
Problem getting SPNEGO working in WAS 6.1


stev...@axegroup.com.au
May 27, 2007, 11:03:06 PM
Hi,

I'm trying to get SPNEGO working with an application deployed to WAS 6.1.0.7, using MS Active Directory on Windows Server 2003 for authentication.

I have things working to the extent that the browser is returning a SPNEGO token to WAS, but it seems to be having trouble decrypting it:

[28/05/07 12:32:13:184 EST] 00000019 SystemOut O [JGSS_DBG_CTX] SPNEGO: convert the gss token to the mech specific token
[28/05/07 12:32:13:184 EST] 00000019 SystemOut O [JGSS_DBG_CTX] AuthenticatorCache, scope of bucket122
[28/05/07 12:32:13:184 EST] 00000019 SystemOut O [JGSS_DBG_CTX] ticket enc type = rc4-hmac
[28/05/07 12:32:13:200 EST] 00000019 SystemOut O [JGSS_DBG_CTX] Error authenticating request. Reporting to client
Major code = 13, Minor code = 0
org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cryptographic key type rc4-hmac not found
[28/05/07 12:32:13:200 EST] 00000019 SystemOut O [JGSS_DBG_CTX] SPNEGO: wrap the response data to a gss token
[28/05/07 12:32:13:200 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] mech DER=
[28/05/07 12:32:13:200 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: 06 09 2a 86 48 86 f7 12 01 02 02 ....H......

[28/05/07 12:32:13:200 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] inner token=
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: 03 00 7e 81 fb 30 81 f8 a0 03 02 01 05 a1 03 02 .....0..........

[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] asn1Encoded token=
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: 60 82 01 0b 06 09 2a 86 48 86 f7 12 01 02 02 03 ........H.......

[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_CTX] SPNEGO: target accept incomplete
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_CTX] SPNEGO: target select preferred mechanism
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] mech DER=
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: 06 06 2b 06 01 05 05 02 ........

[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] inner token=
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: a1 82 01 2d 30 82 01 29 a0 03 0a 01 01 a1 0b 06 ....0...........

[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] asn1Encoded token=
[28/05/07 12:32:13:216 EST] 00000019 SystemOut O [JGSS_DBG_MARSH] 0000: 60 82 01 39 06 06 2b 06 01 05 05 02 a1 82 01 2d ...9............

[28/05/07 12:32:13:216 EST] 00000019 Context E com.ibm.ws.security.spnego.Context begin CWSPN0011E: An invalid SPNEGO token has been encountered while authenticating a HttpServletRequest: 0000: 60820139 06062b06 01050502 a182012d `..9 ..+. .... ...-

I've left out the big hex dumps with the token content.

Is this an AD/KDC configuration problem? What do I need to do to get this working?

Any help would be appreciated.

Thanks
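To make sense of the JGSS_DBG_MARSH dumps in the post above: each "asn1Encoded token" is an RFC 2743 InitialContextToken, an [APPLICATION 0] wrapper holding a mechanism OID followed by a mechanism-specific inner token. The two OIDs in the trace are Kerberos V5 (1.2.840.113554.1.2.2) and SPNEGO (1.3.6.1.5.5.2). The Python below is an added example written for this thread, not code from WebSphere or the IBM JGSS library. It decodes the outer framing of the bytes shown in the log (the trace cuts each dump at 16 bytes, so the outer header from the "asn1Encoded token" line is joined to the matching "inner token" line) and reports which mechanism and which inner element the server emitted: the Kerberos token WAS wrapped is a KRB-ERROR, and the SPNEGO NegTokenResp carries negState accept-incomplete, which is what the "target accept incomplete" line says.

```python
"""Decode the outer framing of GSS-API / SPNEGO tokens as dumped by
JGSS_DBG_MARSH. Added example for this thread; not WebSphere or IBM code.
Only the leading bytes shown in the log are parsed, so the functions report
the mechanism and the first inner element rather than the full token."""

# Mechanism OIDs that appear in the thread's trace.
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
}
# Kerberos V5 GSS-API TOK_ID values (RFC 1964 / RFC 4121).
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
# SPNEGO negState values (RFC 4178).
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}


def read_length(buf, pos):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                      # base-128 sub-identifiers, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def spnego_neg_state(inner):
    """negState of a NegTokenResp ([1] SEQUENCE { [0] ENUMERATED ... }), or None."""
    try:
        if inner[0] != 0xA1:
            return None
        _, pos = read_length(inner, 1)
        if inner[pos] != 0x30:
            return None
        _, pos = read_length(inner, pos + 1)
        if inner[pos:pos + 4] == b"\xa0\x03\x0a\x01":
            return NEG_STATES.get(inner[pos + 4], "unknown")
    except IndexError:
        return None
    return None


def parse_gss_token_prefix(token):
    """Parse [APPLICATION 0] { OID, inner } per RFC 2743 section 3.1."""
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    total_len, pos = read_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("expected mechanism OID after outer tag")
    oid_len, pos = read_length(token, pos + 1)
    oid = decode_oid(token[pos:pos + oid_len])
    pos += oid_len
    info = {"token_length": total_len, "mech_oid": oid,
            "mech": KNOWN_MECHS.get(oid, "unknown"), "inner": None, "neg_state": None}
    rest = token[pos:]
    if info["mech"] == "Kerberos V5" and len(rest) >= 2:
        info["inner"] = KRB5_TOK_IDS.get(bytes(rest[:2]), "unknown TOK_ID")
    elif info["mech"] == "SPNEGO" and rest:
        info["inner"] = {0xA0: "NegTokenInit", 0xA1: "NegTokenResp"}.get(rest[0], "unknown")
        info["neg_state"] = spnego_neg_state(rest)
    return info


# Bytes copied from the dumps in the post above: outer header up to the end of
# the OID, followed by the first 16 bytes of the matching "inner token" dump.
KRB_RESPONSE = bytes.fromhex(
    "60 82 01 0b 06 09 2a 86 48 86 f7 12 01 02 02"
    "03 00 7e 81 fb 30 81 f8 a0 03 02 01 05 a1 03 02")
SPNEGO_RESPONSE = bytes.fromhex(
    "60 82 01 39 06 06 2b 06 01 05 05 02"
    "a1 82 01 2d 30 82 01 29 a0 03 0a 01 01 a1 0b 06")

if __name__ == "__main__":
    for name, tok in (("mech token", KRB_RESPONSE), ("spnego token", SPNEGO_RESPONSE)):
        print(name, parse_gss_token_prefix(tok))
```

The declared lengths check out against the trace: the Kerberos token's 267 bytes are 11 bytes of OID TLV, 2 bytes of TOK_ID and a 254-byte KRB-ERROR; the SPNEGO token's 313 bytes are 8 bytes of OID TLV plus a 305-byte NegTokenResp. Seeing a KRB-ERROR inside the mech token is the decoder-side confirmation that the acceptor failed before any session key was established.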

Paul Ilechko
May 28, 2007, 9:01:52 AM
stev...@axegroup.com.au wrote:
> Hi,
>
> I'm trying to get SPNEGO working with an application deployed to WAS 6.1.0.7, using MS Active Directory on Windows Server 2003 for authentication.
>
> I have things working to the extent that the browser is returning a SPNEGO token to WAS, but it seems to be having trouble decrypting it:

> org.ietf.jgss.GSSException, major code: 13, minor code: 0


> major string: Invalid credentials
> minor string: Cryptographic key type rc4-hmac not found

this looks like it may be important ...

from the WAS infocenter:

# What type of encryption is to be used to process the SPNEGO tokens?
Microsoft Windows Active Directory supports two different Kerberos
encryption types: RC4-HMAC and DES-CBC-MD5. The IBM Java Generic
Security Service (JGSS) library (and SPNEGO library) support both of
these encryption types.
Restriction: RC4-HMAC encryption is only supported with a Windows 2003
Server key distribution center (KDC). RC4-HMAC encryption is not
supported when using a Windows 2000 Server as a Kerberos KDC.

Are you sure that WAS is using a Win 2003 KDC?

> Is this a AD/KDC configuration problem? What do I need to do to get this working?

Either that or a WAS config problem. Did you do all the following:

1. Create a user account in a Microsoft Active Directory. This
account will be mapped to the Kerberos service principal name (SPN).
2. On the Microsoft Active Directory where the Kerberos key
distribution center (KDC) is active, map the user account to the
Kerberos service principal name (SPN). This user account represents the
WebSphere Application Server as being a Kerberize'd service with the
KDC. Use the setspn tool to establish WebSphere Application Server as
the user. This user account is not the account name of the user. More
information about the setspn tool can be found here, Windows 2003
Technical Reference (setspn command)
3. On the Microsoft Active Directory where the Kerberos key
distribution center (KDC) is active, create the Kerberos keytab file and
make it available to WebSphere Application Server. Use the ktpass tool
to create the Kerberos keytab file (krb5.keytab). Windows 2003 Technical
Reference (Kerberos keytab file and ktpass command) provides more
information on creating the Kerberos keytab file.
4. Configure and enable the application server and the associated
SPNEGO TAI using the administrative console or using the wsadmin command
to perform command tasks. See Configuring SPNEGO TAI in WebSphere
Application Server .
5. Select Lightweight Third-Party Authentication (LTPA) as the
authentication mechanism. See Configuring the Lightweight Third Party
Authentication mechanism .
6. Install the Kerberos keytab file (krb5.keytab). That is, copy the
krb5.keytab file (created in step 3) from the LDAP machine to the
WebSphere Application Server machine.
7. Update the associated Kerberos configuration (krb5.conf ).
8. Configure JVM properties and enable SPNEGO TAI in each
application server in which it is defined. See Configuring JVM
properties and enabling SPNEGO TAI in WebSphere Application Server .

Steve Coy
May 28, 2007, 11:00:24 AM
> > org.ietf.jgss.GSSException, major code: 13, minor code: 0
> > major string: Invalid credentials
> > minor string: Cryptographic key type rc4-hmac not found
>
> this looks like it may be important ...
>
> from the WAS infocenter:
>
> # What type of encryption is to be used to process the SPNEGO tokens?
> Microsoft Windows Active Directory supports two different Kerberos encryption types: RC4-HMAC and DES-CBC-MD5. The IBM Java Generic Security Service (JGSS) library (and SPNEGO library) support both of these encryption types.
> Restriction: RC4-HMAC encryption is only supported with a Windows 2003 Server key distribution center (KDC). RC4-HMAC encryption is not supported when using a Windows 2000 Server as a Kerberos KDC.
>
> Are you sure that WAS is using a win 2003 KDC ?
>

I'll double check this, but I thought that the browser enlisted the aid of the KDC to generate the token in the first place?

> > Is this a AD/KDC configuration problem? What do I need to do to get this working?
>
> Either that or a WAS config problem. Did you do all the following:
>

Yes. I RTFM'd and followed the documented procedure as summarised by you. It took a while to get to this point as there is plenty of scope for mistakes. (for example the property that denotes the location of the krb5.ini file doesn't seem to be tolerant to spaces in the pathname).

For what it's worth, I have not been able to get the kinit utility provided by the IBM JRE to create a ticket for me either - but that may be because I was running it from the same machine as WAS (and therefore the same SPN). I've been testing with a remote browser, as running the browser from the WAS machine (aka my development desktop) also doesn't work - the browser insists on using NTLM in this scenario.


Paul Ilechko
May 28, 2007, 11:41:58 AM

Yes, I think you are correct; I'm not a SPNEGO expert.

>>> Is this a AD/KDC configuration problem? What do I need to do to get this working?
>>
>> Either that or a WAS config problem. Did you do all the following:
>>
>
> Yes. I RTFM'd and followed the documented procedure as summarised by you. It took a while to get to this point as there is plenty of scope for mistakes. (for example the property that denotes the location of the krb5.ini file doesn't seem to be tolerant to spaces in the pathname).
>
> For what it's worth, I have not been able to get the Kinit utility provided by the IBM JRE to create a ticket for me either - but that maybe because I was running it from the same machine as WAS (and therefore the same SPN). I've been testing with a remote browser, as running the browser from the WAS machine (aka my development desktop) also doesn't work - the browser insists on using NTLM in this scenario.
>
>

I would try opening a PMR. If that doesn't give you any useful
assistance, email me offline, I'll find you a contact who can help.

Daniel Garcia
May 29, 2007, 10:16:30 AM
Hi,

Steve, you must create the certificate using RC4; I read that Windows 2003 Server has a bug and only supports this format!

Revise your krb5.conf or use the wsadmin command createKrbConfigFile to create the file.

In the Redbook IBM WebSphere Application Server V6.1 Security Handbook (SG24-6316) you can find a lot of information, but for me it is confusing.

I have the same architecture and I get a very similar error, org.ietf.jgss.GSSException, major code: 11, minor code: 0. Any help?

When I created the SPN, I mapped the SPN to the machine, not with a user.


Regards,
Dani


Steve Coy
May 30, 2007, 8:33:06 PM
I have resolved this particular issue.

The Active Directory administrator had the Windows 2000 version of ktpass.exe in his path before the Windows 2003 version. Therefore the keytab was generated with the wrong version of ktpass.exe.

Now it's decrypting and getting a checksum error:

[30/05/07 14:08:57:673 EST] 0000001b SystemOut O [KRB_DBG_CRYP] Rc4HMac:WebContainer : 0: 0000: a2 96 70 3b 44 26 dd 32 0b 73 59 ce e4 65 cb 95 ..p.D..2.sY..e..

[30/05/07 14:08:57:673 EST] 0000001b SystemOut O [KRB_DBG_CRYP] Rc4HMac:WebContainer : 0: 0000: 26 2c 43 0d 52 e1 d1 c2 40 3c 89 17 d9 ab 1b f7 ..C.R...........

[30/05/07 14:08:57:673 EST] 0000001b SystemOut O [KRB_DBG_CRYP] Rc4HMac:WebContainer : 0: Checksum arrays = [B@12241224 newchecksum:[B@12cc12cc
[30/05/07 14:08:57:673 EST] 0000001b SystemErr R com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: Checksum error; received checksum does not match computed checksum
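The root cause above was a keytab written by the wrong ktpass, so the service key WAS loaded did not match the rc4-hmac ticket the KDC issued. A check worth running before pointing WAS at a new keytab is to list the encryption types the keytab holds for the SPN and compare them with the "ticket enc type" line in the JGSS trace. The Python below is an added example for this thread, not code from WebSphere, the IBM JRE or ktpass: it writes and reads the MIT keytab format (version 0x0502, the format ktpass produces), then answers whether a ticket of a given enctype could be decrypted with that keytab. The SPN, realm and key bytes are constructed placeholders; the DES-only keytab stands in for one that lacks the KDC's ticket enctype.

```python
"""List the enctypes a keytab holds for a service principal and check them
against the ticket enctype the KDC used. Added example for this thread;
not WebSphere, IBM JRE or ktpass code. Principal, realm and key bytes are
constructed placeholders."""
import struct

# RFC 3961 / RFC 4757 etype numbers for the types named in the thread, plus AES.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}


def _counted(data):
    """Keytab 'counted octet string': uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise [(principal, kvno, enctype, key)] as a version-2 (0x0502) keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name_type 1 (NT-PRINCIPAL), timestamp 0, 8-bit kvno, then the keyblock.
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _take_counted(buf, off):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    return buf[off:off + n].decode(), off + n


def read_keytab(data):
    """Parse a version-2 keytab into dicts with principal, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _take_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _take_counted(entry, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", entry[off:off + 9])
        off += 9
        enctype, klen = struct.unpack(">HH", entry[off:off + 4])
        off += 4 + klen                     # skip the key material itself
        kvno = vno8
        if off + 4 <= len(entry):           # optional 32-bit kvno trailer
            (kvno,) = struct.unpack(">I", entry[off:off + 4])
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype)})
    return entries


def enctypes_for(keytab, principal):
    """Names of the key types the keytab holds for one principal, in file order."""
    return [e["enctype_name"] for e in read_keytab(keytab) if e["principal"] == principal]


def can_decrypt_ticket(keytab, principal, ticket_enctype):
    """True if the keytab has a key of the type the KDC used for the service ticket."""
    return ticket_enctype in enctypes_for(keytab, principal)


SPN = "HTTP/was.example.com@EXAMPLE.COM"            # constructed placeholder SPN
DUMMY_DES = bytes(range(8))                         # constructed, not a real key
DUMMY_RC4 = bytes(range(16))                        # constructed, not a real key

# Keytab with only a DES key: stands in for one lacking the KDC's ticket enctype.
KEYTAB_DES_ONLY = build_keytab([(SPN, 2, ENCTYPE_IDS["des-cbc-md5"], DUMMY_DES)])
# Keytab carrying both types; the rc4-hmac key is what the trace above was missing.
KEYTAB_WITH_RC4 = build_keytab([(SPN, 2, ENCTYPE_IDS["des-cbc-md5"], DUMMY_DES),
                                (SPN, 2, ENCTYPE_IDS["rc4-hmac"], DUMMY_RC4)])

if __name__ == "__main__":
    for label, kt in (("des-only", KEYTAB_DES_ONLY), ("with-rc4", KEYTAB_WITH_RC4)):
        print(label, enctypes_for(kt, SPN),
              "rc4-hmac ticket decryptable:", can_decrypt_ticket(kt, SPN, "rc4-hmac"))
```

On a real keytab, pass the file's bytes to enctypes_for with the SPN from the trace; a JRE keytab tool such as ktab -l, or MIT klist -k, shows the same listing. A mismatch between the listed types and the "ticket enc type" line points at the keytab (or at which ktpass produced it) rather than at the browser or the TAI configuration.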
