Hi, I am trying to configure SSO using Java and Spring. For this I use this document: http://docs.spring.io/spring-security-kerberos/docs/1.0.0.RELEASE/reference/htmlsingle/
and the code from point 3, Spnego Negotiate. But it does not work. I get an error:
org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBuggZsMIIGaKADAgEFoQMCAQ6iBwMFACAAAACjggTtYYIE6TCCBOWgAwIBBaENGwtCSVVSTy5MT0NBTKIiMCCgAwIBAqEZMBcbBEhUVFAbD3ZtaS5iaXVyby5sb2NhbKOCBKkwggSloAMCARehAwIBDqKCBJcEggSTURM5n5gBXc6mVdBmyns4DHBkvw0gqD1GxkYQQx8dWb/upu5sopCPZoxsir970evZKg6/3iDSOyQuGDzjK1xl0Sqma+VNy4ZB9bA5RVCFMZqQT2poicYhaKQbkjazG6GeGUYh7NS91g9qqLXYXtI+jeoOPIDwMCAjaEuq4bRN/JqOIZFLinK2qwEM7h62kRVoqF48cxVHdG+chwLzHCSorp1+ZimU00nkdLk/WjDd88Om1K++735m2JsvGV4h5eSYiZ19fDF5fpbyDOMk4k2g26IuNeg8VNZhC2MjEi47IiteDu+gJKUopjmv1PZ26rtNL78Oawygcxk9F2uIBUoOsCX0S9Nl2aNjfzIxWPlQ0w4kwFCDmsdbzEHD7mfZhNIWQd0CJEhJ+6lrxAXGM7nq86kcFXVE/329G9/HiRtTrnHTwCF4AJCMt4im2OaEjFewgRQZwOqxT72/bGLsbOxYws6Qj0pVJhiXhmRDJiirfjXSzevMp1NANgrfQmlFD+W/d2lY8gPLNQmGGNwmY5TQcdngsxI7ALVB1v8acegka+9AxO3b+ElypvjePVbhZYH6t6AcJlwu4M7Kka94zDtA0ZTWBLmUCHEh8e470zMj+H8kUo6gKSDe+tOrtEjmlGHEiJbg2w/0BcpVUtBqmMTeq7Vf0UvGwBK7JZy6GdWJTDMYpJUD+8w9UEb+GTWCEDfboQcxCIs8ny6qKK8e92BvIrYgm2jAZM2y4VsOSdfPb21bYHhJybtDVvlLpAVlCY/L0NvcIgNWTdi8UCD7OfROCqqjU2B+eftR+1vmhzb7PT/tDm8TXHFcLyNE7W5W/Tp1ncRpq1T7nWbdmefZe8StyfcmxvOje1uMNShWNY3yJFFUUHKsxuz5mvH4tklaPFof7VW1PNTAqAimdCNRIBoWBg7FSKcBnsqOnJoNv8qpvN9nLDwOTlMt3aIREgUxFgLBx2kvU1GbsbhGk10MWZqz/23Xz8BKPmZrE4cTDyCUasKp+7VOkGLDtVtxnLM1vQE1AD8pDRRkrF/EaK3fTNvpsV2dTIzFjFSS89HOGTH8TuNMcnAfFJcn/FRgEI/BJQLDSNB3MRfR+2CwmOaB1rB+iYthTDnd965Y4GpKfE7PpYrYrPiXznZ+oG2JFt/KwGuPAp54x68PgbFNyi+g5fixfsn9o0iGo8UNn6XRNMpZT55jODkIEATZhDWIpPsDMvOnc0wIYZt2Trc0K+By/drx+hfMYNgFnLCoJZOIbjEEneYKbBdkxeVKjUrHILzucfYSu+Eq5He6r9fHTDkHOR23Bn7PmQGZQ8gu7zP7NQE7qvABA8Le4TPWmBGVmnZqYJKlyufFMUmIIuosx6Fe/pBV9+L+fMPuGcbUgFINvYWHavKk3fWWHyfS+bWhphZxoCQ59HpfvVQ4lCvAnd8c5s/tEVgD+1Sek84zRVh76cCsYa/6ybCNKeHveEJJGcZ6mX7KT3EVzByifgTskk1vieYIoPGCoB67x/h8gZDDXiFboSwNIrXCu2qL5WKuAAAr1eyfh6i+zQC5Nw1SoTggdFE0hmLeCqSCAWAwggFcoAMCAReiggFTBIIBT5hccN26LqNklPkMvzsPMEa1y0OIs/pZHZG8ZvCpgxLmu2wpPpt9F2hy+sXsBgI63x/ZzS6z6om
PMM8g1PdDjUQazYvSly3LKY7I/FX8sq1pRjtXqm0bG5UMk9pcB9t38jpYW/XwZvACJava+6kmyZxiK/jG8yMrsHokmEnIKUu7TPMgFxkBqJx7yZU63LYp55jlyX+eWnGYC533pjB1nsWMKy5uMUbYungzrj6qB/q4OMaUNmApNX0OSCPjNYOm0ruvA/A2F7ZuoBSkiztTWgRsuPQuyFE0cU1naqjmVllFEX8ThCXxYwjigU6Ms5mQ6HYddCXSFE5/LCSqafJAj4v3CNmefvUNez+dK/ibzPjiGGYQMaZHtrRgLtierTdAmelHIU8wkl5OOOePYLjqUMUVZMA3V+4Eb5nv1eyGI44ltdCNfJME/OEYecl+ICC1
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:165)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:152)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:456)
at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:205)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
My setup:
Server: Windows Server 2012 R2
Client: Windows 8.0
Java server: Tomcat 8 on Debian
All machines are in VirtualBox on an internal network only.
Windows server setup:
IP: 10.0.0.1
A DNS entry was added for vmi.biuro.local.
The SPN was also set for the account:
setspn -A HTTP/vmi.biuro.local vmi
The keytab file was generated with this command (on the Windows server); I also tried it without /kvno:
ktpass /out c:\wrzuta\vmi.keytab /mapuser vmi@BIURO.LOCAL /princ HTTP/vmi.biuro.local@BIURO.LOCAL /pass ZAQ!2wsx /ptype KRB5_NT_PRINCIPAL /crypto All /kvno 0
Tomcat Linux server:
IP: 10.0.0.3
On a Linux machine, I can use the keytab file for kinit:
root@debian:/
root@debian:/
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/vmi.biuro.local@BIURO.LOCAL
Valid starting Expires Service principal
17.07.2015 10:06:03 17.07.2015 20:06:03 krbtgt/BIURO.LOCAL@BIURO.LOCAL
renew until 18.07.2015 10:06:03
Client:
IP: 10.0.0.2
Internet Explorer.
When I log in through the "auth" HTML form, I get:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: grzesiek
principal is grzesiek@BIURO.LOCAL
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
Added server keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 4B 83 C0 91 5E E5 73 6E 01 3B 2C BC E9 56 DA B1 K...^.sn.;,..V..
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: D5 E3 D0 F4 19 7A FB 94 E6 E5 B0 2A C8 2C 75 1A .....z.....*.,u.
0010: 98 76 97 E3 70 9D A4 46 .v..p..F
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Added server keyKerberos Principal grzesiek@BIURO.LOCALKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 83 ED 52 4F AE E6 25 B9 40 6A B5 DE D4 7D 4A 21 ..RO..%.@j....J!
[Krb5LoginModule] added Krb5Principal grzesiek@BIURO.LOCAL to Subject
Commit Succeeded
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
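When SpnegoAuthenticationProcessingFilter logs "Negotiate Header was invalid", the first thing to check before touching the keytab is what the browser actually sent: a Kerberos ticket, or an NTLM token after a fallback. The script below is an added diagnostic, not code from the question or from Spring Security Kerberos. It decodes only the GSS-API/SPNEGO framing of a Negotiate header (the offered mechanism list and the type of the inner token), so it needs no keytab and decrypts nothing. As input it uses the first 128 characters of the header quoted in the question, which cover the whole mechTypes list and the start of the mechToken (the parser reads only the bytes it needs, so the truncated prefix is enough), plus a constructed NTLM Type 1 message for contrast.

```python
"""Decode the GSS-API / SPNEGO framing of an HTTP 'Negotiate' header value.

Added diagnostic for the question above; not code from the post or from
Spring Security Kerberos. Answers: did the browser send Kerberos or NTLM,
and which mechanism did it list first?
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # legacy Microsoft Kerberos OID
MECH_NAMES = {
    KRB5_OID: "Kerberos V5",
    MS_KRB5_OID: "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# RFC 4121 TOK_ID that follows the mechanism OID inside a Kerberos GSS token.
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "ERROR"}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# First 128 base64 characters (96 bytes) of the Negotiate header quoted in the
# question; the parser never reads past byte 95 of it.
PAGE_TOKEN_PREFIX = (
    "YIIGywYGKwYBBQUCoIIGvzCCBrugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGC"
    "NwICHgYKKwYBBAGCNwICCqKCBoUEggaBYIIGfQYJKoZIhvcSAQICAQBu"
)
# Constructed NTLM Type 1 (NEGOTIATE) message, what a browser sends when it
# falls back from Kerberos: signature, message type, flags, empty name fields.
NTLM_TYPE1 = base64.b64encode(
    b"NTLMSSP\x00" + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
).decode()


def read_tlv(buf, pos):
    """Parse the DER tag/length at buf[pos]; return (tag, length, offset of value)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F                          # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_oid(raw):
    """Dotted-decimal form of DER-encoded OID content bytes."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)     # base-128 arcs, high bit = continue
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def describe_mech_token(buf, pos):
    """Identify the inner mechanism token (Kerberos AP-REQ, NTLM, ...) by its header."""
    if buf[pos:pos + 8] == b"NTLMSSP\x00":
        msg_type = buf[pos + 8] if len(buf) > pos + 8 else 0
        return {"mech": "NTLMSSP", "tok_id": NTLM_TYPES.get(msg_type, "unknown")}
    tag, _, pos = read_tlv(buf, pos)          # 0x60 InitialContextToken
    if tag != 0x60:
        return {"mech": "unknown", "tok_id": None}
    _, ln, pos = read_tlv(buf, pos)           # mechanism OID
    oid = decode_oid(buf[pos:pos + ln])
    tok_id = KRB5_TOK_IDS.get(buf[pos + ln:pos + ln + 2], "unknown")
    return {"mech": MECH_NAMES.get(oid, oid), "tok_id": tok_id}


def inspect_negotiate(header_value):
    """Classify a Negotiate header: raw NTLM, raw Kerberos, or SPNEGO NegTokenInit."""
    raw = base64.b64decode(header_value)
    if raw.startswith(b"NTLMSSP\x00"):        # NTLM sent without SPNEGO wrapping
        return {"kind": "raw NTLM", "mech_types": [], "mech_token": None}
    tag, _, pos = read_tlv(raw, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, ln, pos = read_tlv(raw, pos)
    outer = decode_oid(raw[pos:pos + ln])
    pos += ln
    if outer in (KRB5_OID, MS_KRB5_OID):      # Kerberos token without SPNEGO
        tok = {"mech": MECH_NAMES[outer], "tok_id": KRB5_TOK_IDS.get(raw[pos:pos + 2], "unknown")}
        return {"kind": "raw Kerberos", "mech_types": [outer], "mech_token": tok}
    if outer != SPNEGO_OID:
        raise ValueError("unexpected mechanism %s" % outer)
    tag, _, pos = read_tlv(raw, pos)          # [0] NegTokenInit (0xA1 would be NegTokenResp)
    if tag != 0xA0:
        raise ValueError("SPNEGO token is not a NegTokenInit (tag 0x%02x)" % tag)
    _, _, pos = read_tlv(raw, pos)            # SEQUENCE
    _, _, pos = read_tlv(raw, pos)            # [0] mechTypes
    _, ln, pos = read_tlv(raw, pos)           # SEQUENCE OF MechType
    end, mech_types = pos + ln, []
    while pos < end:
        _, l2, pos = read_tlv(raw, pos)
        mech_types.append(decode_oid(raw[pos:pos + l2]))
        pos += l2
    mech_token = None
    if pos < len(raw):
        tag, ln, pos = read_tlv(raw, pos)
        if tag == 0xA1:                       # optional [1] reqFlags: skip it
            pos += ln
            tag, ln, pos = read_tlv(raw, pos)
        if tag == 0xA2:                       # [2] mechToken OCTET STRING
            _, _, pos = read_tlv(raw, pos)
            mech_token = describe_mech_token(raw, pos)
    return {"kind": "SPNEGO NegTokenInit", "mech_types": mech_types, "mech_token": mech_token}


if __name__ == "__main__":
    for label, value in (("question's header", PAGE_TOKEN_PREFIX), ("constructed NTLM", NTLM_TYPE1)):
        info = inspect_negotiate(value)
        print(label, "->", info["kind"])
        for oid in info["mech_types"]:
            print("   mechType:", oid, MECH_NAMES.get(oid, ""))
        print("   mechToken:", info["mech_token"])
```

On the header from the question the decode gives a NegTokenInit offering, in this order, MS Kerberos V5 (1.2.840.48018.1.2.2), Kerberos V5, NEGOEX and NTLMSSP, and the mechToken is a Kerberos V5 AP-REQ. So the browser did obtain a service ticket for the SPN and did not fall back to NTLM; whatever goes wrong happens on the accepting side (keytab, SPN or kvno not matching the ticket, or the acceptor's mechanism negotiation). To see the JDK's own view of that step, start Tomcat with -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true, and compare the principal, kvno and encryption types listed by klist -kte vmi.keytab on the Debian box with what the debug output reports for the incoming ticket.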