Spring Security Kerberos/SPNEGO Extension

We're pleased to announce that the first milestone of the Spring Security Kerberos Extension is now available for download. The release is also available through the Maven milestone repository at http://maven.springframework.org/milestone. With the Spring Security Kerberos Extension, your users are authenticated against your web application just by opening the URL. There is no need to enter a username/password and no need to install additional software.
Before going deeper into Kerberos, I would like to introduce Spring Security Extensions, a new Spring Extension project dedicated to providing extension modules for the core Spring Security project. Currently we have two extensions developed there: a SAML2 integration and a Kerberos/SPNEGO integration. Every module will have its own release cycle, so that people can benefit from these extensions as soon as they are ready and don't have to wait for the next Spring Security release. If you have any ideas or even some code for further extensions, please tell us!
Kerberos/SPNEGO
In the first milestone of this module we provide you with an out-of-the-box Kerberos/SPNEGO solution for web applications. Kerberos is a standardized network authentication protocol, designed to provide strong authentication for client/server applications, like web applications where the browser is the client. It is also the recommended way to authenticate users in a Windows network, replacing the outdated and relatively insecure NTLM. Besides this, it is widely used in *NIX environments and there are implementations for every major platform. So it is very likely that you already have Kerberos in place, and now you can use it in your own web application as well. That means that your user just enters the URL and is automatically authenticated with his domain username, for example mikewiesner@SPRINGSOURCE.COM. You can then find out this username via Spring Security or even with request.getRemoteUser(). How does this work? Here is a brief overview:

The browser sends a GET request to your web application (1), which answers that "Negotiate" authentication is required (2): an HTTP 401 response carrying the header WWW-Authenticate: Negotiate. The browser then asks the Kerberos server (the KDC) for a so-called service ticket for your application (3), which the KDC issues (4). The browser sends this service ticket, which proves the identity of the caller, together with some additional data (wrapped as a SPNEGO token in the Authorization: Negotiate request header) to the web application (5). The ticket is encrypted with the long-term key of your service principal, a secret shared only between your web application and the KDC, so nobody else can forge it; after decrypting and validating the ticket, the application gets back the username.
For this to work, every web application needs to be registered at the Kerberos server and gets a service principal and a shared secret assigned. For web applications, the service principal must be "HTTP/<fully qualified domain name>@REALM" (in Active Directory the realm is the domain name in capitals), for example "HTTP/web.springsource.com@SPRINGSOURCE.COM" if your app runs on web.springsource.com. The host part has to be exactly the name the browser sees in the URL, because that is the name it requests a ticket for. You then need to export the credentials of this principal to a keytab file (the shared secret) and make it available to your application. Every Kerberos-based system works this way, but the creation of the service principal and the keytab differs between implementations. I will show you how to do this with Microsoft Windows and MIT Kerberos, but it should also work with other implementations.
Creating service principal with Microsoft Windows 2008 Server
Although this refers to Microsoft Windows 2008 Server, it should be very similar in 2003 and even 2000 Server. In Active Directory, you just create a normal domain user, assign it a service principal name (SPN), and create the keytab with a command line utility. And now step by step:
Create a normal user which will become the service principal. The username and the initial password are meaningless for Kerberos (ktpass sets a new password in the next step), but you should of course choose a descriptive name, like http-web.springsource.com. Just make sure that you deactivate the option "User must change password at next logon" and activate "Password never expires": the service key is derived from the password, so if the password ever changes, the key in your keytab no longer matches and every ticket validation fails.
After that, you have to use the command line tool "ktpass.exe". It is already included in Windows 2008 Server; in earlier versions you have to install it yourself. Just make sure that you are using a version which matches your server version, and the locale should match as well. This tool will assign the service principal name (SPN) to the user you created earlier and will export the user's key to a keytab file. If your service principal is "HTTP/web.springsource.com@SPRINGSOURCE.COM" and your user is http-web.springsource.com, then your ktpass command should look like this:
ktpass /out http-web.keytab /mapuser http-web.springsource.com@SPRINGSOURCE.COM /princ HTTP/web.springsource.com@SPRINGSOURCE.COM /pass *
ktpass will prompt you for a password; choose a long random one, since the service key is derived from it. If you now have a file http-web.keytab in your directory, everything worked. This file is needed later in your application, as it contains the shared secret used to validate the service tickets. Treat it like a private key: anyone who can read it can decrypt tickets for your service and impersonate it, so restrict its file permissions and keep it out of version control.
Creating service principal with MIT Kerberos
On *NIX systems and also on Mac OS X, the MIT Kerberos implementation is widely used. With MIT Kerberos it is even simpler. Just open the kadmin console and execute the following commands:
kadmin: addprinc -randkey HTTP/web.springsource.com
kadmin: ktadd -k /http-web.keytab HTTP/web.springsource.com
You should then have a file http-web.keytab in the root directory (/). This file is needed later in your application, as it contains the shared secret used to validate the service tickets, so protect it with restrictive file permissions just like any other key material.
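Whichever tool produced the keytab, the thing worth checking before you deploy it is that it really contains a key for exactly the principal you configure later (name, realm and capitalisation included) and for an encryption type the KDC will actually issue tickets in. `klist -k -e` shows this, but the following Python script, an added example that is not part of the extension or of the original post, reads the keytab format itself so the check can be scripted. It assumes the version 2 (0x0502) MIT keytab layout that both ktpass and ktadd write, and builds its sample keytab in memory from filler key bytes; the enctype names are the standard IANA numbers.

```python
import struct

# Kerberos encryption type numbers (IANA registry; RFC 3961 / RFC 4757)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

def _octets(data):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def _read_octets(buf, p):
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n], p + 2 + n

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a version 0x0502 keytab.
    Used only to construct the sample below; real keytabs come from ktpass or ktadd."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octets(realm.encode())
        for component in components:
            body += _octets(component.encode())
        body += struct.pack(">I", 1)             # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp, irrelevant for validation
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit key version
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)          # optional 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """List the entries of a version 2 keytab (the format ktpass and MIT ktadd write)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, p = _read_octets(entry, 2)
        components = []
        for _ in range(ncomp):
            component, p = _read_octets(entry, p)
            components.append(component.decode())
        p += 8                             # skip name_type and timestamp
        kvno = entry[p]
        (enctype,) = struct.unpack(">H", entry[p + 1:p + 3])
        key, p = _read_octets(entry, p + 3)
        if p + 4 <= len(entry):            # a non-zero 32-bit version overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", entry[p:p + 4])
            kvno = kvno32 or kvno
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),           # never print the key itself
        })
    return entries

def keytab_has_key(data, principal, enctype=None):
    """True if the keytab holds a key for principal (and, if given, for that enctype)."""
    return any(e["principal"] == principal and (enctype is None or e["enctype"] == enctype)
               for e in parse_keytab(data))

def missing_keys(data, principal, required_enctypes):
    """Names of the required enctypes for which principal has no key; a non-empty list is
    what the JDK reports as "Cannot find key of appropriate type to decrypt AP REP"."""
    present = {e["enctype"] for e in parse_keytab(data) if e["principal"] == principal}
    return [ENCTYPE_NAMES.get(t, str(t)) for t in required_enctypes if t not in present]

# Constructed sample: the service principal from this post with an RC4 and an AES256 key.
# The key bytes are filler, not real secrets.
SERVICE_PRINCIPAL = "HTTP/web.springsource.com@SPRINGSOURCE.COM"
SAMPLE_KEYTAB = build_keytab([
    (SERVICE_PRINCIPAL, 3, 23, bytes(range(16))),
    (SERVICE_PRINCIPAL, 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print("missing:", missing_keys(SAMPLE_KEYTAB, SERVICE_PRINCIPAL, [23, 1]))
```

Run `parse_keytab` over the file you intend to ship and compare the principal string with the servicePrincipal you configure in Spring; a realm mismatch, a short host name instead of the FQDN, or a key version that no longer matches the account's password are all invisible in the file listing but show up here. `missing_keys` tells you whether the keytab can decrypt the enctype the KDC hands out, which is exactly what the Java GSS-API layer complains about when it cannot.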
Configuring Spring Security
First of all, the requirements:
- Spring Security 3.0.0 M2
- SUN JRE/JDK 1.6.x
- Kerberos environment
- Browser which supports SPNEGO (Firefox, IE, Safari)
In order to use the Kerberos module in Spring Security, you just have to declare a filter, an authentication entry point and an authentication provider. We included a sample web app which you can use as a starting point. You just have to configure your service principal name and place your generated keytab there. The sample app is included in the download mentioned above.
If you open the security.xml file of the sample application, which is under /src/main/webapp/WEB-INF, you see a basic Spring Security configuration which uses the new Kerberos module.
<sec:http entry-point-ref="spnegoEntryPoint">
    <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_PROCESSING_FILTER" />
</sec:http>

<bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

<bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
</sec:authentication-manager>

<bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
        <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
            <property name="servicePrincipal" value="HTTP/web.springsource.com" />
            <property name="keyTabLocation" value="classpath:http-web.keytab" />
        </bean>
    </property>
    <property name="userDetailsService" ref="dummyUserDetailsService" />
</bean>

<!-- Just returns the User authenticated by Kerberos and gives him the ROLE_USER -->
<bean id="dummyUserDetailsService" class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService"/>
The first two beans (SpnegoEntryPoint and SpnegoAuthenticationProcessingFilter) are responsible for the handshake, and the KerberosServiceAuthenticationProvider then finally validates the service ticket. Currently we only support the Kerberos/SPNEGO implementation which is included in SUN's JRE/JDK. As Kerberos only gives you back the authenticated principal name, you also need a UserDetailsService to fetch the roles and maybe some other user attributes. In this sample we just use a dummy implementation to make testing easier; in a real deployment this is where you decide which authenticated principals are allowed in and what they may do.
As you can see, we already filled in the service principal name and the keytab location. Change these values to your needs and make sure that the previously generated keytab is available at this location.
Now start your server and attempt a SPNEGO authentication. You should see your full domain username in the browser. In your code you can retrieve the username with the normal Spring Security classes or even with the standard Java servlet call request.getRemoteUser(). If it doesn't work (maybe you see an empty page), check these things:
- Check the logfile
- Make sure that you use the fully qualified domain name (not the IP address and not the short name) in your URL; the browser requests a ticket for HTTP/<host in the URL>, so anything else does not match your service principal.
- If you are using Internet Explorer: turn on "Enable Integrated Windows Authentication" and make sure that the site (in our case web.springsource.com) is listed in IE's local intranet zone.
- If you are using Firefox: the site must be listed in the about:config preference network.negotiate-auth.trusted-uris, otherwise Firefox never sends a Negotiate token.
- If you are using a Windows client: client and server must be on different machines, because otherwise Windows will use NTLM instead of Kerberos.
- Check that the clocks of all involved machines are synchronized; Kerberos rejects tickets whose timestamps are off by more than the allowed skew (5 minutes by default).
- If you're using Microsoft AD, you will find some further help here: http://msdn.microsoft.com/en-us/library/ms995329.aspx
Besides this, setting up a proper Kerberos environment can be complicated, and it is important to get this right before you start using the Spring Security Kerberos extension. Most of the problems we encounter during consulting are problems with the Kerberos environment and not with the application itself.
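To make the handshake from the overview concrete, and to settle the most common item of the checklist above (did the browser send a Kerberos token at all, or did it fall back to NTLM?), here is a small Python script. It is an added example, not code from the extension or the original post. It does not validate tickets; that is the job of the GSS-API acceptor in the JDK, which the extension wraps in SunJaasKerberosTicketValidator. It only plays the server side of steps (2) and (5) and identifies what arrived by reading the mechanism OID at the start of the GSS-API token. The SPNEGO token is constructed here with an empty mechToken (a real one carries the AP-REQ with the service ticket); the NTLM header is the one quoted in the comment thread on this page.

```python
import base64

def _der(tag, content):
    """Minimal DER TLV for contents shorter than 128 bytes (enough for the sample token)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, offset after the field)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

# DER-encoded mechanism OIDs that follow the [APPLICATION 0] tag of a GSS-API
# InitialContextToken (RFC 2743 section 3.1).
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
MECHS = {SPNEGO_OID: "spnego", KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # NTLM messages are not GSS-API tokens at all

def classify_token(token):
    """Say what the browser actually put inside the Negotiate header."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if not token or token[0] != 0x60:   # no InitialContextToken wrapper
        return "unknown"
    _, pos = _der_length(token, 1)
    for oid, name in MECHS.items():
        if token.startswith(oid, pos):
            return name
    return "unknown"

def classify_negotiate_header(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "unknown"
    return classify_token(token)

def negotiate_header(token):
    """What the browser sends in step (5): Authorization: Negotiate <base64 token>."""
    return "Negotiate " + base64.b64encode(token).decode()

def handle_request(headers):
    """Server side of the handshake, up to the point where a real validator takes over."""
    auth = headers.get("Authorization")
    if auth is None:                     # step (2): ask for Negotiate
        return {"action": "challenge", "status": 401, "www_authenticate": "Negotiate"}
    kind = classify_negotiate_header(auth)
    if kind in MECHS.values():           # a Kerberos/SPNEGO token: hand it to the GSS acceptor
        return {"action": "validate", "token_kind": kind}
    return {"action": "reject", "status": 401, "token_kind": kind}

# Constructed sample: a NegTokenInit that advertises only the Kerberos V5 mechanism and
# carries no mechToken.
SAMPLE_SPNEGO_TOKEN = _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, KRB5_OID)))))

# Copied from the comment thread on this page: the token Internet Explorer sent when it
# fell back to NTLM. The Base64 starts with "TlRMTVNTUAAB", i.e. "NTLMSSP\0" plus message type 1.
SAMPLE_NTLM_HEADER = ("Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0"
                      "RThEQjY3NEFPQ0VBTklB")

if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": SAMPLE_NTLM_HEADER}))
    print(handle_request({"Authorization": negotiate_header(SAMPLE_SPNEGO_TOKEN)}))
```

If the header decodes to NTLMSSP, no keytab in the world will validate it; the fix is on the client side (FQDN in the URL, intranet zone, a browser on a different machine than the server), not in the Spring configuration. Logging the result of classify_negotiate_header next to a failed validation saves a lot of time compared to staring at "GSSHeader did not find the right tag".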
If you want to use the Spring Security Kerberos Extension in your own Maven project, you have to add the Spring Milestone Repository to your pom.xml. It should look like this:
<repositories>
    <repository>
        <id>spring-milestone</id>
        <name>Spring Portfolio Milestone Repository</name>
        <url>http://maven.springframework.org/milestone</url>
    </repository>
</repositories>
and of course the dependency:
<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-kerberos-core</artifactId>
    <version>1.0.0.M1</version>
</dependency>
There is still some work to do, for example to also provide Kerberos for Java clients and not only for the server, but we hope you'll try out this milestone release and provide some feedback. The Community Forum is the best place to ask questions or to start discussions on new features. Alternatively, if you find something amiss, you can raise a Jira Issue.
Kai Virkki says:
Added on September 28th, 2009 at 5:56 am
This is great news! We've been fighting with the buggy jcifs NTLM implementation for years and really welcome a Kerberos solution for Windows SSO!!
Risom says:
Added on October 8th, 2009 at 11:45 pm
As mentioned in the API, it works fine with the JAAS implementation of SUN. What should I be doing if I have to use it in WebSphere with the IBM JRE?
Mike Wiesner (blog author) says:
Added on October 9th, 2009 at 3:38 am
@Risom Currently you can't use it with an IBM JVM. The code which is dependent on the Sun JVM is already separated, but in M1 we don't have an implementation which works on an IBM JVM. I've created a JIRA issue for this, so that you (and others) can follow the progress: https://jira.springsource.org/browse/SES-15
Risom says:
Added on October 9th, 2009 at 4:50 am
Hello Mike Wiesner, this blog was awesome! cheers …
dominikz says:
Added on October 15th, 2009 at 9:44 am
I'm having trouble with running the sample. I use Kerberos from MIT on Linux and a Tomcat 6.0 on Windows. When I try to deploy the webapp on the server I get the following error:
Key for the principal HTTP/web.springsource.com@GENIJUSZ.ORG not available in file:/D:/Java/Tomcat 6.0/webapps/kerberos/WEB-INF/classes/http-web.keytab
On the other hand
$ /cygdrive/c/Java/jdk1.6.0_11/bin/klist.exe -f -k http-web.keytab
Key tab: http-web.keytab, 2 entries found.
[1] Service principal: HTTP/web.springsource.com@GENIJUSZ.ORG
KVNO: 3
[2] Service principal: HTTP/web.springsource.com@GENIJUSZ.ORG
KVNO: 3
I understand that this is probably not an extension issue, but a JAAS issue. But anyway, your help would be nice. Is there a way to verify if the key is actually available in the keytab? Does the domain name (web.springsource.com) matter? (Should I use a different one?)
TP says:
Added on November 5th, 2009 at 7:11 pm
Hi,
I'm running into some issues when I tried to run the sample SSO app from Spring Security v3. I get the following exception during server startup:
Key for the principal HTTP/uname.company.com@COMPANY.COM not available in file:/C:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/spring-security-kerberos-sample-1.0.0.M1/WEB-INF/classes/http-web.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
I have the web.keytab placed under the above mentioned path and the keytab file was generated in a windows server.
I'm using Tomcat 6 and JDK 1.6.0_06.
-TP
dominikz says:
Added on November 6th, 2009 at 1:53 am
I was running into the same trouble. I had an MIT KDC and what helped was adding these encryption algorithms (rc4-hmac:normal,des-cbc-crc:normal) when generating principals in the KDC:
addprinc -x containerdn=o=Novell -e rc4-hmac:normal,des-cbc-crc:normal -pw password host/testworkstation.kerberos.yourcompany.com
When I tried it with the default one, or only with des-cbc-crc:normal, it was not working. Since it is Java that tries to read the keytab, I presume that it may also help in your case.
One more thing. Just as it says on this page, there is a far greater probability that you have your Kerberos setup wrong rather than that there's something wrong in the Spring library. The following articles helped me with clearing up my Kerberos setup:
http://www.novell.com/documentation/zenworks7/dm7admin/?page=/documentation/zenworks7/dm7admin/data/b5czc1w.html
http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
http://sial.org/howto/kerberos/windows/
Mike Wiesner (blog author) says:
Added on November 10th, 2009 at 2:19 am
@TP: The JAAS Kerberos module, which is used inside, seems to have problems with loading the keytab from a path which includes whitespaces. I've created a JIRA issue for that: https://jira.springsource.org/browse/SES-19.
Mike Wiesner (blog author) says:
Added on November 10th, 2009 at 2:34 am
@Dominikz: Microsoft also provides some help for setting up Kerberos/SPNEGO in an Active Directory environment. It can be found here: http://msdn.microsoft.com/en-us/library/ms995329.aspx
TP says:
Added on November 10th, 2009 at 5:14 pm
@Mike: Thanks for the information. The "authentication failed" issue was resolved once I updated the keytab file's location path not to include any spaces in the referred directory names.
Joe Khoobyar says:
Added on November 11th, 2009 at 3:06 pm
Mike,
You may want to consider leveraging Microsoft Windows SSPI for native Kerberos/SPNEGO. This forgoes the need for using KTPASS, works seamlessly in complex cross-forest authentication scenarios, and is critical for full single sign-on integration when your organization uses a more "Microsoft centric" Kerberos solution… such as Centrify.
About a month ago, I successfully integrated an SSPI Kerberos implementation into JSch (a Java SSH client), and Net::SSH::Kerberos (a ruby gem that extends Net::SSH with kerberos functionality).
I'm more than willing to lend a hand if you'd find such an enhancement potentially useful.
Vandana says:
Added on November 17th, 2009 at 12:44 pm
Hi Mike,
Thanks a lot for your efforts!!! This stuff is of great help.
I tried deploying the sample on Tomcat 6 and made the required changes for the service principal and keytab.
I don't understand this error; could you please give a solution or share your thoughts on this?
This is from the Tomcat logs:
Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
Thanks in Advance!!
Vandana
Nikolay says:
Added on December 13th, 2009 at 2:02 pm
Hi Mike,
I wonder if I can specify the path to the keytab file to be something like "/etc/krb5.keytab".
I'm running two websites on my PC, and have chosen Kerberos for cross-site authentication.
I think, I can handle registration by calling shell script "kadmin … add username …".
What do you think could be the best practice to combine your Spring Kerberos authentication module and the registration procedure?
If, say, the registration code creates a new principal using kadmin and updates the "/etc/krb5.keytab", will the new user be able to immediately authenticate through your Spring Kerberos authentication module?
I.e. will it reload the new keytab content?
Can I point it to an arbitrary location on the disk? (because it's gonna be used by several web-apps)
Nikolay says:
Added on December 24th, 2009 at 3:01 pm
I get this error:
Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
peter says:
Added on January 20th, 2010 at 7:11 pm
Hi Mike,
I get the following error
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Checksum failed !
Negotiate Header was invalid:
I assume that there is something wrong with my Kerberos set up, but not clear on where to look.
any pointers would be appreciated!
Rizwan says:
Added on January 21st, 2010 at 7:19 pm
I am using the sample provided above and I am getting the following exception:
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 22 more
Caused by: KrbException: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
at sun.security.krb5.KrbApReq.(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
… 30 more
I am using the following:
- Jdk 1.6,
- Oracle Weblogic server 10.3,
- Active Directory 2003; AD only uses DES-CBC-CRC or DES-CBC-MD5 (by default) encryption and I can't change to RC4 that my Server requires.
Can anyone help: how can I force it to use DES encryption?
How can I change the encryption to DES in my application?
Arve says:
Added on February 1st, 2010 at 11:22 am
Hi,
I have tested on a Mac 10.6, running Kerberos on a virtual Ubuntu. Works like a dream.
My vote for Spring Security Kerberos/SPNEGO Extension.
Rizwan says:
Added on February 4th, 2010 at 6:40 pm
Yes, the problem is finally resolved. That was a 3-step process:
1. I recreated the user
2. The setspn was called before the ktpass command. It looks like setspn is not required, as the ktpass command does the job for you
3. I was using a service principal appending my domain name like HTTP/pc43433.mydomain but it is supposed to be HTTP/pc43433
Arve says:
Added on February 5th, 2010 at 7:15 am
To use SX Spring Security Extension version 1.0.0.M1, my experience is:
- In the security.xml: "…/spring-security-3.0.xsd" says "BASIC_PROCESSING_FILTER" is not valid, but "…/spring-security-2.5.xsd" says it is.
- Spring Security version 3.0.1 gives me "java.lang.NoSuchMethodError in constructor of KerberosServiceRequestToken" as Harald Radi (https://jira.springsource.org/browse/SES-29) experienced.
  - To define authorities: Collection authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
- Spring Security version 3.0.0.M2 is an OK combination.
  - To define authorities: List authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
ukdavo says:
Added on February 8th, 2010 at 12:38 pm
I'm getting the following error with Spring Security 3.0.1:
"org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 19 in XML document from ServletContext resource [/WEB-INF/spring/security-config.xml] is invalid; nested exception is org.xml.sax.SAXParseException: cvc-enumeration-valid: Value 'BASIC_PROCESSING_FILTER' is not facet-valid with respect to enumeration '[FIRST, CHANNEL_FILTER, CONCURRENT_SESSION_FILTER, SECURITY_CONTEXT_FILTER, LOGOUT_FILTER, X509_FILTER, PRE_AUTH_FILTER, CAS_FILTER, FORM_LOGIN_FILTER, OPENID_FILTER, BASIC_AUTH_FILTER, SERVLET_API_SUPPORT_FILTER, REMEMBER_ME_FILTER, ANONYMOUS_FILTER, EXCEPTION_TRANSLATION_FILTER, SESSION_MANAGEMENT_FILTER, FILTER_SECURITY_INTERCEPTOR, SWITCH_USER_FILTER, LAST]'. It must be a value from the enumeration."
Any suggestions?
Arve says:
Added on February 8th, 2010 at 1:02 pm
ukdavo, my suggestion is, as said on 5 Feb.: Spring Security Extension version 1.0.0.M1 is OK with Spring Security version 3.0.0.M2.
ukdavo says:
Added on February 9th, 2010 at 6:27 am
Thanks for your help. Using Spring Security 3.0.0 M2 seems to have helped in that I'm further than I was before. Unfortunately, I now get an IllegalArgumentException – it can't find the file C:\Windows\krb5.ini. This file doesn't exist – do I have to create one? I'm running everything on a Windows Server 2003 VM that's been set up as a PDC.
ukdavo says:
Added on February 9th, 2010 at 10:18 am
@Arve – I created the krb5.ini so I've got a little further. It looks like IE is sending a NTLM token instead of a Kerberos token. I added the site into the Intranet zone so I'm not sure what's going on. Thanks for your help anyway. I'll keep Googling for an answer.
Aaron Douglas says:
Added on February 9th, 2010 at 12:00 pm
Mike – How does this plugin work with a load-balanced environment? I've never used Kerberos before and I'd like to set this up on an app I'm running. The issue is, the app may be running on multiple servers. Can I have my sys admins add multiple service principals to the same Windows user, one for each fully qualified server name? What if all the servers are behind a single proxy load balancer? Thanks for your help!
Peter Mularien says:
Added on February 9th, 2010 at 1:43 pm
@ukdavo
"I'm running everything on a Windows Server 2003 VM that's been set up as a PDC."
You MUST have the browser client on a separate machine, otherwise it will always use NTLM.
ukdavo says:
Added on February 9th, 2010 at 1:49 pm
Thanks Peter. I just spotted your advice on the Spring Extensions forum. Time to set up a new VM I guess!
Grant says:
Added on February 22nd, 2010 at 11:01 pm
I got this error:
Received Negotiate Header for request :
Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed
Any help? Thanks.
Peter says:
Added on February 22nd, 2010 at 11:03 pm
Received Negotiate Header for request http://w0024e8db674a.oceania.corp.anz.com:8080/spring-security-kerberos-sample-1.0.0.M1/secure/index.jsp: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed
ukdavo says:
Added on February 24th, 2010 at 5:21 pm
Just wanted to say thanks for a great addition to Spring. I got it to work once I followed Peter Mularien's advice.
Peter/Grant – it looks like you've got the same problem that I had. It looks like you're presenting NTLM tokens (see http://appliedcrypto.com/spnego/qa.html) instead of Kerberos tokens. Apparently, IE will use NTLM if the client and server are the same machine.
norm says:
Added on March 2nd, 2010 at 3:27 am
Always got GSSException "Checksum failed" when validating Ticket sent back from Windows Server 2008 against Keytab file produced by ktpass. The only thing that worked for me was recreating keytab file with ktab.exe provided by JDK on windows installation
Clarence says:
Added on March 3rd, 2010 at 12:54 pm
@norm – I had the same problem with Windows Server 2003, and the only solution that worked for me was ktab, as you described.
Anybody know why this error occurs with the keytab produced by ktpass?
ukdavo says:
Added on March 3rd, 2010 at 4:16 pm
@Clarence @norm
I had similar problems but found that they disappeared when I changed the command parameters as per http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration. I also followed their suggestions re the "Use DES encryption types for this account" and "Do not require Kerberos preauthentication" options. I've no idea if this will help you but it seemed to work for me.
Kianoosh says:
Added on March 29th, 2010 at 10:01 pm
what ptype should be used for setting the spn? I get this from ktpass:
"KTPASS: Could not determine the correct principal type.
If this keytab is intended for a computer account, please use /ptype KRB5_NT_SRV_HST
If this keytab is intended for a user account, please use /ptype KRB5_NT_PRINCIPAL"
ukdavo says:
Added on April 16th, 2010 at 4:06 am
Can this be used to get back role information similar to the ldap provider? – e.g. membership of AD groups.
Rhys Parsons says:
Added on April 20th, 2010 at 10:51 am
Here's what worked for me (it took me 2.5 days to sort this out!).
1. Use Mike's config exactly as it is (except, obviously, changing domain names, etc) especially wrt capitalisation and using FQDN.
2. Use Mike's example of ktpass exactly as it is. You can specify /ptype KRB5_NT_PRINCIPAL if you like, but trying any value for /crypto just didn't work for me.
3. Set up the Java System properties java.security.krb5.kdc AND java.security.krb5.realm to be the fully-qualified name of your Domain Controller and your domain (fully-qualified) in capitals.
4. Make sure Internet Explorer in your client thinks that the server is in its Intranet! Don't use the server as a client!
5. For your Service Principal and any users you want to authenticate, in the Account options, disable 'Use Kerberos DES…', enable 'This account supports Kerberos AES 128 bit…', enable 'This account supports Kerberos AES 256 bit…' and disable 'Do not require Kerberos preauthentication'.
6. If you are outside the US, you may need to download the full support for AES 256-bit encryption. Look it up.
In the test system I set up, the domain was vbis.security.local. The Windows Server 2008 machine was called chekov. So the values for the properties were:
java.security.krb5.kdc=chekov.vbis.security.local
java.security.krb5.realm=VBIS.SECURITY.LOCAL
Some mistakes I made:
I messed around with so many different settings without knowing what was what that I kept tripping over previous dead-end attempts. I recommend deleting and re-creating the Service Principal if things don't go your way (and then, of course, re-running ktpass and setting up the AES security as specified in step 5).
Hope this helps someone. I can't guarantee it'll work for you!
Good luck!
Rhys Parsons says:
Added on April 26th, 2010 at 7:44 am
Would like to see SpnegoAuthenticationProcessingFilter extend AbstractAuthenticationProcessingFilter.
Nicholas Irving says:
Added on May 16th, 2010 at 7:18 pm
Figured out how to make this work with WebSphere 5.1 with some changes to KerberosValidateAction, and potentially there is a single line fix for 6.1+, so check out the Jira for this update, https://jira.springsource.org/browse/SES-15
Luke says:
Added on June 15th, 2010 at 12:03 am
Hi,
I need to authenticate against AD with a token. How can I acquire a token that has been generated for a user and use this token to authenticate/validate…? I am attempting to implement a SSO process that does authentication via a web service.
My WS needs to acquire a token for the user that is currently logged in. It then passes this token to an external WS which will use this token to authenticate against AD and return either success or failure…
Any help much appreciated…
Luke.
Savvas Andreas says:
Added on June 15th, 2010 at 5:13 am
Hello,
Does anyone know how the mapping for the normal users of the application takes place? The ktpass tool will map a user (e.g. server.user@domain.com) with a Service Principal (e.g. http/web.fully.qualified.name) and this user, to my understanding, will be used by the application server to authenticate itself.
But then later on after getting the SPNEGO header from the client it will try to authenticate the attempted user's principal contained within the SPNEGO header. If say, the attempted user is someone@domain.com and the service principal name is http/web.fully.qualified.name *how* or *when* does that mapping take place?
Regards,
Savvas.
Akshay says:
Added on August 9th, 2010 at 10:13 am
Hi
I am following the exact steps as mentioned in spring security kerberos tutorial but I seem to get the following error when validating kerberos token:
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….
Any pointers how to resolve this error?
Thanks
davetbo says:
Added on August 31st, 2010 at 10:32 am
@TP, @dominikz and others
I banged my head against the wall all morning trying to solve the "LoginException: Unable to obtain password from user" problem. The solution ended up being that you MUST USE the SUN java. I was previously using java-1.6.0-openjdk-1.6.0.0-1.13.b16.el5 on Centos 5.4. I switched to use Sun jdk1.6.0_21 and it started working immediately. You can follow instructions here to get the Sun java working: http://chrisschuld.com/2008/10/installing-sun-java-on-centos-5-2/ (this says Centos 5.2 but it worked for me on 5.4).
Best,
Dave
Jason says:
Added on October 26th, 2010 at 5:42 am
Got this working after a while…
However, does anyone know if I can use this authenticated context to perform an LDAP lookup for the user? I.e. I don't want to have a username/password sat in an XML file somewhere.
Basically, I want the user to login seamlessly (which now works), then have access to certain resources given the groups they have. Spring LDAP seems to want me to place a username and password in an XML file for an AD user.
I am aware of the UserDetailsService but can find no sensible example/documentation to use in this context.
Many Thanks
ukdavo says:
Added on October 26th, 2010 at 6:09 am
Just thinking aloud – perhaps you could search AD/LDAP via LdapTemplate for the sAMAccountName (i.e. the authenticated username).
Zoharat says:
Added on February 17th, 2011 at 12:13 pm
I am following the exact steps as mentioned in spring security kerberos tutorial but I seem to get the following error when validating kerberos token:
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….
We have a windows 2000 server.
Zoharat says:
Added on February 17th, 2011 at 12:14 pm
I am following the exact steps as mentioned in spring security kerberos tutorial but I seem to get the following error when validating kerberos token:
Found key for HTTP/my-key@MYDOMAIN
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
WARN : org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter – Negotiate Header was invalid: Negotiate YIIQs….
Any pointers how to resolve this error?
Thanks
Savvas Andreas Moysidis says:
Added on February 20th, 2011 at 4:08 pm
Hi Zoharat,
If I remember right, this error means that you are specifying a different encoding type in your krb5.ini file than the one you are using in your ktpass command.
Regards,
- Savvas
lipman says:
Added on February 21st, 2011 at 9:53 pm
After several days struggling, it is finally working perfectly. KDC is Windows 2008 R2, and both RC4-HMAC and AES256-CTS-HMAC-SHA1-96 are working.
My initial problem was that rc4-hmac was working but AES256 failed with a "checksum failed" error. As the same ktab file is used, I was really confused. After 3 days struggling, I realized that the domain name was not specified correctly: RC4-HMAC is case insensitive, but AES256 is not. So you have to follow Mike's instructions exactly and use uppercase for the domain.
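The "Checksum failed" and "Cannot find key of appropriate type" reports in this thread, and the case-sensitivity lipman describes, all come down to what the keytab holds versus the principal, enctype and kvno the KDC used for the service ticket. The following is an added diagnostic, not code from the Spring Security Kerberos extension or the JDK: it parses MIT-format keytab entries and names the mismatch. The sample keytab, its principal `HTTP/web.example.local@EXAMPLE.LOCAL` and the function names are constructed for this example; the key bytes are dummies.

```python
"""Parse an MIT keytab and explain why a service ticket cannot be decrypted.

Added example, not part of the Spring Security Kerberos extension or the JDK.
Keytab v2 (magic 0x0502) entries carry principal, kvno and enctype; a ticket
the validator cannot decrypt is one whose (principal, enctype, kvno) has no
matching entry, which surfaces as "Checksum failed" or "Cannot find key of
appropriate type". The sample keytab below is constructed with dummy keys.
"""
import struct
from typing import Any, Dict, List

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf: bytes, pos: int):
    """Read a uint16-length-prefixed octet string; return (bytes, next position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _cs(text: str) -> bytes:
    """Encode a counted octet string (used only to build the sample keytab)."""
    return struct.pack(">H", len(text.encode())) + text.encode()

def parse_keytab(data: bytes) -> List[Dict[str, Any]]:
    """Return one dict per live entry: principal, kvno, enctype, enctype_name, key_len."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):              # v2 counts components without the realm
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        vno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": etype, "enctype_name": ENCTYPE_NAMES.get(etype, str(etype)),
                        "key_len": klen})
    return entries

def build_keytab(entries: List[Dict[str, Any]]) -> bytes:
    """Serialize {principal, kvno, enctype, key} dicts as a v2 keytab (sample builder)."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cs(realm) + b"".join(_cs(c) for c in comps)
        body += struct.pack(">IIBHH", 1, 0, e["kvno"] & 0xFF, e["enctype"], len(e["key"]))
        body += e["key"] + struct.pack(">I", e["kvno"])
        out += struct.pack(">i", len(body)) + body
    return out

def diagnose(entries: List[Dict[str, Any]], principal: str, enctype: int, kvno: int) -> List[str]:
    """Explain why a ticket for (principal, enctype, kvno) has no usable keytab key."""
    exact = [e for e in entries if e["principal"] == principal]
    if not exact:
        if any(e["principal"].lower() == principal.lower() for e in entries):
            return ["CASE: keytab principal differs only by case from " + principal +
                    "; AES string-to-key salts the password with realm and principal, so the "
                    "case given to ktpass/ktab must match the KDC (RC4-HMAC uses the unsalted "
                    "NT hash and is not affected)"]
        return ["NO_PRINCIPAL: no entry for " + principal + " (check SPN and realm)"]
    same_etype = [e for e in exact if e["enctype"] == enctype]
    if not same_etype:
        have = ", ".join(sorted({e["enctype_name"] for e in exact}))
        return ["NO_ENCTYPE: ticket uses %s but keytab only has %s; align the enctype used "
                "when generating the keytab with krb5.ini and the account options"
                % (ENCTYPE_NAMES.get(enctype, str(enctype)), have)]
    if not any(e["kvno"] == kvno for e in same_etype):
        return ["KVNO: ticket kvno %d, keytab kvno %s; the account's kvno rises on every "
                "password reset (each ktpass /pass run), so regenerate the keytab"
                % (kvno, sorted({e["kvno"] for e in same_etype}))]
    return []

# Constructed sample: one service principal with rc4-hmac and aes256 keys, both kvno 3.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "HTTP/web.example.local@EXAMPLE.LOCAL", "kvno": 3, "enctype": 23, "key": bytes(16)},
    {"principal": "HTTP/web.example.local@EXAMPLE.LOCAL", "kvno": 3, "enctype": 18, "key": bytes(32)},
])
SAMPLE_ENTRIES = parse_keytab(SAMPLE_KEYTAB)
```

Running `diagnose(SAMPLE_ENTRIES, "HTTP/web.example.local@example.local", 18, 3)` reproduces lipman's situation: the RC4 key would still be found if looked up case-insensitively, while the AES lookup fails on case.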
Zoharat says:
Added on February 22nd, 2011 at 10:00 am
So we finally got it to work on Windows 2008 as well as Windows 2000.
Steps
1. Create me an active directory user as follows…
username = http-myservice.com
password = test
rules – deactivate the option 'User must change password at next logon' and activate 'Password never expires'
— This user will be the user for the server (or the service provider) and will basically authenticate the server to the active directory so that the two of them can communicate. This is NOT a 'real' user in that it's not mapped to a human being.
2. Run ktpass for this user to create a keytab file…
ktpass /out http-web.keytab /mapuser http-myservice.com@ /princ HTTP/.@ /pass test
where….
/out http-web.keytab – this directs the output of this ktpass command to write a file named 'http-web.keytab'
/mapuser http-myservice.com@
– this does a few things…
– the domain name MUST be in upper case
– http-myservice.com is the user that we've created specifically for the server. Again, this isn't a 'real' user.
/princ HTTP/.@
– three things to note here…
– all things in upper case
– This is the server that the service will be running on…
– The domain of the active directory
/pass test – basically, who cares what the password is…but we don't want it to prompt us, so create a password for this server/service provider user.
Dreamer says:
Added on March 10th, 2011 at 8:57 pm
Where does one add the krb5.ini file (defining realms and domain_realms)?
Or aren't krb5.ini files required for SPNEGO Extension?
Thanks.
Savvas Andreas Moysidis says:
Added on March 17th, 2011 at 12:31 pm
Hello,
The krb5.ini *is* required and should be placed under C:\Windows\
Sophia says:
Added on April 7th, 2011 at 3:21 am
Hi,
I get the following error. Any help is appreciated.
WARNING: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:134)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:165)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
… 23 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
… 26 more
ukdavo says:
Added on April 7th, 2011 at 5:38 am
@Sophia – that looks like an NTLM token. Are the server and client one and the same? Or is the target website shown to be in the Internet zone in IE?
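The check ukdavo applies here and in the earlier reply to Peter and Grant (an NTLM token arriving where a Kerberos one was expected) can be done mechanically from the header itself. The following is an added diagnostic, not code from the Spring Security Kerberos extension: it base64-decodes the Negotiate value and reports whether it is an NTLMSSP message (the "TlRMTVNTUAAB…" tokens in this thread, which the validator rejects with "GSSHeader did not find the right tag") or a GSS-API token, and which mechanism OID the latter carries. The sample headers are constructed with the same layout as the tokens quoted above, and the function names are my own.

```python
"""Classify the token carried in a 'Negotiate' Authorization header.

Added diagnostic, not part of the Spring Security Kerberos extension.
An NTLM token decodes to the 'NTLMSSP\\0' signature (base64 'TlRMTVNTUAAB'),
which the Kerberos validator rejects with "GSSHeader did not find the right
tag". A GSS-API token starts with the ASN.1 APPLICATION 0 tag 0x60 (base64
'YI...') followed by the mechanism OID, which says what the browser sent.
"""
import base64
from typing import Any, Dict, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag: the 8-byte version field is present

# DER-encoded mechanism OIDs a browser may place in a GSS-API InitialContextToken.
SPNEGO_OID_DER = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID_DER = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
MECH_NAMES = {SPNEGO_OID_DER: "SPNEGO", KRB5_OID_DER: "Kerberos V5", MS_KRB5_OID_DER: "MS KRB5"}

def _der_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_encode_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def classify_raw_token(raw: bytes) -> Dict[str, Any]:
    """Say whether the decoded token is NTLM, a GSS-API token, or neither."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        msg_type = int.from_bytes(raw[8:12], "little")
        info: Dict[str, Any] = {
            "kind": "NTLM", "message": NTLM_MESSAGE_TYPES.get(msg_type, "unknown"),
            "advice": "browser sent NTLM, not Kerberos: use separate client and server "
                      "machines, put the site in IE's Intranet zone, check the HTTP/<fqdn> SPN"}
        if msg_type == 1 and len(raw) >= 40:
            flags = int.from_bytes(raw[12:16], "little")
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                # version field: major, minor, build (LE uint16), 3 reserved, revision
                info["client_os"] = "%d.%d build %d" % (
                    raw[32], raw[33], int.from_bytes(raw[34:36], "little"))
        return info
    if raw[:1] == b"\x60":
        _total, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:
            raise ValueError("GSS token without mechanism OID")
        oid_len, pos = _der_length(raw, pos + 1)
        oid = raw[pos:pos + oid_len]
        return {"kind": "GSS-API", "mechanism": MECH_NAMES.get(oid, "unknown OID " + oid.hex())}
    return {"kind": "unknown", "first_byte": raw[0] if raw else None}

def diagnose_authorization_header(header_value: str) -> Dict[str, Any]:
    """Accept a full Authorization header value such as 'Negotiate TlRM...'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not-negotiate", "scheme": scheme}
    return classify_raw_token(base64.b64decode(token))

def build_ntlm_negotiate(flags: int, version: Tuple[int, int, int]) -> bytes:
    """Constructed NTLM Type 1 (NEGOTIATE) message with empty domain/workstation fields."""
    major, minor, build = version
    return (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + flags.to_bytes(4, "little")
            + bytes(16) + bytes([major, minor]) + build.to_bytes(2, "little")
            + bytes(3) + b"\x0f")

def build_gss_token(mech_oid_der: bytes, inner: bytes) -> bytes:
    """Wrap a mechanism OID and inner token as an RFC 2743 InitialContextToken."""
    body = b"\x06" + _der_encode_length(len(mech_oid_der)) + mech_oid_der + inner
    return b"\x60" + _der_encode_length(len(body)) + body

# Constructed samples (not captured from a host). The NTLM one has the same layout as the
# 'Negotiate TlRMTVNTUAAB...' header above: flags 0xe2088297 and a 6.1 build 7600 version.
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    build_ntlm_negotiate(0xE2088297, (6, 1, 7600))).decode()
# A SPNEGO wrapper long enough to need a long-form length, like the 'YII...' tokens above.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(build_gss_token(
    SPNEGO_OID_DER, b"\xa0" + _der_encode_length(300) + bytes(300))).decode()
```

A quick first test is to look at the header in the browser's developer tools before touching the server config: a value starting with "TlRM" means the Kerberos side is never reached, so the keytab and SPN are not the place to start.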
Shashank Jain says:
Added on April 11th, 2011 at 11:20 pm
Is there a way for a web service client written in Java to generate SPNEGO tokens?
We need to be able to allow web services client to authenticate using the kerberos mechanism
Zoharat says:
Added on June 9th, 2011 at 4:18 pm
As per Mike, we must specify the fully qualified domain name when accessing our application.
In our case we do have the KDC_NAME=TSTVMWIN2K8R2.MARVEL.LOCAL and the REALM=MARVEL.LOCAL set as jvm properties.
But when we type in the full URL i.e http://TSTVMWIN2K8R2.MARVEL.LOCAL:9080/application/index.html we get a NT auth screen. Why???
James says:
Added on June 29th, 2011 at 11:31 am
I was looking at spnego.sourceforge.net last night and they have some really good comprehensive documentation & testing steps. Much of that can be applied here as it discusses the steps for setting up kerberos auth very well. Much of what they have there can be used here as well.
Stas says:
Added on July 4th, 2011 at 6:48 am
I am getting the following exception:
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
… 28 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
… 31 more
Caused by: KrbException: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – DES CBC mode with MD5
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:263)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
… 39 more
Savvas Andreas says:
Added on July 5th, 2011 at 8:54 am
@Stas this could be caused by a mismatch between the encoding type you used to generate the keytab file and the encoding specified in krb5.ini
Stas says:
Added on July 5th, 2011 at 12:55 pm
The exception occurs only if the client OS is Windows XP. If the OS is Windows 7 the application runs fine.
My keytab file encoding type is rc4-hmac. Does WinXP support it?
Stas says:
Added on July 6th, 2011 at 5:42 am
And also I have a trouble with Firefox 5:
network.negotiate-auth.delegation-uris = .example.com
network.negotiate-auth.trusted-uris = .example.com
Application runs and:
…
Filter 'springSecurityFilterChain' configured successfully
Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
Candidate is: '/index.jsp'; pattern is /**; matched=true
/index.jsp at position 1 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@38facfb'
No HttpSession currently exists
No SecurityContext was available from the HttpSession: null. A new one will be created.
/index.jsp at position 2 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4d8dfa76'
/index.jsp at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@243680c1'
/index.jsp at position 4 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@763f1179'
/index.jsp at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@26945b95'
/index.jsp at position 6 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5caccd65'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@90550640: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@7798: RemoteIpAddress: 10.99.22.52; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
/index.jsp at position 7 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@54e0d16b'
/index.jsp at position 8 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@73d4f355'
/index.jsp at position 9 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@21b38cdc'
Converted URL to lowercase, from: '/index.jsp'; to: '/index.jsp'
Candidate is: '/index.jsp'; pattern is /secure/**; matched=false
Public object – authentication not attempted
/index.jsp reached end of additional filter chain; proceeding with original chain
Chain processed normally
SecurityContext contents are anonymous – context will not be stored in HttpSession.
SecurityContextHolder now cleared, as request processing completed
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
/secure/index.jsp at position 1 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.context.SecurityContextPersistenceFilter@38facfb'
HttpSession returned null object for SPRING_SECURITY_CONTEXT
No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@962e703. A new one will be created.
/secure/index.jsp at position 2 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@4d8dfa76'
/secure/index.jsp at position 3 of 9 in additional filter chain; firing Filter: 'org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter@243680c1'
/secure/index.jsp at position 4 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.savedrequest.RequestCacheAwareFilter@763f1179'
/secure/index.jsp at position 5 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@26945b95'
/secure/index.jsp at position 6 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.authentication.AnonymousAuthenticationFilter@5caccd65'
Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 10.99.22.52; SessionId: 74B9B91130584184F9C203317F8F3A17; Granted Authorities: ROLE_ANONYMOUS'
/secure/index.jsp at position 7 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.session.SessionManagementFilter@54e0d16b'
/secure/index.jsp at position 8 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.ExceptionTranslationFilter@73d4f355'
/secure/index.jsp at position 9 of 9 in additional filter chain; firing Filter: 'org.springframework.security.web.access.intercept.FilterSecurityInterceptor@21b38cdc'
Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 10.99.22.52; SessionId: 74B9B91130584184F9C203317F8F3A17; Granted Authorities: ROLE_ANONYMOUS
Voter: org.springframework.security.access.vote.RoleVoter@3c2c7ac5, returned: 0
Voter: org.springframework.security.access.vote.AuthenticatedVoter@c303a60, returned: -1
Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:188)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:355)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:149)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:240)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:164)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:403)
at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:286)
at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:272)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:1730)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
DefaultSavedRequest added to Session: DefaultSavedRequest[http://example.com:8080/spring-security-kerberos-sample-1.0.0.M2/secure/index.jsp]
Calling Authentication entry point.
Sending back Negotiate Header for request: http://example.com:8080/spring-security-kerberos-sample-1.0.0.M2/secure/index.jsp
SecurityContextHolder now cleared, as request processing completed
I guess that Firefox should show the login form, but it doesn't…
Savvas Andreas says:
Added on July 6th, 2011 at 6:23 am
@Stas we had the exact same problem but in reverse order:
everything worked fine in XP environments but failed in Windows 7 ones..
After some investigation, we discovered that Windows 7 has dropped support for the DES option by default, and as we had been generating our keytab files using the DES-Only option the W7 workstations didn't like that..
As currently the number of our W7 users is limited, we just applied this patch http://technet.microsoft.com/en-us/library/ff646918(WS.10).aspx to all W7 machines and it fixed the problem.
Hope that helps,
Savvas.
Stas says:
Added on July 6th, 2011 at 9:28 am
@Savvas Andreas thank you very much
Java Coder says:
Added on July 12th, 2011 at 3:12 pm
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
How to fix it?
Thanks
Stas says:
Added on July 12th, 2011 at 4:40 pm
@Java Coder if you use Windows, your client and server should be separate machines. If you use AD, client and server should be in the same domain. Also you need to configure a client browser:
IE – http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/sso.html#1101398
Firefox – http://www.cgl.ucsf.edu/Security/CGLAUTH/CGLAUTH.html
Time on the client and on the server shouldn't differ strongly
PS I still have not solved the problem with Firefox (it doesn't work for me)
PPS Sorry for my terrible English
jk says:
Added on July 25th, 2011 at 12:03 pm
Is there a new milestone out there for the client side?
Tul says:
Added on September 21st, 2011 at 1:06 am
Hi,
I studied the entire discussion and I'm still getting 'GSSHeader did not find the right tag' followed by 'Negotiate TlRM…' which I believe means that the browser sends NTLM instead of Kerberos. KDC, App and client are all running on separate machines. Browsers look to be configured properly, kinit gets a ticket with no problem, keytab is generated, spn is set to HTTP/…
So what else could cause such problems?
KDC is running on WinServer 2003, app on WinXp and client on Win7.
ukdavo says:
Added on September 21st, 2011 at 3:27 am
What zone is the website in? Internet zone? Intranet zone? If the latter, NTLM will be used.
Tul says:
Added on September 21st, 2011 at 4:47 am
It's in intranet zone. The browser is IE9 but I also tried IE7, 6 and firefox
Tul says:
Added on September 21st, 2011 at 5:42 am
Now I tried to deploy app on linux tomcat and I get 'javax.security.auth.login.LoginException: Unable to obtain password from user' on server startup with no corresponding '[key] not available in [keytab]' message. Keytab is generated using java 1.5 ktab. I generated it in the same way previously on windows server and spring read the principals successfully.
Nick says:
Added on September 23rd, 2011 at 2:13 am
Hi,
Can anyone tell me where the repository was moved to? http://maven.springframework.org/milestone seems not to be working anymore… And is 1.0.0.M1 still the current version?
Thanks a lot for your responses.
Zoharat says:
Added on October 3rd, 2011 at 10:20 am
Tul,
Were you able to figure out why NTLM tokens were being generated? We have done all the verifications, i.e.
1>Server client on separate machines
2>Site listed in Intranet sites.
3>Using the URL as http://:/application
4>kinit also seems to work.
But still the header contains NTLM tokens.
Zoharat says:
Added on October 3rd, 2011 at 10:22 am
Tul,
Were you able to figure out why NTLM tokens were being generated? We have done all the verifications, i.e.
1>Server client on separate machines
2>Site listed in Intranet sites.
3>Using the URL as http://:/application
4>kinit also seems to work.
But still the header contains NTLM token.
Tul says:
Added on October 3rd, 2011 at 12:02 pm
Zoharat,
In my case it was a matter of a bad kvno in the keytab. Unfortunately I can't give you a recipe, as the admin fixed that, not me. He said that some kind of example app from Apache Kerberos helped him a lot, as it gives much better error information.
At least you have a hint.
Zoharat says:
Added on October 3rd, 2011 at 12:08 pm
So simply specifying a kvno value fixed the NTLM token issue you observed on Windows?
Aurelien says:
Added on October 10th, 2011 at 4:19 am
Could it be possible to use the Spring Security Kerberos Extension with multiple domains (on separate forests with a two-way forest trust) by merging keytab files?
Chau says:
Added on February 21st, 2012 at 3:38 am
I would be very grateful if anyone can help me with this.
Also, apologies in advance for my lack of experience.
I have just migrated my apps to Spring Framework 3.1.0 and Spring Security 3.1.0 as part of a technology refresh and an effort to add Kerberos authentication. I've followed all the very constructive help from this and other websites and got to the point of integrating spring-security-kerberos-core-1.0.0.M2.jar into my apps.
The problem I have now is that I am getting a NoClassDefFoundError (in the Tomcat log) indicating that it cannot find org.springframework.security.core.codec.Base64. Apparently this has been repackaged as org.springframework.security.crypto.codec.Base64.
I understand there is already a JIRA issue raised for this (SES-98), but it has remained open since 28/09/2011.
Does anyone have a solution or workaround that I can use?
Cheers
Chau
PS: I've tried creating a basic proxy class with the old package, but I get a java.lang.IllegalAccessError. Something to do with different class loaders and the classes being in different packages, I think.
Karthikeyan Vaithilingam says:
Added on March 20th, 2012 at 10:51 pm
Hi,
I configured everything and it's working as expected, but I need one more thing: if the browser can't do Kerberos, I want it to fall back to basic authentication like the SPNEGO servlet filter (http://spnego.sourceforge.net/) does. How can I achieve this?
Regards,
Karthikeyan V
Muammer Yucel says:
Added on March 28th, 2012 at 7:47 am
I also came up against this exception and solved it by changing the principal and re-creating the keytab file with ktpass. The SPN should be created according to the FQDN. That is exactly what you see as output of the nslookup command. For example, if the FQDN is server.domain.com, the principal should be HTTP/server.domain.com@domain.com, not HTTP/server@domain.com. Otherwise the KDC server sends an NTLM token instead of SPNEGO and the exception below is thrown. A SPNEGO token is something different from a token of this form: TlRMTVNT…
Good luck!
Muammer
WARNING: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:134)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:324)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:165)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:879)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
… 23 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
… 26 more
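A quick way to confirm what the posts above are describing, as an added example that is not part of the original thread or of the Spring Security extension: decode the Negotiate header and check whether it carries a raw NTLMSSP blob or a GSS-API InitialContextToken with the SPNEGO or Kerberos mechanism OID. The NTLM sample is the header value from the log quoted above; the SPNEGO and Kerberos samples are constructed here with placeholder bodies, and the OID constants are the standard values.

```python
import base64

# DER-encoded mechanism OIDs (standard values, without the 0x06 tag/length).
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)

# The Negotiate header value from the log posted above.
LOG_HEADER = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbAdAAAADw=="


def _der_len_encode(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_len_decode(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def gss_initial_token(mech_oid, body):
    """Build an RFC 2743 InitialContextToken: [APPLICATION 0] { OID, body }.
    Only used to construct sample tokens here; the body is not validated."""
    inner = b"\x06" + _der_len_encode(len(mech_oid)) + mech_oid + body
    return b"\x60" + _der_len_encode(len(inner)) + inner


def sample_header(mech_oid, body):
    """Return a 'Negotiate <base64>' header for a constructed GSS token."""
    return "Negotiate " + base64.b64encode(gss_initial_token(mech_oid, body)).decode()


def classify_negotiate(header_value):
    """Classify a 'Negotiate <base64>' header value as
    'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    # A raw NTLMSSP blob starts with 'N' (0x4e), not the 0x60 GSS header tag,
    # which is exactly what "GSSHeader did not find the right tag" complains about.
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if not token or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = _der_len_decode(token, 1)
        if token[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_len_decode(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (IndexError, ValueError):
        return "unknown"
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


def ntlm_message_type(header_value):
    """Return the NTLMSSP message type (1 Negotiate, 2 Challenge, 3 Authenticate)
    carried in the header, or None if the header is not NTLM."""
    if classify_negotiate(header_value) != "ntlm":
        return None
    token = base64.b64decode(header_value.strip().split(" ", 1)[1])
    return int.from_bytes(token[8:12], "little")


if __name__ == "__main__":
    print(classify_negotiate(LOG_HEADER), ntlm_message_type(LOG_HEADER))  # ntlm 1
    print(classify_negotiate(sample_header(SPNEGO_OID, b"\xa0\x00")))     # spnego
```

Paste the Authorization header value seen in a browser's developer tools or a packet capture into classify_negotiate. The log above decodes to an NTLMSSP Type 1 (Negotiate) message, so the client side chose NTLM before any Kerberos ticket reached the server; a GSS-API token, whether SPNEGO-wrapped or raw Kerberos, always begins with the 0x60 application tag.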
Seth says:
Added on September 19th, 2012 at 9:45 am
Does this Kerberos jar work with Spring 2.0? If yes, why am I getting a NoClassDefFoundError? If no, is there any way to configure Kerberos with Spring 2.0?
Thanks!
Jesper Knudsen says:
Added on September 25th, 2012 at 2:27 am
The library is broken with Spring Security 3.1.x due to the move of the Base64 class.
Please fix this
Thanks!
Kenny West says:
Added on October 16th, 2012 at 8:53 am
The Base64 issue is fixed. Get the latest source from Git and mvn package your own jar.
Shameer says:
Added on October 23rd, 2012 at 11:11 am
Is it possible to use the Spring Security Kerberos/SPNEGO Extension to make SOAP calls to a protected SOAP web service? Something like an integration of the Kerberos/SPNEGO Extension and Spring Web Services. Please advise.
shatk says:
Added on October 23rd, 2012 at 9:45 pm
Is it possible for the Spring Security Kerberos Extension to make SOAP calls to a Kerberos-protected service? Something like a kerberosInterceptor similar to Wss4jSecurityInterceptor?
Please advise.
Robert says:
Added on October 25th, 2012 at 1:50 am
I have got the same exception:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
I see someone has the same problem.
What if my client is not in the domain?
How can I solve it on the server machine?
Marco says:
Added on October 29th, 2012 at 6:31 am
Hello,
I have an interesting issue.
My app is running on host myhost.mydomain.com.
Users can access the application using either
http://myhost.mydomain.com:1234 or http://myapp.mydomain.com:1234, as we have DNS redirection in place.
I have enabled Kerberos on myhost.mydomain.com, and I have an SPN of HTTP/myhost.mydomain.com.
If I use Firefox and access http://myhost.mydomain.com:1234 or http://myapp.mydomain.com:1234, everything works fine.
If I use IE, I can only access my app using http://myhost.mydomain.com:1234, as I get "Kerberos validation not succesfull" when I use IE to open http://myapp.mydomain.com:1234.
I could create two SPNs, one for myhost.mydomain.com and another for myapp.mydomain.com, but KerberosTicketValidator allows only one service principal to be configured.
Could anyone assist here?
Regards,
Marco
Aurelien says:
Added on November 7th, 2012 at 8:56 am
Do you plan a new milestone for compatibility with Spring Security 3.1.3.RELEASE (including the Base64 issue in 1.0.0.M2)?
http://maven.springframework.org/milestone/org/springframework/security/extensions/spring-security-kerberos-core/
aaron says:
Added on December 5th, 2012 at 12:36 pm
Has anybody attempted to use the Kerberos extension with Java 7 yet? I had a working setup with Spring Security 3 and Java 6, but upgrading to 7 has started to give me:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level
(Mechanism level: Invalid argument (400) –
Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC)
errors. Most of the fixes found on the net don't appear to help me out so I'm wondering if someone knows of anything specific to the JVM that would cause such a problem?
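Several of the failures in this thread come down to what is actually in the keytab: Tul's turned out to be a wrong kvno, Muammer's a short-name rather than FQDN principal, and the "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC" error above means the acceptor found no rc4-hmac key it could use for the service principal. The following is an added example, not part of the thread or of the Spring Security extension: a parser for the MIT keytab format 0x0502 (the format written by ktab, ktutil and ktpass) plus a check for principal name, kvno and enctype. The sample keytab, its principals and its key bytes are constructed here; on a real file, compare the kvno it reports with what the MIT kvno tool returns for the SPN.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) to the names klist -k prints.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def keytab_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Serialize one keytab entry (format 0x0502)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit vno
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)            # optional 32-bit vno, as current tools write
    return struct.pack(">i", len(body)) + body  # size field excludes itself


def build_keytab(entries):
    """entries: iterable of (principal, kvno, enctype, key_bytes)."""
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)


def parse_keytab(data):
    """Parse a 0x0502 keytab into a list of dicts; deleted (negative-size) slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:  # the 32-bit vno, when present and non-zero, wins
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, f"enctype-{enctype}"),
                        "timestamp": timestamp, "key_len": len(key)})
    return entries


def check_keytab(data, principal, expect_kvno=None, expect_enctype=None):
    """Return a list of problems: principal missing, kvno mismatch, enctype missing."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        have = sorted({e["principal"] for e in entries})
        return [f"no key for {principal}; keytab holds {have}"]
    problems = []
    kvnos = sorted({e["kvno"] for e in mine})
    if expect_kvno is not None and expect_kvno not in kvnos:
        problems.append(f"kvno mismatch: keytab has {kvnos}, KDC issues tickets with kvno {expect_kvno}")
    if expect_enctype is not None and expect_enctype not in {e["enctype"] for e in mine}:
        have = sorted({e["enctype_name"] for e in mine})
        problems.append(f"no {ENCTYPES.get(expect_enctype, expect_enctype)} key; keytab has {have}")
    return problems


# Constructed sample (dummy key bytes): a short-name principal with an rc4-hmac key,
# and the FQDN principal with only an aes256 key at a different kvno.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/server@DOMAIN.COM", 3, 23, bytes(range(16))),
    ("HTTP/server.domain.com@DOMAIN.COM", 2, 18, bytes(range(32))),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']:<40} kvno {e['kvno']}  {e['enctype_name']}")
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/server.domain.com@DOMAIN.COM",
                       expect_kvno=3, expect_enctype=23))
```

Run it against a real file with open(path, "rb").read(); the three failure modes it reports (wrong principal form, kvno drift after a password reset or a re-run of ktpass, and a missing enctype) each produce a different server-side error, so checking the file directly is faster than guessing from the stack trace.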
Zoharat says:
Added on January 29th, 2013 at 12:42 pm
Has anybody attempted to use the Kerberos extension with Java 7 yet? I had a working setup with Spring Security 3 and Java 6, but upgrading to 7 has started to give me:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level
(Mechanism level: Invalid argument (400) –
Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC)
errors. Most of the fixes found on the net don't appear to help me out, so I'm wondering if someone knows of anything specific to the JVM that would cause such a problem?
Also, what is the isInitiator flag? The LoginModule in SunJaasKerberosTicketValidator sets it to false, but Java 7 seems to need it as true.
Also, is there a version which has the Base64 errors fixed?
When will we have a new release of the SPNEGO extension compatible with Java 7?