Hi Benjamin,
When I obtain kerberos credentials using Network Identity Manager on Win7
against debian kdc I get dialog that kerberos 4 related credential not
fetched. I see the ticket for krb5 in manager.
The logs show below:
==> krb5kdc.log <==
Oct 11 10:28:19 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 192.168.1.225: NEEDED_PREAUTH: [email protected] for
krbtgt/[email protected], Additional pre-authentication required
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1
3 2}) 192.168.1.225: ISSUE: authtime 1349931500, etypes {rep=18 tkt=18 ses=18},
[email protected] for krbtgt/[email protected]
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1})
192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0, [email protected] for
krbtgt/[email protected], KDC has no support for encryption type
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1})
192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0, [email protected] for
krbtgt/[email protected], KDC has no support for encryption type
sspi is I guess not really making any difference. I set to false or true I see
below wherein principal is anonymousUser may be just created since it cannot
find any passed. I expect msm being passed.
==> catalina.out <==
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from:
'/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml';
pattern is /deny.xhtml; matched=false
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from:
'/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml';
pattern is /**; matched=true
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 1 of
8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No HttpSession
currently exists
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No
SecurityContext was available from the HttpSession: null. A new one will be
created.
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 2 of
8 in additional filter chain; firing Filter:
'SpnegoAuthenticationProcessingFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 3 of
8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 4 of
8 in additional filter chain; firing Filter:
'SecurityContextHolderAwareRequestFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 5 of
8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
10:10:39 DEBUG authentication.AnonymousAuthenticationFilter - Populated
SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a:
RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities:
ROLE_ANONYMOUS'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 6 of
8 in additional filter chain; firing Filter: 'SessionManagementFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 7 of
8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 8 of
8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource -
Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to:
'/supervisor_teller.xhtml'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource -
Candidate is: '/supervisor_teller.xhtml'; pattern is /secure/extreme/**;
matched=false
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource -
Candidate is: '/supervisor_teller.xhtml'; pattern is /supervisor_teller.xhtml;
matched=true
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Secure object:
FilterInvocation: URL: /supervisor_teller.xhtml; Attributes: [ROLE_TELLER,
ROLE_SUPERVISOR]
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated:
org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details:
org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a:
RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities:
ROLE_ANONYMOUS
10:10:39 DEBUG vote.AffirmativeBased - Voter:
org.springframework.security.access.vote.RoleVoter@1531252, returned: -1
10:10:39 DEBUG vote.AffirmativeBased - Voter:
org.springframework.security.access.vote.AuthenticatedVoter@d7f248, returned: 0
10:10:39 DEBUG access.ExceptionTranslationFilter - Access is denied (user is
anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at
org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
10:10:39 DEBUG savedrequest.HttpSessionRequestCache - DefaultSavedRequest added
to Session:
DefaultSavedRequest[http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml]
10:10:39 DEBUG access.ExceptionTranslationFilter - Calling Authentication entry
point.
10:10:39 DEBUG web.SpnegoEntryPoint - Sending back Negotiate Header for
request: http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - SecurityContext
is empty or anonymous - context will not be stored in HttpSession.
10:10:39 DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder
now cleared, as request processing completed
________________________________
From: miten mehta <[email protected]>
To: Benjamin Kaduk <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Thursday, October 11, 2012 10:23 AM
Subject: Re: kerberos / spnego
Hi,
I am using MIT kerberos both on debian and windows downloaded from
http://www.kerberos.org/software/index.html.
Regards,
Miten.
________________________________
From: Benjamin Kaduk <[email protected]>
To: miten mehta <[email protected]>
Cc: "[email protected]" <[email protected]>
Sent: Thursday, October 11, 2012 1:24 AM
Subject: Re: kerberos / spnego
On Wed, 10 Oct 2012, miten mehta wrote:
> Hi Benjamin,
>
> I configured firefox for no sspi and also added domain primesystems.com
I do not remember seeing you specify what kerberos implementation you are
using. SSPI should only be disabled in some situations, and I don't know which
situation you are in.
-Ben Kaduk
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
