SPNEGO (No valid credentials provided)

Hello!

I am trying to integrate Kerberos SSO into the WebLogic platform.

Doing exactly as it is described here - http://dev2dev.bea.com.cn/techdoc/20060621823.html

My jaas config:

com.sun.security.jgss.initiate{

com.sun.security.auth.module.Krb5LoginModule required

principal="HTTP/wl.dev.org@DEV.ORG" useKeyTab=true

keyTab=/etc/krb5/mykeytab storeKey=true;

};

com.sun.security.jgss.accept{

com.sun.security.auth.module.Krb5LoginModule required

doNotPrompt=true

principal="HTTP/wl.dev.org@DEV.ORG" useKeyTab=true

keyTab=/etc/krb5/mykeytab storeKey=true;

};

JAVA_OPTIONS

JAVA_OPTIONS="-Dsun.security.krb5.debug=true -Dweblogic.StdoutDebugEnabled=true -Djava.security.krb5.realm=DEV.ORG -Djava.security.krb5.kdc=dc1.dev.org -Djava.security.auth.login.config=/etc/krb5/krb5Login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -DDebugSecurityAdjudicator=true -Dweblogic.debug.DebugSecurityAtn=true -Dweblogic.debug.DebugSecurityAtz=true"

Kerberos config

#

# kerberos conf for DEV.ORG realm

#

[libdefaults]

default_realm = DEV.ORG

default_tkt_enctypes = des-cbc-md5

default_tgs_enctypes = des-cbc-md5

ticket_lifetime = 600

[realms]

DEV.ORG = {

kdc = dc1.dev.org

kdc = dc2.dev.org

}

[domain_realm]

.dev.org = DEV.ORG

dev.org = DEV.ORG

[logging]

default = FILE:/var/krb5/kdc.log

kdc = FILE:/var/krb5/kdc.log

kdc_rotate = {

period = 1d

versions = 10

}

[appdefaults]

autologin = true

forward = true

forwardable = true

encrypt = true

kinit, klist... they all work without any errors.

Weird that no additional information is provided in the trace... no error codes :(

Service ticket is pushed to the workstation. When I try to log in, I see a Kerberos token is being sent; after some time the exception happens. Trace caused by exception:

####<Feb 27, 2007 2:16:27 PM EET> <Debug> <SecurityDebug> <wl> <examplesServer> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>

####<Feb 27, 2007 2:16:27 PM EET> <Debug> <SecurityDebug> <wl> <examplesServer> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:277)

at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)

at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)

at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)

at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)

at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:677)

at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:622)

at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)

at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)

at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)

at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)

at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3813)

at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2766)

at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)

at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)

Caused by: javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.accept

at javax.security.auth.login.LoginContext.init(LoginContext.java:189)

at javax.security.auth.login.LoginContext.<init>(LoginContext.java:404)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:56)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 21 more

>

####<Feb 27, 2007 2:16:27 PM EET> <Debug> <SecurityDebug> <wl> <examplesServer> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Exception weblogic.security.providers.utils.NegotiateTokenException: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

weblogic.security.providers.utils.NegotiateTokenException: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:419)

at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)

at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)

at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:677)

at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:622)

at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)

at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)

at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)

at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)

at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3813)

at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2766)

at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)

at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)

>

####<Feb 27, 2007 2:16:27 PM EET> <Debug> <SecurityDebug> <wl> <examplesServer> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>

Message was edited by:

technoplague

[9158 byte] By [technoplaguea] at [2007-11-26 19:48:23]
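
The innermost cause in the trace above, `No LoginModules configured for com.sun.security.jgss.accept`, is what `LoginContext` raises when the JAAS configuration the JVM loaded has no entry under that name. The following check is an added example, not part of the original post: it parses a login file with the JDK's own parser and reports whether both GSS entries resolve. It assumes a Java 7 or later JDK, and the class name `JaasEntryCheck` is hypothetical.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import java.io.File;
import java.security.URIParameter;

// Added diagnostic (not from the original post): load a JAAS login file with
// the JDK's file-based parser and report whether the GSS entries resolve.
public class JaasEntryCheck {
    // Entry names taken from the post's JAAS config and stack trace.
    static final String[] ENTRIES = {
        "com.sun.security.jgss.initiate",
        "com.sun.security.jgss.accept"
    };

    public static void main(String[] args) throws Exception {
        // Default is the path given by -Djava.security.auth.login.config in the post.
        String path = args.length > 0 ? args[0] : "/etc/krb5/krb5Login.conf";
        File file = new File(path);
        if (!file.canRead()) {
            System.err.println("UNREADABLE " + path + " (check path and OS user)");
            System.exit(2);
        }
        // "JavaLoginConfig" is the JDK's file-based Configuration type; a syntax
        // error in the file surfaces here as an exception instead of an empty config.
        Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(file.toURI()));

        boolean ok = true;
        for (String name : ENTRIES) {
            AppConfigurationEntry[] modules = cfg.getAppConfigurationEntry(name);
            if (modules == null || modules.length == 0) {
                System.out.println("MISSING " + name);
                ok = false;
                continue;
            }
            for (AppConfigurationEntry m : modules) {
                System.out.println("FOUND   " + name + " -> " + m.getLoginModuleName());
                // Report the keytab the module will use and whether it is readable.
                Object keyTab = m.getOptions().get("keyTab");
                if (keyTab != null) {
                    boolean readable = new File(keyTab.toString()).canRead();
                    System.out.println("        keyTab=" + keyTab + " readable=" + readable);
                    ok &= readable;
                }
            }
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as the same OS user as the server process. It checks the file itself, not whether the server JVM was actually started with the `-Djava.security.auth.login.config` option.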
# 1
Hi, Did you close all open instances of IE after changing the settings? This is required for the changes to take effect. Thanks, Vidya
VidyaVa at 2007-7-9 22:36:00
# 2
Hello, Vidya! Sure I did that. It's not the case. Please refer to the trace. Aleks
technoplaguea at 2007-7-9 22:36:00
# 3
Anybody, please?
technoplaguea at 2007-7-9 22:36:00