Hi,
I am trying to do Kerberos authentication with Http Commons and face the
following problem:

If I set useSubjectPrincipals=false in my properties, then I am
prompted for the username and password for the Kerberos authentication
and it succeeds.
But if I try to use the Subject's credentials by setting the flag to
true, I get the error below.

I don't want to be prompted for the password and hence I use Subject
credentials for doing the authentication.
Is there a way, using GSS-API, to set a callback handler so that I am not
prompted for the username/password? That will eliminate the need for
doing a login and running with Subject credentials?
Please do tell me what's wrong. I am attaching all the code and config
files.

Thanks,
Pankaj Arora






Error:
Aug 15, 2007 11:24:53 AM org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: Negotiate authentication scheme selected
Aug 15, 2007 11:24:53 AM NegotiateScheme authenticate
INFO: host: vm1-apache-01.castiron.corp
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is true clearPass is false
Kerberos username [parora]: Kerberos password for admin/admin:
[Krb5LoginModule] user entered username: admin/admin

Acquire TGT using AS Exchange
principal is admin/[EMAIL PROTECTED]
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 52 2F 6B 6E 6D A4 FB
B5   
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 52 2F 6B 6E 6D A4 FB
B5   
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: F8 59 C2 60 12 D1 EC
EC   67 D2 9C BD F5 D2 31 58  .Y.`....g.....1X

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 20 45 BF B6 68 EF C4
BA   08 FB 9E 62 EC 1A BF F4   E..h......b....
0010: B6 C1 FD 23 13 5E F4 CE   
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 4C EC D1 40 65 27 FA
65   FA 2C 04 6A 0C 6B DB 6D  [EMAIL PROTECTED]'.e.,.j.k.m

Commit Succeeded
Subject is :Subject:
        Principal: admin/[EMAIL PROTECTED]
        Private Credential: Ticket (hex) = 

Client Principal = admin/[EMAIL PROTECTED]
Server Principal = krbtgt/[EMAIL PROTECTED]
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: C2 E0 6B A8 D3 92 85 FD   

Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Aug 15 11:24:53 PDT 2007
Start Time = Wed Aug 15 11:24:53 PDT 2007
End Time = Thu Aug 16 11:24:53 PDT 2007
Renew Till = null
Client Addresses  Null 

Authenticated principal:**** [admin/[EMAIL PROTECTED]
Performing secure action ...
Context is:class sun.security.jgss.GSSContextImpl
Aug 15, 2007 11:24:53 AM NegotiateScheme authenticate
SEVERE: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Aug 15, 2007 11:24:53 AM org.apache.commons.httpclient.HttpMethodDirector authenticate
SEVERE: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
org.apache.commons.httpclient.auth.CredentialsNotAvailableException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at NegotiateScheme.authenticate(NegotiateScheme.java:321)
        at org.apache.commons.httpclient.HttpMethodDirector.authenticateHost(HttpMethodDirector.java:281)
        at org.apache.commons.httpclient.HttpMethodDirector.authenticate(HttpMethodDirector.java:233)
        at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:169)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
        at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
        at CustomAuthenticationNegotiateExample_new.main(CustomAuthenticationNegotiateExample_new.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at NegotiateScheme.authenticate(NegotiateScheme.java:312)
        ... 6 more
Aug 15, 2007 11:24:53 AM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: Failure authenticating with NEGOTIATE <any realm>@vm1-apache-01.castiron.corp:80
HTTP/1.1 401 Authorization Required
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.2 (Fedora) Server at vm1-apache-01.castiron.corp Port 80</address>
</body></html>
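
The non-interactive login asked about above, as an added example that is not part of the original post or of Commons HttpClient: a JAAS CallbackHandler answers Krb5LoginModule's name and password callbacks, and the GSS-API call then runs as the logged-in Subject. The class and method names and the KRB5_PASSWORD variable are hypothetical; it assumes a JAAS entry that uses Krb5LoginModule, a working krb5 configuration and a reachable KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class NonInteractiveNegotiate {
    /** Answers Krb5LoginModule's name/password callbacks from memory, not the console. */
    static final class FixedCredentials implements CallbackHandler {
        private final String principal;
        private final char[] password;
        FixedCredentials(String principal, char[] password) {
            this.principal = principal;
            this.password = password.clone();
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
        void wipe() { Arrays.fill(password, '\0'); }
    }

    /** Logs in without prompting, then creates the first Kerberos token as that Subject. */
    static byte[] firstToken(String jaasEntry, FixedCredentials creds, String host) throws Exception {
        LoginContext lc = new LoginContext(jaasEntry, creds);
        try { lc.login(); } finally { creds.wipe(); }
        Subject subject = lc.getSubject();
        // The GSS calls run inside doAs so the provider looks for the TGT in this Subject.
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName server = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos v5 mechanism
            GSSContext ctx = mgr.createContext(server, krb5, null, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0);
        });
    }

    public static void main(String[] args) throws Exception {
        // args: <JAAS entry> <principal> <host>; KRB5_PASSWORD is a hypothetical variable name.
        char[] pw = System.getenv("KRB5_PASSWORD").toCharArray();
        byte[] token = firstToken(args[0], new FixedCredentials(args[1], pw), args[2]);
        Arrays.fill(pw, '\0');
        System.out.println("first token: " + token.length + " bytes");
    }
}
```

On JDK 18 and later, Subject.callAs is the replacement for the deprecated Subject.doAs.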


