Hi,

I need to communicate to a URL on the internet through a proxy server. The proxy server has Kerberos authentication integrated with an Active Directory. In my program I specify the "Proxy server" and a valid Active Directory user account for the proxy server, but communication fails with an error that Proxy Authentication Required. By debugging I see that the InitSecContext method has been called and a service ticket has been fetched. PFA programOutput.txt, the output of the program.

It seems to me that the code in GGSSchemeBase is inconsistent. In the method authenticate, the state is set to TOKEN_GENERATED; but when the parseChallenge method is called again by the HttpAuthenticator class, the state is set to FAILED. Following is the code in GGSSchemeBase.java, method parseChallenge:
    if (state == State.UNINITIATED) {
        token = base64codec.decode(challenge.getBytes());
        state = State.CHALLENGE_RECEIVED;
    } else {
        log.debug("Authentication already attempted");
        state = State.FAILED;
    }
If someone has already used Kerberos authentication with a proxy server or target server, please give me some sample code.

Thank you for your help.
Deepak
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Documents and Settings\administrator.TEST\krb5cc_administrator
>>>DEBUG <CCacheInputStream> client principal is Administrator@TEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is krbtgt/TEST.LOCAL@TEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Sun Nov 04 16:33:14 GMT+05:30 2012
>>>DEBUG <CCacheInputStream> start time: Sun Nov 04 16:33:14 GMT+05:30 2012
>>>DEBUG <CCacheInputStream> end time: Mon Nov 05 02:33:14 GMT+05:30 2012
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 05:30:00 GMT+05:30 1970
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /172.25.194.209
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> Obtained TGT from LSA: Credentials:
client=Administrator@TEST.LOCAL
server=krbtgt/TEST.LOCAL@TEST.LOCAL
authTime=20121104110314Z
startTime=20121104110314Z
endTime=20121104210314Z
renewTill=19700101000000Z
flags: INITIAL;PRE-AUTHENT
EType (int): 23
Principal is Administrator@TEST.LOCAL
Commit Succeeded
Found ticket for Administrator@TEST.LOCAL to go to krbtgt/TEST.LOCAL@TEST.LOCAL
expiring on Mon Nov 05 02:33:14 GMT+05:30 2012
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
>>> KdcAccessibility: reset
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17 18.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=win-xtqhaqj5814.test.local UDP:88, timeout=30000, number of retries =3, #bytes=1421
>>> KDCCommunication: kdc=win-xtqhaqj5814.test.local UDP:88, timeout=30000,Attempt =1, #bytes=1421
>>> KrbKdcReq send: #bytes read=1456
>>> KrbKdcReq send: #bytes read=1456
>>> KdcAccessibility: remove win-xtqhaqj5814.test.local
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 107022887
Created InitSecContextToken:
0000: 01 00 6E 82 05 5E 30 82 05 5A A0 03 02 01 05 A1 ..n..^0..Z......
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ......... ......
0020: 82 61 82 04 7E 30 82 04 7A A0 03 02 01 05 A1 0F .a...0..z.......
0030: 1B 0D 51 41 2E 53 43 43 4D 2E 4C 4F 43 41 4C A2 ..TEST.LOCAL.
0040: 2C 30 2A A0 03 02 01 00 A1 23 30 21 1B 04 48 54 ,0*......#0!..HT
0050: 54 50 1B 19 75 62 75 6E 74 75 78 36 34 2D 31 2E TP..ubuntux64-1.
0060: 71 61 2E 73 63 63 6D 2E 6C 6F 63 61 6C A3 82 04 test.local...
0070: 32 30 82 04 2E A0 03 02 01 12 A1 03 02 01 09 A2 20..............
0080: 82 04 20 04 82 04 1C 83 40 DD FA 65 7C 6B 62 17 .. ....@..e|kb.
0090: E6 0B 04 15 20 AC 8E 33 37 01 DF 97 E9 EA C7 BA .... ..37.......
00A0: 8A 2D 2C A7 2C D5 8B 7A 7A CD 5D 02 C5 C4 EF B7 .-,.,..zz.].....
00B0: A7 E0 CB 19 9A 4C 35 A7 B1 64 D8 2C 84 CB CF 0B .....L5..d.,....
00C0: C3 6B FD 12 F0 DE 61 37 53 60 6D 78 35 41 CF E2 .k....a7S`mx5A..
00D0: 4B 2D 16 BF 2E B9 B2 53 67 19 CB A1 EE E3 1E 0E K-.....Sg.......
00E0: 16 E2 E4 57 D9 CD 6B A3 F6 1F 2C CF 3F 54 44 48 ...W..k...,.?TDH
00F0: 23 70 9A 03 39 AD 67 54 6D 12 18 1D 1D 9B CF 2B #p..9.gTm......+
0100: 6A 8D D9 E8 D0 12 30 16 20 64 61 43 15 33 88 D7 j.....0. daC.3..
0110: CD 34 75 7D 8B 18 8B 46 D5 C7 95 E9 D5 8D 68 DC .4u....F......h.
0120: EE 26 66 4D 9C 7B 12 C0 30 51 33 84 63 12 70 12 .&fM....0Q3.c.p.
0130: 6C EE 99 F6 9F 04 92 3C 8B 77 A0 E2 73 C6 B5 FC l......<.w..s...
0140: 54 BA 16 4B 81 94 03 E2 1D EA 2F 2C 2E 1D 0C 92 T..K....../,....
0150: C5 35 98 3A 79 5C 62 BD 50 48 0A 5A A8 12 C0 E2 .5.:y\b.PH.Z....
0160: A2 B5 46 F6 5E 00 51 C6 7E 82 CE 13 A3 BB 46 1F ..F.^.Q.......F.
0170: 0B DC 2C CB A9 F5 C4 41 8F 07 DB 26 2A 57 ED 45 ..,....A...&*W.E
0180: 48 7B 5C 0E 7A 1A F1 80 F2 9C 1D 0F D9 90 24 5F H.\.z.........$_
0190: 2D 23 B5 0D F4 EB 7E AD DC 13 91 B9 0D F3 3E D2 -#............>.
01A0: 89 22 F7 E0 BD A6 DF 53 38 CD 3E CB 20 35 09 DD .".....S8.>. 5..
01B0: E5 5D 68 67 F0 3D 68 86 5E 52 58 BB AF B7 E2 6E .]hg.=h.^RX....n
01C0: 12 39 3D 94 5B 83 3F 8D 8B 48 5A F1 9C ED 8C DF .9=.[.?..HZ.....
01D0: D6 CB 10 82 9C 40 EF AE 6D 8C C3 4C 22 15 D6 2D .....@..m..L"..-
01E0: 7E B4 EB D9 3A F5 0C 7C 19 5E 6F A8 04 84 70 79 ....:....^o...py
01F0: 17 FF 51 93 C0 2C 3E 4C 28 4C 9A C8 29 6A 30 35 ..Q..,>L(L..)j05
0200: FC 58 23 87 B7 4B EF DF 34 C8 B6 BB 67 97 2E CF .X#..K..4...g...
0210: A2 71 E7 42 7E 40 43 03 3B 1B 43 9C 76 E9 12 8D .q.B.@C.;.C.v...
0220: 9E F0 40 D3 89 EE 57 91 7A 24 37 4D 9F 1A 5D 78 ..@...W.z$7M..]x
0230: AB C7 6E DE 37 15 0E 56 8C 3C 63 3C E2 DB 50 5C ..n.7..V.<c<..P\
0240: 9B 2B 2F 6D F9 D9 93 3C E8 55 5D AB 40 35 E9 04 .+/m...<.U].@5..
0250: 9A 27 73 89 FD 0D C4 F3 4F 4D C0 2E A3 21 7F 96 .'s.....OM...!..
0260: A8 7C 6D 97 CB 08 68 28 48 4E B7 39 00 13 42 35 ..m...h(HN.9..B5
0270: B6 BC 05 D1 02 57 61 48 D5 22 2D C5 01 12 00 DD .....WaH."-.....
0280: F3 D1 AC 20 66 4B 01 02 D4 74 56 A3 7F 88 A2 7E ... fK...tV.....
0290: 96 DB F5 D3 75 EE 51 03 BF F0 B1 B6 78 AA 90 1F ....u.Q.....x...
02A0: 06 D6 FC 7D F8 2B 4E A4 A3 DA CC B0 E7 3A 95 32 .....+N......:.2
02B0: 66 91 02 15 72 51 72 00 D1 2D 32 90 BB 32 63 61 f...rQr..-2..2ca
02C0: A5 E4 BE 6C 57 49 5D 1F 35 F4 40 F8 91 2D 33 37 ...lWI].5.@..-37
02D0: 5A 01 D7 00 B9 C9 E1 62 56 D2 C3 29 D7 15 F9 59 Z......bV..)...Y
02E0: B7 D1 E2 98 BC B7 78 A5 AE 23 F8 15 72 A2 B9 A5 ......x..#..r...
02F0: BC 7D FE B3 97 90 64 11 B3 1C 8D 9A 62 94 12 1B ......d.....b...
0300: A4 C7 58 23 E0 CB 6A 1C DB 55 BB 0A 8D 24 BD 0F ..X#..j..U...$..
0310: A6 C4 B2 08 0F 3A 56 E0 E8 51 8F 66 91 E3 B2 E6 .....:V..Q.f....
0320: DF EF BE 9A B3 42 10 53 93 EB FA 07 59 AA 19 7C .....B.S....Y...
0330: 94 F0 1D 0C B3 A1 32 FE 18 3D D9 4F 19 37 DD 5C ......2..=.O.7.\
0340: 17 F3 41 55 71 B4 2D 8F 00 2E FC 1D BD E8 95 7B ..AUq.-.........
0350: 9A 6A 82 34 11 22 F1 8F E3 70 4F 97 2B 03 17 51 .j.4."...pO.+..Q
0360: 99 6C 09 E2 2A 56 DC 79 7D FE ED 95 8A D4 5C 59 .l..*V.y......\Y
0370: 09 FF A2 CF 49 F5 AB D6 F7 17 A8 A5 EF 17 42 CE ....I.........B.
0380: 83 AB A8 38 2C 73 CA 96 ED 44 FD 06 43 EA 13 C0 ...8,s...D..C...
0390: AB ED 6A BE 58 06 91 0E EA 23 77 DC 0F BF B2 2A ..j.X....#w....*
03A0: 18 4A 4D 0D 60 E6 F4 1D DA 83 9B 78 F2 1D 44 6D .JM.`......x..Dm
03B0: 5A 2F 66 3B ED C3 1F 4D DA FB 85 48 F1 5E 5A C0 Z/f;...M...H.^Z.
03C0: B7 21 C6 74 2D 60 BF A3 EF 9D 50 7F AD D3 9B E5 .!.t-`....P.....
03D0: D4 84 19 62 C1 4B A4 18 09 D7 25 B1 A6 C7 0C 57 ...b.K....%....W
03E0: EB 1A 5C 62 3A 95 C1 7C FE 21 58 F9 26 C5 4C 00 ..\b:....!X.&.L.
03F0: BD 61 FD E6 B8 DA 93 63 7F 90 C5 5C F1 63 FD 07 .a.....c...\.c..
0400: E5 77 24 0D 42 4F D0 92 80 F6 13 D3 F0 48 15 0C .w$.BO.......H..
0410: 92 A1 1E 1D 93 28 A5 41 AC 22 0B 24 98 7F 07 D2 .....(.A.".$....
0420: 5F 51 58 DC B4 E2 32 A5 DC 71 35 41 F3 C3 CD BF _QX...2..q5A....
0430: 9B 63 85 6D 92 DB 3F EA 55 7F AE 8C A3 73 3F 40 .c.m..?.U....s?@
0440: C9 BB 9D A6 37 86 0E 91 22 EF 54 CD 50 02 93 B6 ....7...".T.P...
0450: C0 7D EA 47 64 C2 AF 55 56 B6 CE A6 EF 0C 24 78 ...Gd..UV.....$x
0460: 54 66 A2 56 58 80 61 62 EC 37 41 8D E6 D1 C3 A9 Tf.VX.ab.7A.....
0470: 08 10 DA 42 A2 95 C9 56 46 9F 96 C4 DE EB F4 A3 ...B...VF.......
0480: 36 CD AD 47 EB 6B 6F 31 6A 63 C4 9D 22 8A 79 D1 6..G.ko1jc..".y.
0490: C7 65 A1 AB 31 A6 D2 44 5F 3F 9C 81 74 AB 79 4B .e..1..D_?..t.yK
04A0: 05 CA EA A4 81 BE 30 81 BB A0 03 02 01 03 A2 81 ......0.........
04B0: B3 04 81 B0 41 87 CF 9F D6 7C 99 FE 88 40 38 0B ....A........@8.
04C0: 2B 05 47 8B 2F 9F 38 08 88 74 0C 0B AE 44 A2 EB +.G./.8..t...D..
04D0: 3F FE 0A 25 5E 99 96 16 62 04 E0 A4 41 6E 75 B1 ?..%^...b...Anu.
04E0: 32 D6 7A 53 A1 A0 35 F8 09 F8 21 20 8C A3 7E 91 2.zS..5...! ....
04F0: C2 D6 4B 43 C4 B4 B1 EF 2D 38 5C 4F E6 F8 6B 3D ..KC....-8\O..k=
0500: 2F 45 3B B6 8F 1A 5B E2 ED C5 71 EC DC 5E 93 33 /E;...[...q..^.3
0510: B5 16 19 A3 41 76 94 30 52 08 B2 DC E6 0C 37 89 ....Av.0R.....7.
0520: 71 19 8F F0 BF 2B EF 1C BC FB BC C4 32 FC FB E3 q....+......2...
0530: A5 8F 98 F0 C2 0C 77 89 DB 84 76 AE 5F 89 5A B3 ......w...v._.Z.
0540: D9 D8 6B 06 EC 28 2E DF AC AD CE E1 BE C6 05 E6 ..k..(..........
0550: 6F D6 7C 8F A9 1E 7E 2D 10 E4 BC 0A 6A 1F 16 8A o......-....j...
0560: D6 C1 7F 5A ...Z
org.apache.http.client.HttpResponseException: Proxy Authentication Required
	at org.apache.http.impl.client.BasicResponseHandler.handleResponse(BasicResponseHandler.java:68)
package org.apache.http.examples.client;

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collections;

import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeRegistry;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.ClientContext;
import org.apache.http.conn.params.ConnRoutePNames;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicResponseHandler;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.log4j.BasicConfigurator;

public class TestKerberosHttpClient {

    private static String kerbHttpHost = "http://www.google.com";

    public static void main(String[] args) throws KeyStoreException,
            NoSuchAlgorithmException, CertificateException, IOException,
            KeyManagementException, UnrecoverableKeyException {
        BasicConfigurator.configure();

        // JAAS login configuration and krb5.conf are read from the working directory.
        // sun.security.krb5.debug prints the Kerberos trace shown above;
        // useSubjectCredsOnly=false lets JGSS obtain credentials through the JAAS
        // login configuration (here: the ticket cache) instead of requiring a
        // Subject already present in the access control context.
        System.setProperty("java.security.auth.login.config", "login.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        if (args.length > 0) {
            kerbHttpHost = args[0];
        }

        DefaultHttpClient httpclient = new DefaultHttpClient();

        // Route every request through the Kerberos-authenticating proxy.
        HttpHost host = new HttpHost("proxyserver.test.local", 3128);
        httpclient.getParams().setParameter(ConnRoutePNames.DEFAULT_PROXY, host);
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope("proxyserver.test.local", 3128),
                new UsernamePasswordCredentials("TEST\\Administrator", "adminpasswd"));

        // Replace the default Negotiate scheme with SPNEGO. stripPort=true builds the
        // service principal name from the host name alone, without the port.
        AuthSchemeRegistry authSchemeRegistry = httpclient.getAuthSchemes();
        authSchemeRegistry.unregister("Negotiate");
        authSchemeRegistry.register("Negotiate", new SPNegoSchemeFactory(true));
        httpclient.setAuthSchemes(authSchemeRegistry);

        // The SPNEGO scheme does not use a password (the Kerberos credentials come
        // from JAAS/JGSS), but HttpClient still needs some Credentials object
        // registered for the scope, hence this empty placeholder for any scope.
        Credentials use_jaas_creds = new Credentials() {
            @Override
            public String getPassword() {
                return null;
            }

            @Override
            public Principal getUserPrincipal() {
                return null;
            }
        };
        httpclient.getCredentialsProvider().setCredentials(
                new AuthScope(null, -1, null), use_jaas_creds);

        HttpUriRequest request = new HttpGet(kerbHttpHost);
        HttpResponse response = null;
        HttpContext httpContext = createHttpContext(httpclient);
        try {
            response = httpclient.execute(request, httpContext);
            // BasicResponseHandler throws HttpResponseException for any status >= 300,
            // which is where the 407 "Proxy Authentication Required" surfaces.
            String s = new BasicResponseHandler().handleResponse(response);
            System.out.println(s);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    static HttpContext createHttpContext(DefaultHttpClient httpclient) {
        HttpContext context = new BasicHttpContext();
        context.setAttribute(ClientContext.AUTHSCHEME_REGISTRY, httpclient.getAuthSchemes());
        // Preference order when the proxy or server offers several challenges.
        context.setAttribute(ClientContext.AUTH_SCHEME_PREF,
                Collections.unmodifiableList(Arrays.asList(new String[] {
                        "negotiate", "ntlm", "digest", "basic" })));
        context.setAttribute(ClientContext.COOKIESPEC_REGISTRY, httpclient.getCookieSpecs());
        context.setAttribute(ClientContext.COOKIE_STORE, httpclient.getCookieStore());
        context.setAttribute(ClientContext.CREDS_PROVIDER, httpclient.getCredentialsProvider());
        return context;
    }
}
[libdefaults]
default_realm = TEST.LOCAL
dns_lookup_kdc = true
dns_lookup_realm = true
ticket_lifetime = 24h
default_keytab_name = /etc/squid3/proxy.keytab
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
#forwardable = true
#proxiable = true
[realms]
    TEST.LOCAL = {
        kdc = win-xtqhaqj5814.test.local
        admin_server = win-xtqhaqj5814.test.local
        default_domain = test.local
    }
[domain_realm]
.test.local = TEST.LOCAL
test.local = TEST.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};
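The debug output above proves a service ticket was issued, but not that it was issued for the right service: the AP-REQ that Krb5Context prints under "Created InitSecContextToken:" carries the Ticket in the clear apart from its enc-part, so the realm and sname (the SPN the client asked the KDC for) can be read straight out of the dump. If that SPN is not the one registered on the proxy's account, the proxy cannot decrypt the ticket and answers 407 whatever HttpClient's scheme state machine does. The following is an added example, not code from the post or from HttpClient: it decodes the SPN from a dump in that format. The dump it parses is a constructed fixture built in the block (realm and proxy host name taken from the post's source, enc-part and Authenticator zeroed), not the post's own dump; the helper names are mine.

```python
"""Read the SPN out of a KRB5 AP-REQ GSS token printed as a JGSS hex dump (added example)."""
import re

KRB5_TOK_ID_AP_REQ = b"\x01\x00"   # RFC 1964 / RFC 4121 TOK_ID for KRB_AP_REQ


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths up to 65535 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def integer(value: int) -> bytes:
    return der(0x02, bytes([value]))


def build_ap_req_token(realm: str, service: str, host: str) -> bytes:
    """Constructed fixture: AP-REQ token with a realistic plaintext layout and zeroed ciphertext."""
    sname = der(0x30, der(0xA0, integer(0))                  # name-type 0 (NT-UNKNOWN), as in the post's dump
                    + der(0xA1, der(0x30, der(0x1B, service.encode()) + der(0x1B, host.encode()))))
    enc_part = der(0x30, der(0xA0, integer(23))              # etype 23 = rc4-hmac, as in the post's dump
                       + der(0xA1, integer(2))               # kvno
                       + der(0xA2, der(0x04, bytes(48))))    # placeholder ciphertext
    ticket = der(0x61, der(0x30, der(0xA0, integer(5))        # tkt-vno
                              + der(0xA1, der(0x1B, realm.encode()))
                              + der(0xA2, sname)
                              + der(0xA3, enc_part)))
    authenticator = der(0x30, der(0xA0, integer(23)) + der(0xA2, der(0x04, bytes(16))))
    ap_req = der(0x6E, der(0x30, der(0xA0, integer(5))                          # pvno
                              + der(0xA1, integer(14))                         # msg-type KRB_AP_REQ
                              + der(0xA2, der(0x03, b"\x00\x20\x00\x00\x00"))   # ap-options: mutual-required
                              + der(0xA3, ticket)
                              + der(0xA4, authenticator)))
    return KRB5_TOK_ID_AP_REQ + ap_req


def to_jgss_dump(data: bytes) -> str:
    """Format bytes the way the Krb5Context debug trace prints the token."""
    lines = ["Created InitSecContextToken:"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}: {hexpart}  {text}")
    return "\n".join(lines)


_DUMP_LINE = re.compile(r"^\s*[0-9A-Fa-f]{4}:\s*(.*)$")
_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def hexdump_to_bytes(text: str) -> bytes:
    """Recover the token from dump lines; non-dump log lines are skipped.

    A line carries at most 16 bytes before the ASCII column, so at most 16 tokens are
    read and reading stops at the first non-hex token. (A short final line whose ASCII
    column starts with two hex digits would be misread; compare the byte count with the
    DER length in that case.)
    """
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if not _HEX_BYTE.fullmatch(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def fields(seq_body: bytes) -> dict:
    """Map context tags ([0]=0xA0, [1]=0xA1, ...) of a SEQUENCE body to their content."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, content, pos = tlv(seq_body, pos)
        out[tag] = content
    return out


def ap_req_service(token: bytes):
    """Return (realm, name_type, 'service/host') from the Ticket inside a KRB5 AP-REQ token."""
    if token[:1] == b"\x60":                # RFC 2743 InitialContextToken framing: drop the mech OID
        _, inner, _ = tlv(token)
        _, _, pos = tlv(inner)
        token = inner[pos:]
    if token[:2] != KRB5_TOK_ID_AP_REQ:
        raise ValueError("not a KRB5 AP-REQ token (TOK_ID != 01 00)")
    tag, ap_req, _ = tlv(token, 2)
    if tag != 0x6E:
        raise ValueError("expected APPLICATION 14 (AP-REQ)")
    ap = fields(tlv(ap_req)[1])
    tag, ticket, _ = tlv(ap[0xA3])
    if tag != 0x61:
        raise ValueError("expected APPLICATION 1 (Ticket)")
    tk = fields(tlv(ticket)[1])
    realm = tlv(tk[0xA1])[1].decode("ascii")
    pn = fields(tlv(tk[0xA2])[1])
    name_type = int.from_bytes(tlv(pn[0xA0])[1], "big", signed=True)
    names, parts, pos = tlv(pn[0xA1])[1], [], 0
    while pos < len(names):
        _, s, pos = tlv(names, pos)
        parts.append(s.decode("ascii"))
    return realm, name_type, "/".join(parts)


def check_proxy_spn(dump_text: str, proxy_host: str, service: str = "HTTP") -> dict:
    """Decode the dump and report whether the ticket names the proxy host (case-insensitive)."""
    realm, name_type, spn = ap_req_service(hexdump_to_bytes(dump_text))
    return {"realm": realm, "name_type": name_type, "spn": spn,
            "matches_proxy": spn.lower() == f"{service}/{proxy_host}".lower()}


PROXY_HOST = "proxyserver.test.local"   # proxy host name from the post's source
SAMPLE_DUMP = to_jgss_dump(build_ap_req_token("TEST.LOCAL", "HTTP", PROXY_HOST))  # constructed fixture

if __name__ == "__main__":
    print(SAMPLE_DUMP)
    print(check_proxy_spn(SAMPLE_DUMP, PROXY_HOST))
```

To use it on real output, paste the lines under "Created InitSecContextToken:" into SAMPLE_DUMP and pass the proxy host name from the HttpHost; the printed spn is what the KDC issued the ticket for, and it should be one of the SPNs listed for the proxy's account (setspn -L on the domain controller). The decoder only touches the plaintext part of the Ticket, so it never needs a key, and the ap-options and etype fields it passes over are the same ones the trace prints as "APOptions" and "EType".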