Comments on: Spring Security Kerberos/SPNEGO Extension http://blog.springsource.com/2009/09/28/spring-security-kerberos/ The voice of SpringSource Wed, 17 Mar 2010 12:25:56 -0500 http://wordpress.org/?v=2.8.5 hourly 1 By: ukdavo http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171477 ukdavo Wed, 03 Mar 2010 21:16:19 +0000 http://blog.springsource.com/?p=2756#comment-171477 @Clarence @norm I had similar problems but found that they disappeared when I changed the command parameters as per http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration. I also followed their suggestions re the "Use DES encryption types for this account" and "Do not require Kerberos preauthentication" options. I've no idea if this will help you but it seemed to work for me. @Clarence @norm

I had similar problems but found that they disappeared when I changed the command parameters as per http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration. I also followed their suggestions re the "Use DES encryption types for this account" and "Do not require Kerberos preauthentication" options. I've no idea if this will help you but it seemed to work for me.

]]> By: Clarence http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171474 Clarence Wed, 03 Mar 2010 17:54:52 +0000 http://blog.springsource.com/?p=2756#comment-171474 @norm - I had the same problem with Windows Server 2003, and the only solution that worked for me was ktab, as you described. Anybody know why this error occurs with the keytab produced by ktpass? @norm – I had the same problem with Windows Server 2003, and the only solution that worked for me was ktab, as you described.

Anybody know why this error occurs with the keytab produced by ktpass?

]]> By: norm http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171460 norm Tue, 02 Mar 2010 08:27:44 +0000 http://blog.springsource.com/?p=2756#comment-171460 Always got GSSException "Checksum failed" when validating Ticket sent back from Windows Server 2008 against Keytab file produced by ktpass. The only thing that worked for me was recreating keytab file with ktab.exe provided by JDK on windows installation Always got GSSException "Checksum failed" when validating Ticket sent back from Windows Server 2008 against Keytab file produced by ktpass. The only thing that worked for me was recreating keytab file with ktab.exe provided by JDK on windows installation

]]> By: Peter http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171388 Peter Tue, 23 Feb 2010 04:03:01 +0000 http://blog.springsource.com/?p=2756#comment-171388 Received Negotiate Header for request http://w0024e8db674a.oceania.corp.anz.com:8080/spring-security-kerberos-sample-1.0.0.M1/secure/index.jsp: Negotiate TlRMTV NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider Try to validate Kerberos Token Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65) at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86) at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127) at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49) at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) at java.lang.Thread.run(Thread.java:619) Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:396) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63) ... 22 more Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at sun.security.jgss.GSSHeader.(GSSHeader.java:80) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125) ... 25 more SecurityContextHolder now cleared, as request processing completed Received Negotiate Header for request http://w0024e8db674a.oceania.corp.anz.com:8080/spring-security-kerberos-sample-1.0.0.M1/secure/index.jsp: Negotiate TlRMTV
NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed

]]> By: Grant http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171387 Grant Tue, 23 Feb 2010 04:01:35 +0000 http://blog.springsource.com/?p=2756#comment-171387 I got this error: Received Negotiate Header for request : Negotiate TlRMTV NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider Try to validate Kerberos Token Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65) at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86) at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127) at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49) at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454) at java.lang.Thread.run(Thread.java:619) Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:396) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63) ... 22 more Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag) at sun.security.jgss.GSSHeader.(GSSHeader.java:80) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135) at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125) ... 25 more SecurityContextHolder now cleared, as request processing completed Any help? Thanks. I got this error:

Received Negotiate Header for request :
Negotiate TlRMTV
NTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
Try to validate Kerberos Token
Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogcABwA1AAAADQANACgAAAAFASgKAAAAD1cwMDI0RThEQjY3NEFPQ0VBTklB
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:849)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:454)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
… 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.(GSSHeader.java:80)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
… 25 more
SecurityContextHolder now cleared, as request processing completed

Any help? Thanks.

]]> By: ukdavo http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171293 ukdavo Tue, 09 Feb 2010 18:49:54 +0000 http://blog.springsource.com/?p=2756#comment-171293 Thanks Peter. I just spotted your advice on the Spring Extensions forum. Time to set up a new VM I guess! Thanks Peter. I just spotted your advice on the Spring Extensions forum. Time to set up a new VM I guess!

]]> By: Peter Mularien http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171292 Peter Mularien Tue, 09 Feb 2010 18:43:55 +0000 http://blog.springsource.com/?p=2756#comment-171292 @ukdavo "I'm running everything on a Windows Server 2003 VM that's been set up as a PDC." You MUST have the browser client on a separate machine, otherwise it will always use NTLM. @ukdavo
"I'm running everything on a Windows Server 2003 VM that's been set up as a PDC."
You MUST have the browser client on a separate machine, otherwise it will always use NTLM.

]]> By: Aaron Douglas http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171290 Aaron Douglas Tue, 09 Feb 2010 17:00:02 +0000 http://blog.springsource.com/?p=2756#comment-171290 Mike - How does this plugin work with a load-balanced environment? I've never used Kerberos before and I'd like to set this up on an app I'm running. The issue is, the app may be running on multiple servers. Can I have my sys admins add multiple service principals to the same Windows user, one for each fully qualified server name? What if all the servers are behind a single proxy load balancer? Thanks for your help! Mike – How does this plugin work with a load-balanced environment? I've never used Kerberos before and I'd like to set this up on an app I'm running. The issue is, the app may be running on multiple servers. Can I have my sys admins add multiple service principals to the same Windows user, one for each fully qualified server name? What if all the servers are behind a single proxy load balancer? Thanks for your help!

]]> By: ukdavo http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171286 ukdavo Tue, 09 Feb 2010 15:18:25 +0000 http://blog.springsource.com/?p=2756#comment-171286 @Arve - I created the krb5.ini so I've got a little further. It looks like IE is sending a NTLM token instead of a Kerberos token. I added the site into the Intranet zone so I'm not sure what's going on. Thanks for your help anyway. I'll keep Googling for an answer. @Arve – I created the krb5.ini so I've got a little further. It looks like IE is sending a NTLM token instead of a Kerberos token. I added the site into the Intranet zone so I'm not sure what's going on. Thanks for your help anyway. I'll keep Googling for an answer.

]]> By: ukdavo http://blog.springsource.com/2009/09/28/spring-security-kerberos/comment-page-1/#comment-171284 ukdavo Tue, 09 Feb 2010 11:27:46 +0000 http://blog.springsource.com/?p=2756#comment-171284 Thanks for your help. Using Spring Security 3.0.0 M2 seems to have helped in that I'm further than I was before. Unfortunately, I now get an IllegalArgumentException - it can't find the file C:\Windows\krb5.ini. This file doesn't exist - do I have to create one? I'm running everything on a Windows Server 2003 VM that's been set up as a PDC. Thanks for your help. Using Spring Security 3.0.0 M2 seems to have helped in that I'm further than I was before. Unfortunately, I now get an IllegalArgumentException – it can't find the file C:\Windows\krb5.ini. This file doesn't exist – do I have to create one? I'm running everything on a Windows Server 2003 VM that's been set up as a PDC.

]]>