Spring Security Kerberos/SPNEGO Extension

74 responses

Kai Virkki says:
Added on September 28th, 2009 at 5:56 am

This is great news! We've been fighting with the buggy jcifs NTLM implementation for years and really welcome a Kerberos solution for Windows SSO!!
Risom says:
Added on October 8th, 2009 at 11:45 pm

As mentioned in the API that it work fine with JAAS implementation of SUN. What should I be doing if I have to use it in websphere with IBM jre.
Mike Wiesner (blog author) says:
Added on October 9th, 2009 at 3:38 am

@Risom Currently you can't use it with a IBM JVM. The code which is dependent on the Sun JVM is already separated, but in M1 we don't have an implementation which works on a IBM JVM. I've created a JIRA issue for this, so that you (and others) can follow the progress: https://jira.springsource.org/browse/SES-15
Risom says:
Added on October 9th, 2009 at 4:50 am

Hello Mike Wiesner this blog was awesome! cheers …
dominikz says:
Added on October 15th, 2009 at 9:44 am

I'm having trouble with running the sample. I use kerberos from MIT on Linux and a Tomcat 6.0 on Windows. When I try to deploy the webapp on the server I get the following error:

Key for the principal HTTP/web.springsource.com@GENIJUSZ.ORG not available in file:/D:/Java/Tomcat 6.0/webapps/kerberos/WEB-INF/classes/http-web.keytab

On the other hand

$ /cygdrive/c/Java/jdk1.6.0_11/bin/klist.exe -f -k http-web.keytab

Key tab: http-web.keytab, 2 entries found.

[1] Service principal: HTTP/web.springsource.com@GENIJUSZ.ORG
KVNO: 3
[2] Service principal: HTTP/web.springsource.com@GENIJUSZ.ORG
KVNO: 3

I understand that this probably not the extension issue, but a JAAS issue. But anyway your help would be nice. Is there a way to verify if the key is actually available in the keytab? Does the domain name (web.springsource.com) matter? (should I use a different one)
TP says:
Added on November 5th, 2009 at 7:11 pm

Hi,

I'm running into some issues when i tried to run the sample SSO app from spring security v3. Getting the following exception during the server startup,

Key for the principal HTTP/uname.company.com@COMPANY.COM not available in file:/C:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/spring-security-kerberos-sample-1.0.0.M1/WEB-INF/classes/http-web.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user

I have the web.keytab placed under the above mentioned path and the keytab file was generated in a windows server.

I'm using Tomcat 6 and JDK 1.6.0_06.

-TP
dominikz says:
Added on November 6th, 2009 at 1:53 am

I was running into the same trouble. I've had MIT KDC and what helped was adding these encryption algorithms (rc4-hmac:normal,des-cbc-crc:normal) when generating principals in KDC

addprinc -x containerdn=o=Novell -e rc4-hmac:normal,des-cbc-crc:normal -pw password host/testworkstation.kerberos.yourcompany.com

When I tried it with the default one, or only with des-cbc-crc:normal it was not working. Since it is Java that tries to read the keytab, I presume that it may also help in your case.

One more thing. Just as is said on this page – there is far greater probability that you have your kerberos setup wrong rather than there's something wrong in the spring library. The following articles helped me with clearing my kerberos setup:

http://www.novell.com/documentation/zenworks7/dm7admin/?page=/documentation/zenworks7/dm7admin/data/b5czc1w.html
http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
http://sial.org/howto/kerberos/windows/
Mike Wiesner (blog author) says:
Added on November 10th, 2009 at 2:19 am

@TP: The JAAS Kerberos module, which is used inside, seems to have problems with loading the keytab from a path which includes whitespaces. I've created a JIRA issue for that: https://jira.springsource.org/browse/SES-19.
Mike Wiesner (blog author) says:
Added on November 10th, 2009 at 2:34 am

@Dominikz: Microsoft also provides some help for setting up Kerberos/SPNEGO in an Active Directory environment. It can be found here: http://msdn.microsoft.com/en-us/library/ms995329.aspx
TP says:
Added on November 10th, 2009 at 5:14 pm

@Mike : Thanks for information. The "authentication failed" issue was resolved once I updated the keytab file's location path not to include any spaces in the referred directory names.
Joe Khoobyar says:
Added on November 11th, 2009 at 3:06 pm

Mike,

You may want to consider leveraging Microsoft Windows SSPI for native Kerberos/SPNEGO. This forgoes the need for using KTPASS, works seamlessly in complex cross-forest authentication scenarios, and is critical for full single sign-on integration when your organization uses a more "Microsoft centric" Kerberos solution… such as Centrify.

About a month ago, I successfully integrated an SSPI Kerberos implementation into JSch (a Java SSH client), and Net::SSH::Kerberos (a ruby gem that extends Net::SSH with kerberos functionality).

I'm more than willing to lend a hand if you'd find such an enhancement potentially useful.
Vandana says:
Added on November 17th, 2009 at 12:44 pm

Hi Mike,

Thanks alot for your efforts!!! this stuff is of great help.

I tried deploying the sample on tomcat 6 and made required changes for the service principal and keytab
I don't understand this error, could you please give any solution or share you thoughts on this.
this is from Tomcat logs.

Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied

Thanks in Advance!!

Vandana
Nikolay says:
Added on December 13th, 2009 at 2:02 pm

Hi Mike,

I wonder if I can specify the path to the keytab file to be something like "/etc/krb5.keytab".
I'm running two websites on my PC, and have chosen Kerberos for cross-site authentication.
I think, I can handle registration by calling shell script "kadmin … add username …".
What do you think could be the best practice to combine your Spring Kerberos authentication module and the registration procedure?
If, say, the registration code creates a new principal using kadmin and updates the "/etc/krb5.keytab", will the new user be able to immediately authenticate through your Spring Kerberos authentication module?
I.e. will it reload the new keytab content?
Can I point it to an arbitrary location on the disk? (because it's gonna be used by several web-apps)
Nikolay says:
Added on December 24th, 2009 at 3:01 pm

I get this error:

Access is denied (user is anonymous); redirecting to authentication entry point

org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
peter says:
Added on January 20th, 2010 at 7:11 pm

Hi Mike,

I get the following error

Authentication attempt using org.springframework.security.extensions.kerberos.Ke
rberosServiceAuthenticationProvider
Try to validate Kerberos Token
Checksum failed !
Negotiate Header was invalid:

I assume that there is something wrong with my Kerberos set up, but not clear on where to look.

any pointers would be appreciated!
Rizwan says:
Added on January 21st, 2010 at 7:19 pm

I am using the sample provided above and I am getting the following exception:

Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decryp
t AP REP – RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.j
ava:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.j
ava:125)
… 22 more
Caused by: KrbException: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
at sun.security.krb5.KrbApReq.(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
… 30 more

I am using the following:
- Jdk 1.6,
- Oracle Weblogic server 10.3,
- Active Directory 2003; AD only uses DES-CBC-CRC or DES-CBC-MD5 (by default) encryption and I can't change to RC4 that my Server requires.

Can anyone help how can I force to use DES encryption?

How can I change the encryption to DES in my application.
Arve says:
Added on February 1st, 2010 at 11:22 am

Hi,
I have tested on a Mac 10.6, running Kerberos on a virtual Ubuntu. Works like a dream.

My vote for Spring Security Kerberos/SPNEGO Extension.
Rizwan says:
Added on February 4th, 2010 at 6:40 pm

Yes the problem is finally resoloved. That was a 3 steps process:

1. I recreated the user
2. The setspn was called before ktpass commmand. It looks like setspn is not required as ktpass command does the job for you
3. I was using a service principal appending my domain name like HTTP/pc43433.mydomain but it suppose to be HTTP/pc43433
Arve says:
Added on February 5th, 2010 at 7:15 am

To use SX Spring Security Extension version 1.0.0.M1, my experience is:
- In the security.xml: "…/spring-security-3.0.xsd" says "BASIC_PROCESSING_FILTER" is not valid, but "…/spring-security-2.5.xsd" says it is.
- Spring security version 3.0.1 gives me "java.lang.NoSuchMethodError in constructor of KerberosServiceRequestToken" as Harald Radi (https://jira.springsource.org/browse/SES-29) experienced.
– To define authorities: Collection authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
- Spring security version 3.0.0.M2 is OK combination.
– To define authorities: List authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
ukdavo says:
Added on February 8th, 2010 at 12:38 pm

I'm getting the following error with Spring Security 3.0.1:

"org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from ServletContext resource [/WEB-INF/spring/security-config.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-enumeration-valid: Value 'BASIC_PROCESSING_FILTER' is not facet-valid with respect to enumeration '[FIRST, CHANNEL_FILTER, CONCURRENT_SESSION_FILTER, SECURITY_CONTEXT_FILTER, LOGOUT_FILTER, X509_FILTER, PRE_AUTH_FILTER, CAS_FILTER, FORM_LOGIN_FILTER, OPENID_FILTER, BASIC_AUTH_FILTER, SERVLET_API_SUPPORT_FILTER, REMEMBER_ME_FILTER, ANONYMOUS_FILTER, EXCEPTION_TRANSLATION_FILTER, SESSION_MANAGEMENT_FILTER, FILTER_SECURITY_INTERCEPTOR, SWITCH_USER_FILTER, LAST]'. It must be a value from the enumeration."

Any suggestions?
Arve says:
Added on February 8th, 2010 at 1:02 pm

ukdavo, my suggestion is, as said 5. feb.: Spring Security Extension version 1.0.0.M1 is OK with Spring security version 3.0.0.M2.
ukdavo says:
Added on February 9th, 2010 at 6:27 am

Thanks for your help. Using Spring Security 3.0.0 M2 seems to have helped in that I'm further than I was before. Unfortunately, I now get an IllegalArgumentException – it can't find the file C:\Windows\krb5.ini. This file doesn't exist – do I have to create one? I'm running everything on a Windows Server 2003 VM that's been set up as a PDC.
ukdavo says:
Added on February 9th, 2010 at 10:18 am

@Arve – I created the krb5.ini so I've got a little further. It looks like IE is sending a NTLM token instead of a Kerberos token. I added the site into the Intranet zone so I'm not sure what's going on. Thanks for your help anyway. I'll keep Googling for an answer.
Aaron Douglas says:
Added on February 9th, 2010 at 12:00 pm

Mike – How does this plugin work with a load-balanced environment? I've never used Kerberos before and I'd like to set this up on an app I'm running. The issue is, the app may be running on multiple servers. Can I have my sys admins add multiple service principals to the same Windows user, one for each fully qualified server name? What if all the servers are behind a single proxy load balancer? Thanks for your help!
Peter Mularien says:
Added on February 9th, 2010 at 1:43 pm

@ukdavo
"I'm running everything on a Windows Server 2003 VM that's been set up as a PDC."
You MUST have the browser client on a separate machine, otherwise it will always use NTLM.
ukdavo says:
Added on February 9th, 2010 at 1:49 pm

Thanks Peter. I just spotted your advice on the Spring Extensions forum. Time to set up a new VM I guess!
Grant says:
Added on February 22nd, 2010 at 11:01 pm

I got this error:

Received Negotiate Header for request :
Negotiate TlRMTV
NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed

Any help? Thanks.
Peter says:
Added on February 22nd, 2010 at 11:03 pm

Received Negotiate Header for request http://w0024e8db674a.oceania.corp.anz.com:8080/spring-security-kerberos-sample-1.0.0.M1/secure/index.jsp: Negotiate TlRMTV
NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed
ukdavo says:
Added on February 24th, 2010 at 5:21 pm

Just wanted to say thanks for a great addition to Spring. I got it to work once I followed Peter Mularien's advice.

Peter/Grant – it looks like you've got the same problem that I had. It looks like you're presenting NTLM tokens (see http://appliedcrypto.com/spnego/qa.html) instead of Kerberos tokens. Apparently, IE will use NTLM if the client and server are the same machine.
norm says:
Added on March 2nd, 2010 at 3:27 am

Always got GSSException "Checksum failed" when validating Ticket sent back from Windows Server 2008 against Keytab file produced by ktpass. The only thing that worked for me was recreating keytab file with ktab.exe provided by JDK on windows installation
Clarence says:
Added on March 3rd, 2010 at 12:54 pm

@norm – I had the same problem with Windows Server 2003, and the only solution that worked for me was ktab, as you described.

Anybody know why this error occurs with the keytab produced by ktpass?
ukdavo says:
Added on March 3rd, 2010 at 4:16 pm

@Clarence @norm

I had similar problems but found that they disappeared when I changed the command parameters as per http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration. I also followed their suggestions re the "Use DES encryption types for this account" and "Do not require Kerberos preauthentication" options. I've no idea if this will help you but it seemed to work for me.
Kianoosh says:
Added on March 29th, 2010 at 10:01 pm

what ptype should be used for setting the spn? I get this from ktpass:
"KTPASS: Could not determine the correct principal type.
If this keytab is intended for a computer account, please use /ptype KRB5_NT_SRV_HST
If this keytab is intended for a user account, please use /ptype KRB5_NT_PRINCIPAL"
ukdavo says:
Added on April 16th, 2010 at 4:06 am

Can this be used to get back role information similar to the ldap provider? – e.g. membership of AD groups.
Rhys Parsons says:
Added on April 20th, 2010 at 10:51 am

Here's what worked for me (it took me 2.5 days to sort this out!).

1. Use Mike's config exactly as it is (except, obviously, changing domain names, etc) especially wrt capitalisation and using FQDN.
2. Use Mike's example of ktpass exactly as it is. You can specify /ptype KRB5_NT_PRINCIPAL if you like, but trying any value for /crypto just didn't work for me.
3. Set up the Java System properties java.security.krb5.kdc AND java.security.krb5.realm to be the fully-qualified name of your Domain Controller and your domain (fully-qualified) in captials.
4. Make sure Internet Explorer in your client thinks that the server is in its Intranet! Don't use the server as a client!
5. For your Service Principal and any users you want to authenticate, in the Account options, disable 'Use Kerberos DES…', enable 'This account supports Kerberos AES 128 bit…', enable 'This account supports Kerberos AES 256 bit…' and disable 'Do not require Kerberos preauthentication'.
6. If you are outside the US, you may need to download the full support for AES 256-bit encryption. Look it up.

In the test system I set up, the domain was vbis.security.local. The Windows Server 2008 machine was called chekov. So the values for the properties were:

java.security.krb5.kdc=chekov.vbis.security.local
java.security.krb5.realm=VBIS.SECURITY.LOCAL

Some mistakes I made:

I messed around with so many different settings without knowing what was what that I kept tripping over previous dead-end attempts. I recommend deleting and re-creating the Service Principle if things don't go your way (and then, of course, re-running ktpass and setting up the AES security as specified in step 5).

Hope this helps someone. I can't guarantee it'll work for you!

Good luck!
Rhys Parsons says:
Added on April 26th, 2010 at 7:44 am

Would like to see SpnegoAuthenticationProcessingFilter extend AbstractAuthenticationProcessingFilter.
Nicholas Irving says:
Added on May 16th, 2010 at 7:18 pm

Figured out how to make this work with WebSphere 5.1 with some changes to KerberosValidateAction, and potentially there is a single line fix for 6.1+, so check out the Jira for this update, https://jira.springsource.org/browse/SES-15
Luke says:
Added on June 15th, 2010 at 12:03 am

Hi,

I need to authenticate against AD with a token. How can I acquire a token that has been generated for a user and use this token to authenticate/validate…? I am attempting to implement a SSO process that does authentication via a web service.

My WS needs to acquire a token for the user that is currently logged in. It then passes this token to an external WS which will use this token to authenticate against AD and return either success or failure…

Any help much appreciated…

Luke.
Savvas Andreas says:
Added on June 15th, 2010 at 5:13 am

Hello,

Does anyone know how the mapping for the normal users of the application takes place? The ktpass tool will map a user (e.g. server.user@domain.com) with a Service Principal (e.g. http/web.fully.qualified.name) and this user, to my understanding, will be used by the application server to authenticate itself.
But then later on after getting the SPNEGO header from the client it will try to authenticate the attempted user's principal contained within the SPNEGO header. If say, the attempted user is someone@domain.com and the service principal name is http/web.fully.qualified.name *how* or *when* does that mapping take place?

Regards,
Savvas.
Akshay says:
Added on August 9th, 2010 at 10:13 am

i
I am following the exact steps as mentioned in spring security kerberos tuorial but I seem to get the following error when validating kerberos toeke :
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….

Any pointers how to resolve this error?

Thanks
davetbo says:
Added on August 31st, 2010 at 10:32 am

@TP, @dominikz and others

I banged my head against the wall all morning trying to solve the "LoginException: Unable to obtain password from user" problem. The solution ended up being that you MUST USE the SUN java. I was previously using java-1.6.0-openjdk-1.6.0.0-1.13.b16.el5 on Centos 5.4. I switched to use Sun
jdk1.6.0_21 and it started working immediately. You can follow instructions here to get the Sun java working: http://chrisschuld.com/2008/10/installing-sun-java-on-centos-5-2/ (this says Centos 5.2 but it worked for me on 5.4).

Best,
Dave
Jason says:
Added on October 26th, 2010 at 5:42 am

Got this working after a while…

However, does anyone know if I can use this authenticated context to perform an LDAP lookup for the user? I.e. I don't want to have a username/password sat in an XML file somewhere.

Basically, I want the user to login seemlessly, (which now works) then have access tro certain resources given the groups they have, Spring LDAP seems to want me to place a username and password in an XML file for a AD user.

I am aware of the UserDetailsService but can find no sensible example/documentation to use in this context.

Many Thanks
ukdavo says:
Added on October 26th, 2010 at 6:09 am

Just thinking aloud – perhaps you could search AD/LDAP via LdapTemplate for the sAMAccountName (i.e. the authenticated username).
Zoharat says:
Added on February 17th, 2011 at 12:13 pm

I am following the exact steps as mentioned in spring security kerberos tuorial but I seem to get the following error when validating kerberos toeke :
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….

We have a windows 2000 server.
Zoharat says:
Added on February 17th, 2011 at 12:14 pm

I am following the exact steps as mentioned in spring security kerberos tuorial but I seem to get the following error when validating kerberos toeke :
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….

Any pointers how to resolve this error?

Thanks
Savvas Andreas Moysidis says:
Added on February 20th, 2011 at 4:08 pm

Hi Zoharat,

If I remember right, this error means that you are specifying a different encoding type in your krb5.ini file than the one you are using in your ktpass command.

Regards,
- Savvas
lipman says:
Added on February 21st, 2011 at 9:53 pm

after several days struggling, it is finally working perfectly. KDC is windows 2008 R2, and
both RC4-hmac and AES256-CTS-HMAC-SHA1-96 are working.

my initial problem is that rc4-hmac is working but, AES256 is failed with checksum failed error. As the same ktab file is used, I'm really confused. after 3 days struggling, I realized that domain name was not specified correctly, RC4-HMAC is case insensitive, but AES256 is. so have to follow the Mike's instructions exactly, use the uppercase for the domain.
Zoharat says:
Added on February 22nd, 2011 at 10:00 am

So we finally got it to work on Windows 2008 as well as Windows 2000.

Steps

1. Create me an active directory user as follows…
username = http-myservice.com
password = test
rules – deactivate the option 'User must change password at next logon' and activate 'Password never expires'
— This user will be the user for the server (or the service provider) and will basically authenticate the server to the active directory so that the two of them can communicate. This is NOT a 'real' user in that it's not mapped to a human being.

2. Run ktpass for this user to create a keytab file…
ktpass /out http-web.keytab /mapuser http-myservice.com@ /princ HTTP/.@ /pass test

where….
/out http-web.keytab – this directs the output of this ktpass command to write a file named 'http-web.keytab"

/mapuser http-myservice.com@
– this does a few things…
– the domain name MUST be in upper case
– http-myservice.com is the user that we've created specifically for the server. Again, this isn't a 'real' user.

/princ HTTP/.@
– three things to note here…
– all things in upper case
– This is the server that the service will be running on…
– The domain of the active directory

/pass test – basically, who cares what the password is…but we don't want it to prompt us, so create a password for this server/service provider user.
Dreamer says:
Added on March 10th, 2011 at 8:57 pm

Where does on add the krb5.ini file (defining realms and domain_realms).

Or aren't krb5.ini files required for SPNEGO Extension?

Thanks.
Savvas Andreas Moysidis says:
Added on March 17th, 2011 at 12:31 pm

Hello,

The krb5.ini *is* required and should be placed under C:\Windows\
Sophia says:
Added on April 7th, 2011 at 3:21 am

Hi,
I get the following error. Any help is appreciated.

WARNING: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:134)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:165)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
… 23 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
… 26 more
ukdavo says:
Added on April 7th, 2011 at 5:38 am

@Sophia – that looks like an NTLM token. Is the server and client one and the same? or is the target website shown to be in the Internet zone in IE?
Shashank Jain says:
Added on April 11th, 2011 at 11:20 pm

Is there a way for web service client written in java to generate SPNEGO tokens.
We need to be able to allow web services client to authenticate using the kerberos mechanism
Zoharat says:
Added on June 9th, 2011 at 4:18 pm

As per Mike , we must specify the fully qualified domain name when accessing out application.

IN our case we do have the KDC_NAME=TSTVMWIN2K8R2.MARVEL.LOCAL and the REALM=MARVEL.LOCAL set as jvm properties.

But when we type in the full URL i.e http://TSTVMWIN2K8R2.MARVEL.LOCAL:9080/application/index.html we get a NT auth screen. Why???
James says:
Added on June 29th, 2011 at 11:31 am

I was looking at spnego.sourceforge.net last night and they have some really good comprehensive documentation & testing steps. Much of that can be applied here as it discusses the steps for setting up kerberos auth very well. Much of what they have there can be used here as well.
Stas says:
Added on July 4th, 2011 at 6:48 am

I am getting the following exception:
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
… 28 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
… 31 more
Caused by: KrbException: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:263)
at sun.security.krb5.KrbApReq.(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
… 39 more
Savvas Andreas says:
Added on July 5th, 2011 at 8:54 am

@Stas this could be caused because of a mismatch between the encoding type you used to generate the keytab file and the encoding specified in krb5.ini
Stas says:
Added on July 5th, 2011 at 12:55 pm

The exception causes only if a client OS is Windows XP. If the OS is Windows 7 the application runs fine.
My keytab file encoding type is rc4–hmac. Does the WinXP support it?
Stas says:
Added on July 6th, 2011 at 5:42 am

And also I have a trouble with Firefox 5:

network.negotiate-auth.delegation-uris = .example.com
network.negotiate-auth.trusted-uris = .example.com

Application runs and:

…
Filter 'springSecurityFilterChain' configured successfully
Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
Candidate is: '/index.jsp'; pattern is /**; matched=true
/index.jsp at position 1 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@38facfb'
No HttpSession currently exists
No SecurityContext was available from the HttpSession: null. A new one will be created.
/index.jsp at position 2 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4d8dfa76'
/index.jsp at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@243680c1'
/index.jsp at position 4 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@763f1179'
/index.jsp at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@26945b95'
/index.jsp at position 6 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5caccd65'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90550640: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 10.99.22.52; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
/index.jsp at position 7 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@54e0d16b'
/index.jsp at position 8 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@73d4f355'
/index.jsp at position 9 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@21b38cdc'
Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
Candidate is: '/index.jsp'; pattern is /secure/**; matched=false
Public object – authentication not attempted
/index.jsp reached end of additional filter chain; proceeding with original chain
Chain processed normally
SecurityContext contents are anonymous – context will not be stored in HttpSession.
SecurityContextHolder now cleared, as request processing completed
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
/secure/index.jsp at position 1 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@38facfb'
HttpSession returned null object for SPRING_SECURITY_CONTEXT
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@962e703. A new one will be created.
/secure/index.jsp at position 2 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4d8dfa76'
/secure/index.jsp at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@243680c1'
/secure/index.jsp at position 4 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@763f1179'
/secure/index.jsp at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@26945b95'
/secure/index.jsp at position 6 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5caccd65'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 10.99.22.52; SessionId: 74B9B91130584184F9C203317F8F3A17; Granted Authorities: ROLE_ANONYMOUS'
/secure/index.jsp at position 7 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@54e0d16b'
/secure/index.jsp at position 8 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@73d4f355'
/secure/index.jsp at position 9 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@21b38cdc'
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 10.99.22.52; SessionId: 74B9B91130584184F9C203317F8F3A17; Granted Authorities: ROLE_ANONYMOUS
Voter: org.springframework.security.access.vote.RoleVoter@3c2c7ac5, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@c303a60, returned: -1
Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:286)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:272)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1730)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
DefaultSavedRequest added to Session: DefaultSavedRequest[http://example.com:8080/spring-security-kerberos-sample-1.0.0.M2/secure/index.jsp]
Calling Authentication entry point.
Sending back Negotiate Header for request: http://example.com:8080/spring-security-kerberos-sample-1.0.0.M2/secure/index.jsp
SecurityContextHolder now cleared, as request processing completed

I guess that Firefox should show the login form, but it doesn't…
Savvas Andreas says:
Added on July 6th, 2011 at 6:23 am

@Stas we had the exact same problem but in reverse order everything worked fine in XP environments but failed in Windows 7 ones..

After some investigation, we discovered that Windows 7 has dropped the, by default, support for the DES option and as we had been generating our keytab files using the DES-Only option the W7 workstations didn't like that..

As currently the number of our W7 users is limited, we just applied this patch http://technet.microsoft.com/en-us/library/ff646918(WS.10).aspx to all W7 machines and it fixed the problem.

Hope that helps,
Savvas.
Stas says:
Added on July 6th, 2011 at 9:28 am

@Savvas Andreas thank you very much
Java Coder says:
Added on July 12th, 2011 at 3:12 pm

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

How to fix it?

Thanks
Stas says:
Added on July 12th, 2011 at 4:40 pm

@Java Coder if you use Windows, your client and server should be separate machines. If you use AD, client and server should be in the same domain. Also you need to configure a client browser:
IE – http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html#1101398
Firefox – http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
Time on the client and on the server shouldn't differ strongly

PS I still have not solved the problem with Firefox (it doesn't work for me)
PPS Sorry for my terrible english
jk says:
Added on July 25th, 2011 at 12:03 pm

Is there a new milestone out there for the client side?
Tul says:
Added on September 21st, 2011 at 1:06 am

Hi,
I studied entire discussion and I'm still getting 'GSSHeader did not find the right tag' followed by 'Negotiate TlRM…' which I believe means that the browser sends ntlm instead of kerberos. KDC, App and client are all running on seperate machines. Browsers look to be configured properly, kinit gets ticket with no problem, keytab is generated, spn is set to HTTP/…
So what else get cause such problems?
KDC is running on WinServer 2003, app on WinXp and client on Win7.
ukdavo says:
Added on September 21st, 2011 at 3:27 am

What zone is the website in? Internet zone? Intranet zone? If the latter, NTLM will be used.
Tul says:
Added on September 21st, 2011 at 4:47 am

It's in intranet zone. The browser is IE9 but I also tried IE7, 6 and firefox
Tul says:
Added on September 21st, 2011 at 5:42 am

Now I tried to deploy app on linux tomcat and I get 'javax.security.auth.login.LoginException: Unable to obtain password from user' on server startup with no corresponding '[key] not available in [keytab]' message. Keytab is generated using java 1.5 ktab. I generated it in the same way previously on windows server and spring read the principals successfully.
Nick says:
Added on September 23rd, 2011 at 2:13 am

Hi,

Can anyone tell me where the repository was moved to? http://maven.springframework.org/milestone seems not to be working anymore… And is 1.0.0.M1 still the current version?

Thanks a lot for your responses.
Zoharat says:
Added on October 3rd, 2011 at 10:20 am

Tul,

Were you able to figure out why NTLM token were being generated, we have done all the verifcations i.e.
1>Server client on separate machines
2>Site listed in Intranet sites.
3>Using the URL as http://:/application
4>kinit also seems to work.

But still the header contains NTLM tokens.
Zoharat says:
Added on October 3rd, 2011 at 10:22 am

Tul,

Were you able to figure out why NTLM token were being generated, we have done all the verifcations i.e.
1>Server client on separate machines
2>Site listed in Intranet sites.
3>Using the URL as http://:/application
4>kinit also seems to work.

But still the header contains NTLM token.
Tul says:
Added on October 3rd, 2011 at 12:02 pm

Zoharat,
In my case it was a matter of bad kvno in keytab. Unfortunately I can't give you a recipe as the admin fixed that, not me. He said that some kind of example app of Apache Kerberos helped him a lot as it gives much better error information.
At least you have a hint.
Zoharat says:
Added on October 3rd, 2011 at 12:08 pm

So simply specifying a kvno value fixed the NTLM token issue you observed Windows?
Aurelien says:
Added on October 10th, 2011 at 4:19 am

Could it be possible to use Spring Security Kerberos Extension with multiple domains (on separate forests with a two-way forest trust) by merging keytab files ?

7 trackbacks

View all pings & trackbacks

Search

Authors

Categories

Websites

Archives

Spring Security Kerberos/SPNEGO Extension

Kerberos/SPNEGO

Creating service principal with Microsoft Windows 2008 Server

Creating service principal with MIT Kerberos

Configuring Spring Security

Similar Posts

Other posts

74 responses

Kai Virkki says:

Risom says:

Mike Wiesner (blog author) says:

Risom says:

dominikz says:

TP says:

dominikz says:

Mike Wiesner (blog author) says:

Mike Wiesner (blog author) says:

TP says:

Joe Khoobyar says:

Vandana says:

Nikolay says:

Nikolay says:

peter says:

Rizwan says:

Arve says:

Rizwan says:

Arve says:

ukdavo says:

Arve says:

ukdavo says:

ukdavo says:

Aaron Douglas says:

Peter Mularien says:

ukdavo says:

Grant says:

Peter says:

ukdavo says:

norm says:

Clarence says:

ukdavo says:

Kianoosh says:

ukdavo says:

Rhys Parsons says:

Rhys Parsons says:

Nicholas Irving says:

Luke says:

Savvas Andreas says:

Akshay says:

davetbo says:

Jason says:

ukdavo says:

Zoharat says:

Zoharat says:

Savvas Andreas Moysidis says:

lipman says:

Zoharat says:

Dreamer says:

Savvas Andreas Moysidis says:

Sophia says:

ukdavo says:

Shashank Jain says:

Zoharat says:

James says:

Stas says:

Savvas Andreas says:

Stas says:

Stas says:

Savvas Andreas says:

Stas says:

Java Coder says:

Stas says:

jk says:

Tul says:

ukdavo says:

Tul says: