[
https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864746#action_12864746
]
Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------
Hi,
Yes, I have; I followed them step by step. But I had to remove
udp_preference_limit = 1 from krb5.conf.
I think this is the problem:
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
(WARNUNG is WARNING in German.)
This is the log file:
>>>KinitOptions cache name is /tmp/krb5cc_1000
Kerberos-Benutzername [drieks]: [email protected]
Kerberos-Passwort für [email protected]: hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=533
>>> KrbKdcReq send: #bytes read=533
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Found ticket for [email protected] to go to
krbtgt/[email protected] expiring on Fri May 07 13:52:06 CEST 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 12ba57aa
>>>crc32: 10010101110100101011110101010
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=568
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=568
>>> KrbKdcReq send: #bytes read=507
>>> KrbKdcReq send: #bytes read=507
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 5cfa8fb0
>>>crc32: 1011100111110101000111110110000
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 9a6c3d10
>>>crc32: 10011010011011000011110100010000
Krb5Context setting mySeqNumber to: 1056242984
Created InitSecContextToken:
06.05.2010 13:52:06 org.apache.http.impl.client.DefaultRequestDirector handleResponse
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
</body></html>
----------------------------------------
Using Wireshark, everything seems to be OK:
> GET /test.php HTTP/1.1
> Host: server4.kdctest.local
> Connection: Keep-Alive
> User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)
< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 11:52:00 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0
< WWW-Authenticate: Negotiate
< Vary: Accept-Encoding
< Content-Length: 630
< Keep-Alive: timeout=15, max=100
< Connection: Keep-Alive
< Content-Type: text/html; charset=iso-8859-1
<
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested. Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>
>GET /test.php HTTP/1.1
>Host: server4.kdctest.local
>Connection: Keep-Alive
>User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)
>Authorization: Negotiate
But here, the server responds with 401:
< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 11:52:06 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0
< Vary: Accept-Encoding
< Content-Length: 630
< Keep-Alive: timeout=15, max=99
< Connection: Keep-Alive
< Content-Type: text/html; charset=iso-8859-1
<
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested. Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>
Compared to curl dump:
> GET /test.php HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
> zlib/1.2.3.3 libidn/1.15
> Host: server4.kdctest.local
> Accept: */*
< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 12:02:30 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0
< WWW-Authenticate: Negotiate
< Vary: Accept-Encoding
< Content-Length: 630
< Content-Type: text/html; charset=iso-8859-1
<
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested. Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>
> GET /test.php HTTP/1.1
> Authorization: Negotiate
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k
> zlib/1.2.3.3 libidn/1.15
> Host: server4.kdctest.local
> Accept: */*
< HTTP/1.1 200 OK
< Date: Thu, 06 May 2010 12:02:30 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with
Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g
mod_perl/2.0.4 Perl/v5.10.0
< X-Powered-By: PHP/5.2.6-1+lenny8
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
<
< 2005
< <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
< <html><head>
< <style type="text/css">
(...)
I can't find a solution for this. The HTTP server works fine with curl and
Firefox.
ClientKerberosAuthentication.java also always asks for the username and
password, ignoring kinit / kdestroy in the terminal.
With kdestroy:
>>>KinitOptions cache name is /tmp/krb5cc_1000
Kerberos-Benutzername [drieks]:
With kinit [email protected]:
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream> client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Thu May 06 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> start time: Thu May 06 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> end time: Fri May 07 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream> client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> start time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()
java.io.IOException: extra data given to DerValue constructor
at sun.security.util.DerValue.init(Unknown Source)
at sun.security.util.DerValue.<init>(Unknown Source)
at sun.security.krb5.internal.Ticket.<init>(Unknown Source)
at sun.security.krb5.internal.ccache.CCacheInputStream.readData(Unknown Source)
at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(Unknown Source)
at sun.security.krb5.internal.ccache.FileCredentialsCache.load(Unknown Source)
at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(Unknown Source)
at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(Unknown Source)
at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at sun.security.jgss.GSSUtil.login(Unknown Source)
at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:233)
at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:104)
at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:108)
at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:453)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:693)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:624)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
at org.apache.http.examples.client.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:153)
Kerberos-Benutzername [drieks]:
Do you have any suggestion?
Thank you,
Dennis
> kerberos auth not working
> -------------------------
>
> Key: HTTPCLIENT-934
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-934
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: Examples, HttpClient
> Affects Versions: 4.1 Alpha1
> Reporter: Dennis Rieks
> Priority: Minor
>
> Hi,
> I used org/apache/http/examples/client/ClientKerberosAuthentication.java to
> test Kerberos authentication.
> My setup:
> Apache2 on Debian (virtual machine "server4.kdctest.local") is set up to
> deliver Kerberos-authenticated content via HTTP and HTTPS.
> The Kerberos KDC (virtual machine "kdc.kdctest.local") also runs on Debian.
> On my desktop (Ubuntu) I can use kinit/klist/kdestroy to sign in on the
> Kerberos domain and server4 only delivers content when signed on.
> I used Firefox (with extra settings for HTTP in about:config) and curl (curl
> -k --negotiate -u : http://server4.kdctest.local/test.php) to test my
> Kerberos setup.
> The problem:
> ClientKerberosAuthentication always asks for the username/password and doesn't
> care about kinit. Also there is always an HTTP 401 error and no content is
> delivered.
> I used the latest svn version of httpclient.