
kerberos / spnego


miten mehta

Oct 8, 2012, 8:21:02 AM
to kerb...@mit.edu
Hi,

I have attempted kerberos for SSO for web app using spring-security and have doubts.  would appreciate if one can take look at my post here and advise.

http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=426585#post426585

Regards,

Miten.

Booker Bense

Oct 8, 2012, 10:14:38 AM
to miten mehta, kerb...@mit.edu
If the software is really capable of doing SPNEGO, you should never
need to enter your password into the web application. That's the whole
point.
Most browsers need some configuration tweaks to enable SPNEGO, I think
only Explorer will do it out of the box. If the web app has
a valid keytab and support for SPNEGO, it should never need to talk to the KDC.

It looks like what is really happening is that the software is
attempting to use some form of basic auth where it requests a
username/password and uses kerberos to verify the password. The error
message you are seeing suggests that the kerberos library it's using
doesn't have proper support for PRE-AUTH (old version of Java?)

If you want support for kerberos in Java, you should be using at least
1.6. Most prior versions have very broken kerberos support.

If you're willing to live with username/pw on the web application,
then you'll likely have better luck using LDAP rather than kerberos.

- Booker C. Bense

miten mehta

Oct 9, 2012, 1:18:22 AM
to Booker Bense, kerb...@mit.edu
Hi Booker,

I am using Internet Explorer 9 and assume it should be configured already for spnego.  The webapp as such has to do some auth prompting so I guess it starts out doing jaas based basic auth.  I am just following pretty much the article at spring security and their samples.

http://blog.springsource.org/2009/09/28/spring-security-kerberos/

http://git.springsource.org/spring-security/se-security/trees/4f00f949bc13fd1588dda0053be35a55fd4fe93f/spring-security-kerberos/spring-security-kerberos-sample/src

I as such have kerberos working fine for ssh, rsh etc.


Regards,

Miten.


miten mehta

Oct 9, 2012, 1:21:26 AM
to Booker Bense, kerb...@mit.edu
Hi,

I am using jdk 1.7 on win 7 and jdk 1.6 on debian.

miten mehta

Oct 9, 2012, 8:54:47 AM
to Booker Bense, kerb...@mit.edu
Hi Booker,

The pre-auth log is related to
kinit -k -t /http-web.keytab

and not related to the actual web-based request.

Regards,

Miten.



Benjamin Kaduk

Oct 9, 2012, 5:21:31 PM
to miten mehta, kerb...@mit.edu
On Mon, 8 Oct 2012, miten mehta wrote:

> Hi Booker,
>
> I am using Internet Explorer 9 and assume it should be configured
> already for spnego.  The webapp as such has to do some auth prompting so
> I guess it starts out dong jaas based basic auth.  I am just following
> pretty much the article at spring security and their samples.

I've had a much easier time getting firefox to do SPNEGO than IE9.
If you are using an external kerberos (MIT or heimdal) you will need to
tell firefox to disable sspi (in about:config). Both IE and firefox need
to be told which sites they are permitted to use negotiate auth against,
though -- firefox has a negotiate.trusted-uris entry in about:config, and
IIRC IE needs hostnames configured to be in the local intranet zone.

In my own testing, I was only ever able to get IE9 to do SPNEGO if I
explicitly inserted the correct service ticket into the MSLSA cache
manually, or if the machine was joined to an AD domain.

-Ben Kaduk

miten mehta

Oct 10, 2012, 3:12:16 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi Benjamin,

I configured firefox for no sspi and also added domain primesystems.com to network.negotiate-auth.trusted-uris and then when I try reaching a page I get in catalina log:

192.168.1.225 - - [10/Oct/2012:12:30:33 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5


It shows nothing more.  I do not see any ticket sent from the browser to tomcat and no auth request made by tomcat to the kdc.

When I use IE with the setting of the host added to local intranet it no longer prompts for user/pass, but then the catalina logs show that it has an issue with the token:

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)


Regards,

Miten.


Richard E. Silverman

Oct 12, 2012, 9:48:28 PM
miten mehta <imi...@yahoo.com> writes:

> Hi Benjamin,
>
> I configured firefox for no sspi and also added domain primesystems.com to network.negotiate-auth.trusted-uris and then when I try reaching a page I get in catalina log:
>
> 192.168.1.225 - - [10/Oct/2012:12:30:33 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5
>
>
> It shows nothing more.  I do not see any ticket send from browser to tomcat and no auth request made by tomcat to kdc.
>
> When I use IE with setting of host added to local intranet it no more prompts for user/pass but then the catalina logs show that it has issue of token:
>
> Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

I suggest you use Wireshark on the client to capture the HTTP traffic, as well as Kerberos (port 88 TCP and UDP). Then extract the Negotiate header sent by the client in response to the authentication challenge (the "token" above) and decode it, to see what's there.

- Richard
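Richard's advice is the right first step, and it is worth knowing what the decoded token should look like before touching any more configuration. Every GSS-API initial context token (RFC 2743 section 3.1) starts with the DER tag [APPLICATION 0] (byte 0x60) followed by the mechanism OID; Java's "GSSHeader did not find the right tag" in Miten's earlier message means the bytes after "Negotiate " did not start that way. A bare NTLMSSP message, which Internet Explorer commonly sends when it could not obtain a Kerberos ticket for the host, begins with "NTLMSSP\0" instead (its base64 starts with "TlRMTVNT"). The following is an added example, not code from the thread or from Spring Security: it classifies the token in an Authorization header and, for SPNEGO, lists the mechanisms the client offered. The sample tokens are constructed here and no real credentials or KDC are involved.

```python
import base64

# GSS-API mechanism OIDs you will meet inside a Negotiate header.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"

def _der_len(buf, i):
    """Read a DER length at buf[i]; return (length, index where content starts)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_oid(body):
    """Decode OID content bytes (base-128 sub-identifiers) to dotted form."""
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def _spnego_mech_types(buf):
    """Walk [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    (RFC 4178 section 4.2.1) and return the mechanisms the client offered."""
    mechs, i = [], 0
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if i >= len(buf) or buf[i] != tag:
            return mechs
        length, i = _der_len(buf, i + 1)
    end = i + length
    while i < end and buf[i] == 0x06:
        oid_len, i = _der_len(buf, i + 1)
        mechs.append(_der_oid(buf[i:i + oid_len]))
        i += oid_len
    return mechs

def classify_token(token: bytes) -> dict:
    """Report what the browser actually sent: the framing Java's GSSHeader checks."""
    if token.startswith(b"NTLMSSP\x00"):
        # Bare NTLM with no GSS-API framing; its base64 starts with "TlRMTVNT".
        return {"kind": "raw NTLMSSP", "mechs": [],
                "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    try:
        if token[0] != 0x60:  # [APPLICATION 0] InitialContextToken, RFC 2743 3.1
            return {"kind": "no GSS-API InitialContextToken framing", "mechs": []}
        _, i = _der_len(token, 1)
        if token[i] != 0x06:
            return {"kind": "malformed: no mechanism OID after framing", "mechs": []}
        oid_len, i = _der_len(token, i + 1)
        oid = _der_oid(token[i:i + oid_len])
        mechs = _spnego_mech_types(token[i + oid_len:]) if oid == SPNEGO_OID else []
    except (IndexError, ValueError):
        return {"kind": "malformed: truncated DER", "mechs": []}
    return {"kind": MECH_OIDS.get(oid, "unknown mechanism"), "oid": oid,
            "mechs": [MECH_OIDS.get(m, m) for m in mechs]}

def classify_authorization_header(value: str) -> dict:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": f"not Negotiate (scheme {scheme!r})", "mechs": []}
    return classify_token(base64.b64decode(b64))

# ---- constructed sample tokens (hypothetical; no real credentials) ----------
def _der(tag, content):          # short-form lengths only; enough for samples
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))

def sample_spnego_init(mech_oids):
    """A NegTokenInit offering the given mechs (mechToken left out)."""
    mech_list = _der(0x30, b"".join(_oid(m) for m in mech_oids))
    return _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, _der(0x30, _der(0xA0, mech_list))))

def sample_negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

SAMPLE_NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x00" * 24

if __name__ == "__main__":
    print(classify_authorization_header(sample_negotiate_header(
        sample_spnego_init(["1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"]))))
    print(classify_authorization_header(sample_negotiate_header(SAMPLE_NTLM_TYPE1)))
```

Paste the base64 from the captured Authorization header into classify_authorization_header. A healthy SPNEGO request from a browser that holds a ticket lists "Kerberos V5" (usually both OIDs) in the offered mechanisms; a result of "raw NTLMSSP" or a mechanism list containing only NTLMSSP means the client never had a service ticket for the host, which is a client-side ticket or trusted-site problem rather than anything the keytab on the Tomcat side can fix.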

miten mehta

Oct 11, 2012, 1:13:02 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi Benjamin,

When I obtain kerberos credentials using Network Identity Manager on Win7 against the debian kdc I get a dialog that the kerberos 4 related credential was not fetched.  I see the ticket for krb5 in the manager.

The logs show below:
==> krb5kdc.log <==
Oct 11 10:28:19 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: NEEDED_PREAUTH: m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, Additional pre-authentication required
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: ISSUE: authtime 1349931500, etypes {rep=18 tkt=18 ses=18}, m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0,  m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, KDC has no support for encryption type
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0,  m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, KDC has no support for encryption type

sspi is I guess not really making any difference.  Whether I set it to false or true I see the below, wherein the principal is anonymousUser, maybe just created since it cannot find any passed.  I expect msm to be passed.

==> catalina.out <==
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /deny.xhtml; matched=false
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /**; matched=true
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
10:10:39 DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /secure/extreme/**; matched=false
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /supervisor_teller.xhtml; matched=true
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /supervisor_teller.xhtml; Attributes: [ROLE_TELLER, ROLE_SUPERVISOR]
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffffe21a: RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
10:10:39 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1531252, returned: -1
10:10:39 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@d7f248, returned: 0
10:10:39 DEBUG access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
10:10:39 DEBUG savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml]
10:10:39 DEBUG access.ExceptionTranslationFilter - Calling Authentication entry point.
10:10:39 DEBUG web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or anonymous - context will not be stored in HttpSession.
10:10:39 DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

Benjamin Kaduk <ka...@MIT.EDU> wrote on Thursday, October 11, 2012 1:24 AM:

> On Wed, 10 Oct 2012, miten mehta wrote:
>
> > Hi Benjamin,
> >
> > I configured firefox for no sspi and also added domain primesystems.com
>
> I do not remember seeing you specify what kerberos implementation you are using.  SSPI should only be disabled in some situations, and I don't know which situation you are in.
>
> -Ben Kaduk
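The krb5kdc.log lines in the post above carry more than they seem to at a glance, and they are the quickest way to confirm Booker's point that a working SPNEGO setup shows up on the KDC as a client fetching a ticket for the HTTP/ service principal, not as the web app contacting the KDC. The following is an added example, not code from the thread: a small parser for MIT krb5kdc.log request lines that explains each status and checks for the thing Miten says he never sees, a TGS_REQ for an HTTP/ principal. The sample input is the four lines posted above, with addresses masked as the list archive shows them. Reading the etype 1 (des-cbc-crc) requests as the Kerberos 4 compatibility path is an inference from the Network Identity Manager dialog, not something the thread confirms; the etype names follow MIT's numbering.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# MIT krb5 encryption type numbers -> names (subset relevant to the log above).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
SINGLE_DES = {1, 2, 3}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" appears in every status variant.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")


@dataclass
class KdcRecord:
    ts: str
    req: str
    etypes: List[int]
    addr: str
    status: str
    client: str
    server: str
    rest: str


def parse_line(line: str) -> Optional[KdcRecord]:
    """Parse one krb5kdc.log request line; return None for lines of other shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PRINC_RE.search(m["rest"])
    return KdcRecord(
        ts=m["ts"], req=m["req"],
        etypes=[int(x) for x in m["etypes"].split()],
        addr=m["addr"], status=m["status"],
        client=p["client"] if p else "", server=p["server"] if p else "",
        rest=m["rest"],
    )


def parse_log(text: str) -> List[KdcRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def http_service_requests(records, prefix="HTTP/"):
    """TGS_REQs for the web app's service principal; a browser doing SPNEGO
    must produce one of these before it has anything to put in a Negotiate header."""
    return [r for r in records if r.req == "TGS_REQ" and r.server.startswith(prefix)]


def assess(records) -> List[str]:
    """Turn the raw lines into findings a person can act on."""
    findings = []
    issued = {(r.addr, r.client) for r in records if r.status == "ISSUE"}
    for r in records:
        if r.status == "NEEDED_PREAUTH":
            done = (r.addr, r.client) in issued
            findings.append(f"{r.ts}: {r.client} from {r.addr}: NEEDED_PREAUTH is the normal "
                            f"first AS_REQ round trip; a TGT was "
                            f"{'then issued' if done else 'NOT issued'}")
        elif r.status == "BAD_ENCRYPTION_TYPE" and set(r.etypes) <= SINGLE_DES:
            names = ", ".join(ETYPE_NAMES.get(e, str(e)) for e in r.etypes)
            findings.append(f"{r.ts}: {r.req} from {r.addr} offered only single-DES etypes "
                            f"({names}); the KDC refuses these. Consistent with a krb4 "
                            "compatibility request, not with the browser's SPNEGO attempt")
    if not http_service_requests(records):
        findings.append("no TGS_REQ for an HTTP/ service principal: no client asked the KDC "
                        "for a ticket to the web app, so the browser had nothing to put in "
                        "a Negotiate header")
    return findings


# Sample input: the four lines posted in the thread, addresses masked as the
# list archive displays them.
SAMPLE_LOG = """\
Oct 11 10:28:19 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: NEEDED_PREAUTH: m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, Additional pre-authentication required
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: ISSUE: authtime 1349931500, etypes {rep=18 tkt=18 ses=18}, m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0,  m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, KDC has no support for encryption type
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0,  m...@PRIMESYSTEMS.COM for krbtgt/PRIMESYS...@PRIMESYSTEMS.COM, KDC has no support for encryption type
"""

if __name__ == "__main__":
    for f in assess(parse_log(SAMPLE_LOG)):
        print("-", f)
```

Run it against the live log while reloading the page in the browser: on a working setup a TGS_REQ from the client's address for HTTP/<tomcat host>@REALM appears just before Tomcat logs the Negotiate token, and nothing from the Tomcat host itself, since a server holding the keytab validates the ticket locally.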

miten mehta

Oct 10, 2012, 4:01:39 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi,

After adding log4j I can see some more debug info.

http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=427092&posted=1#post427092

I do not think the browser is sending a kerberos service ticket on behalf of the principal to tomcat.


Regards,

Miten.


Benjamin Kaduk

Oct 11, 2012, 11:47:39 AM
to miten mehta, kerb...@mit.edu
On Wed, 10 Oct 2012, miten mehta wrote:

> Hi,
>
> I am using MIT kerberos both on debian and windows downloaded from
> http://www.kerberos.org/software/index.html.

If you are using MIT Kerberos and want to do SPNEGO from Firefox on
windows, you must set network.auth.use-sspi to false, *and* set
network.negotiate-auth.trusted-uris to a (comma separated) list of sites
that you wish to use SPNEGO auth with.

-Ben Kaduk

miten mehta

Oct 11, 2012, 12:53:40 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi,

I am using MIT kerberos both on debian and windows downloaded from http://www.kerberos.org/software/index.html.

Regards,

Miten.

Benjamin Kaduk

Oct 10, 2012, 3:54:48 PM
to miten mehta, kerb...@mit.edu
On Wed, 10 Oct 2012, miten mehta wrote:

> Hi Benjamin,
>
> I configured firefox for no sspi and also added domain primesystems.com

I do not remember seeing you specify what kerberos implementation you are using.  SSPI should only be disabled in some situations, and I don't know which situation you are in.

-Ben Kaduk

miten mehta

Oct 12, 2012, 12:59:03 AM
to Benjamin Kaduk, kerb...@mit.edu
Hi Benjamin,

I have done the setup as you say below and I have posted my results to group too.

Regards,

Miten.
