

      3. And the Secured test gives me a blank page.

      Please share any workaround or solution; it would be a great help.

      Thanks,

      Minal

        • 1. Re: jboss-negotiation-toolkit test SecurityDomainTest does not work
          minal.bagade

          Update,

          When I use the same configuration with

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-users.properties</module-option>
            <module-option name="rolesProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-roles.properties</module-option>
          </login-module>,

          the Basic Negotiation and Security Domain tests work well, and the Secured test fails.

          But when I use

          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="bindAuthentication">GSSAPI</module-option>
            <module-option name="jaasSecurityDomain">host</module-option>
            <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</module-option>
            <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</module-option>
            <module-option name="baseFilter">(userPrincipalname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="rolenameAttributeID">cn</module-option>
            <module-option name="recurseRoles">true</module-option>
          </login-module>

          it gives me the above error and only the Basic Negotiation works.

          • 2. Re: jboss-negotiation-toolkit test SecurityDomainTest does not work
            prasadpete

            Hi Minal,

            The problem is with the SPN name you have used to create the keytab file.
            It should be in this format: HTTP/<APPLICATIONSERVER_NAME>.<LDAP_DOMAIN_NAME>@DOMAIN.COM.

            E.g., if my appserver is on sample012.life.com and my LDAP server's domain name is SSODOMAIN, then the SPN name should be HTTP/sample012.SSODOMAIN.COM@SSODOMAIN.COM.

            Use this and regenerate the keytab file. Once you've generated the keytab, execute kinit from your appserver machine and check that the connection is working.

            Hope that helps!
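The reply's point is that the principal written into the keytab has to be the service principal the login-config.xml `principal` option names, in the HTTP/&lt;appserver&gt;.&lt;domain&gt;@REALM form; in the thread, ktpass was run with -princ ASUser@SSODOMAIN.COM while login-config.xml asks for HTTP/ASUser@SSODOMAIN.COM. The following Python is an added example, not code from the thread or from JBoss Negotiation: it parses a version 0x502 keytab of the layout ktpass printed (one 54-byte entry, etype 0x11, vno 0), checks whether a given principal is present, and applies the reply's SPN format rule; the keytab bytes are constructed here with an all-zero key, not the key from the thread.

```python
import struct

def build_keytab(principal, kvno, enctype, key, timestamp=0):
    """Serialise one entry in MIT keytab format 0x502 (test-data helper)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:                 # optional 32-bit kvno trailer overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def keytab_has_principal(data, principal):
    return any(p == principal for p, _, _ in parse_keytab(data))

def spn_follows_reply_format(principal):
    """Apply the reply's rule: HTTP/<appserver>.<domain>@REALM with an upper-case realm."""
    name, sep, realm = principal.rpartition("@")
    comps = name.split("/")
    return bool(sep and realm and realm == realm.upper()
                and len(comps) == 2 and comps[0] == "HTTP" and "." in comps[1])

# Constructed keytab mirroring the thread's ktpass output (format 0x502, one 54-byte
# entry, etype 0x11, vno 0); the key is all zeros, not the key printed in the thread.
KEYTAB = build_keytab("ASUser@SSODOMAIN.COM", 0, 0x11, bytes(16))
```

Run against a real keytab, `keytab_has_principal(open(path, "rb").read(), principal)` tells you before starting JBoss whether the `principal` option and the keytab agree, which is the mismatch that otherwise surfaces only as a failed login.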