Hi,
Thank you very much for the reply.

I am using SPNEGO for silent authentication, referring to
https://www.jboss.org/community/docs/DOC-10680

Environment specification:

Server Machine: Microsoft Windows Server 2003 R2
    (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
KDC: Windows Server 2003 R2; in my case server and KDC are the same machine.
    (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
Client Machine: Microsoft Windows XP Professional
    (Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)


I basically followed the PDF user guide downloaded from the above link
(https://www.jboss.org/community/docs/DOC-10680).

User properties are in mail attachment (properties.jpg).

SPN setting:

C:\Program Files\Support Tools>setspn -l PASKTABSVR1
Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain 
Controllers,DC=wamtest,DC=wa,DC=local:
    HTTP/PASKTABSVR1.wamtest.wa.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
    GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
    HOST/PASKTABSVR1
    HOST/PASKTABSVR1.wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
    ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
    ldap/PASKTABSVR1
    ldap/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    DNS/PASKTABSVR1.wamtest.wa.local


Command used to create keytab file:

C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/[email protected] -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab



Login modules from JBoss (login-config.xml):
.
..
......
<application-policy name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">host/[email protected]</module-option>
            <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="SPNEGO">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
.....
..
.


As per the document, there are three tests (Attachment: Negotiation_test.jpg).

Results of test in my environment (test_results.jpg):

The first and second tests pass, i.e. the client browser gets the token, and in the
second test the host login module gets authenticated.
The final test, i.e. "secured", which is the integrated test of both client and
server, fails with the following exception:

Caused by: KrbException: Invalid argument (400) - Cannot find key of 
appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)


As per your mail I mapped a different SPN; I tried:

C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1       (lowercase pasktabsvr1)

But it didn't help; I got the same exception "Invalid argument (400) - Cannot find
key of appropriate type to decrypt AP REP - RC4 with HMAC".

Am I doing anything fundamentally wrong?

-Nagendra

-----Original Message-----
From: Thomas Maslen [mailto:[email protected]]
Sent: Saturday, March 14, 2009 7:21 PM
To: [email protected]
Cc: Krishnawat, Nagendra
Subject: Re: JBoss Negotiate

Let me guess...  you're probably running JBoss on a Windows machine that is 
joined to the Active Directory domain?

If so, then the problem is:  you have got your SPN mappings wrong.  (i.e. the 
hostname in the URL that you are using in the browser doesn't match any SPN 
mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to 
HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service 
object, so it doesn't use your service object.  If AD doesn't find an explicit 
SPN mapping for HTTP/foo.example.com, it implicitly maps HTTP/foo.example.com 
to the AD Computer object for foo.example.com (equivalently, 
HOST/foo.example.com).  This works nicely for Microsoft IIS but for other 
SPNEGO implementations it produces the rather nonobvious error that you are 
seeing at present.
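As an added illustration of the mechanism Thomas describes (not code from the thread, from JBoss or from Microsoft), the model below shows how an AD KDC picks the account whose key encrypts the service ticket: an explicit servicePrincipalName match wins, otherwise an HTTP/host request is folded into HOST/host and served from the computer object, and a service whose keytab belongs to some other account then cannot decrypt what the browser presents. The registration table is taken from the setspn -l output earlier in the thread; the computer account name PASKTABSVR1$, the foo.example.com scenario, the svc_jboss account and the reduced alias list are assumptions for the example. In AD the HOST aliasing is driven by the sPNMappings attribute of the Directory Service object, and servicePrincipalName values are matched case-insensitively.

```python
from urllib.parse import urlsplit

# Registrations from 'setspn -l PASKTABSVR1' above; the computer object's
# sAMAccountName PASKTABSVR1$ is assumed (the trailing $ is the AD convention).
COMPUTER_ACCOUNT = "PASKTABSVR1$"
SPN_REGISTRATIONS = {
    "HTTP/PASKTABSVR1.wamtest.wa.local": COMPUTER_ACCOUNT,
    "HOST/PASKTABSVR1": COMPUTER_ACCOUNT,
    "HOST/PASKTABSVR1.wamtest.wa.local": COMPUTER_ACCOUNT,
    "ldap/PASKTABSVR1.wamtest.wa.local": COMPUTER_ACCOUNT,
}

# Constructed scenario matching Thomas's foo.example.com description: the admin
# registered the HTTP SPN for a dedicated service account under a different name
# than the hostname users actually type.
EXAMPLE_COM_REGISTRATIONS = {
    "HTTP/jboss.example.com": "svc_jboss",
    "HOST/foo.example.com": "FOO$",
}

# Service classes AD folds into HOST when no explicit SPN matches.  The real
# list is the sPNMappings attribute; this subset is enough for the example.
HOST_ALIASES = {"http", "www", "ldap", "cifs", "rpc"}


def spn_for_url(url):
    """The browser asks the KDC for HTTP/<host exactly as typed in the URL>,
    port excluded, so a short name and an FQDN are different requests."""
    netloc = urlsplit(url).netloc.rsplit("@", 1)[-1]
    host = netloc.rsplit(":", 1)[0]
    return "HTTP/" + host


def resolve_spn(spn, registrations=SPN_REGISTRATIONS):
    """Return (account, how): which account's key the KDC will use for the
    service ticket, or (None, error) when no object claims the SPN."""
    by_lower = {k.lower(): v for k, v in registrations.items()}   # AD matches SPNs case-insensitively
    if spn.lower() in by_lower:
        return by_lower[spn.lower()], "explicit SPN"
    service, _, instance = spn.partition("/")
    if service.lower() in HOST_ALIASES:
        fallback = "host/" + instance.lower()
        if fallback in by_lower:
            return by_lower[fallback], "implicit via HOST/" + instance
    return None, "KDC_ERR_S_PRINCIPAL_UNKNOWN"


def ticket_decryptable(url, keytab_account, registrations=SPN_REGISTRATIONS):
    """True only if the account whose key the KDC used is the one whose keytab
    the service holds; otherwise the acceptor fails with a 'cannot find key'
    style error even though the browser happily obtained a ticket."""
    account, _ = resolve_spn(spn_for_url(url), registrations)
    return account is not None and account == keytab_account


if __name__ == "__main__":
    for url in ("http://PASKTABSVR1.wamtest.wa.local:8080/secured/",
                "http://pasktabsvr1/secured/",
                "http://10.1.2.3/secured/"):
        spn = spn_for_url(url)
        print(url, "->", spn, "->", resolve_spn(spn))
    print("keytab for svc_jboss, user types foo.example.com:",
          ticket_decryptable("http://foo.example.com/", "svc_jboss", EXAMPLE_COM_REGISTRATIONS))
```

The last line reproduces the situation in Thomas's reply: the KDC issues a ticket under HOST/foo.example.com with the computer account's key, so a keytab cut for svc_jboss can never open it, and the only fix on the AD side is an explicit SPN for the hostname the browser actually uses.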


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos