Author:
Henk-Jan
Message:
We're trying to configure an application using Kerberos authentication.
Invoking the service fails with the following error message:
security.wssecurity.WSSContextImpl.s02:
com.ibm.websphere.security.WSSecurityException: Exception
org.apache.axis2.AxisFault: CWWSS6521E: The Login failed because of an
exception: javax.security.auth.login.LoginException: CWWSS7212E: Cannot verify
security context token using the reference information from the derived key
token element ocurred while running action:
com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler$1@37fa37fa
We're using WAS version 7.0.0.19 and a WCF client to access the service.
Analysing the logfile, we conclude:
- the specified keytab file is being found and used (SPN
HTTP/rs6sv303.office01.internalcorp@office01.internalcorp.net)
- the Kerberos user identity is correctly determined (eo30021)
However, there are some strange error messages we cannot explain:
6/13/12 15:21:06:958 CEST 002d TokenHolder
setInboundTokenToContext(TGSAuthToken newtoken, MessageContext messageContext)
Entry
6/13/12 15:21:06:958 CEST 002d TokenHolder 3 The operation context is
NULL!!!
and
6/13/12 15:21:06:993 CEST 002d DKTConsumeLog initialize(Subject subject,
CallbackHandler handler, Map sharedState, Map options) Entry
6/13/12 15:21:06:993 CEST 002d WSSAuditServi
isEventRequired(WSSAuditService.WSSAuditEventType eventTypeSECURITY_AUTHN,
WSSAuditService.WSSAuditOutcome outcomeSUCCESS,
Map<Object, Object> context) Entry
6/13/12 15:21:06:993 CEST 002d WSSAuditServi 3 Usage error, context
should not be null
6/13/12 15:21:06:993 CEST 002d WSSAuditServi isRequired returns: false
Exit
Can anybody point me in a direction where I should look for a solution to
this error message?
Thanks,
Henk-Jan.
The logfile contains much more information which I won't include right away,
but I think this part is the most relevant part:
6/13/12 15:21:06:941 CEST 002d KRBSPNList KRBSPNList() Entry
6/13/12 15:21:06:941 CEST 002d KRBSPNList loadProvSPN() Entry
6/13/12 15:21:06:941 CEST 002d KRBSPNList getKeyTabEntries() Entry
6/13/12 15:21:06:942 CEST 002d KRBSPNList3 Obtained KeyTab Instance
6/13/12 15:21:06:942 CEST 002d KRBSPNList3 kverno 4 spn
HTTP/rs6sv303.office01.internalcorp@office01.internalcorp.net
6/13/12 15:21:06:944 CEST 002d KRBSPN KRBSPN() Entry
6/13/12 15:21:06:944 CEST 002d KRBSPN KRBSPN() Exit
6/13/12 15:21:06:944 CEST 002d KRBSPN setSPN(name, realm) Entry
6/13/12 15:21:06:944 CEST 002d KRBSPN setSPN(name, realm) Exit
6/13/12 15:21:06:944 CEST 002d KRBSPN KRBSPN() Entry
6/13/12 15:21:06:944 CEST 002d KRBSPN KRBSPN() Exit
6/13/12 15:21:06:944 CEST 002d KRBSPNList3 Custom SPN added to
listhttp://HTTP/rs6sv303.OFFICE01.INTERNALCORP.NET
6/13/12 15:21:06:944 CEST 002d KRBSPNList getKeyTabEntries() Exit
6/13/12 15:21:06:945 CEST 002d KRBSPNList loadProvSPN() Exit
6/13/12 15:21:06:945 CEST 002d KRBSPNList KRBSPNList() Exit
6/13/12 15:21:06:945 CEST 002d KRB5Util
isSubKeyEncTypeSupported()... Entry
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 CONTEXT_SUB_KEY_ENC: 23
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 CONTEXT_SUB_KEY_ENC:
java.lang.Integer
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 Current Kerberos subkey
encryption type value: 23
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 Current Kerberos subkey
encryption type: rc4-hmac
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 Kerberos encryption type:
rc4-hmac is tolerated.
6/13/12 15:21:06:946 CEST 002d KRB5Util 3 Supported Kerberos sub key
encryption type in Web services security: aes128-cts-hmac-sha1-96 ,
aes256-cts-hmac-sha1-96, des3-cbc-sha1
6/13/12 15:21:06:946 CEST 002d KRB5Util
isSubKeyEncTypeSupported()... Exit
6/13/12 15:21:06:947 CEST 002d KRBConsumeLog 3 Key of type: [B with
encryption type: java.lang.Integer from token as follows...
: 4d091fe9 3ef84da8 69487b05 910d8fd8M... .M. iH{.
0010:
6/13/12 15:21:06:947 CEST 002d KRBConsumeLog 3 Request token processed OK
6/13/12 15:21:06:947 CEST 002d KRBConsumeLog 3 getAuthenticatedUsername:
WebSphere Security principal = eo30021
6/13/12 15:21:06:947 CEST 002d KRBConsumeLog 3 Kerberos client principal:
eo30021
6/13/12 15:21:06:949 CEST 002d CacheableToke CacheableTokenCacheImpl
Entry
6/13/12 15:21:06:950 CEST 002d CacheableToke CacheableTokenCacheImpl Exit
6/13/12 15:21:06:950 CEST 002d WSSecurityFac 3 factory key =
com.ibm.ws.wssecurity.platform.cacheableTokenCache
6/13/12 15:21:06:950 CEST 002d WSSecurityFac 3 factory impl class =
com.ibm.ws.wssecurity.platform.websphere.auth.CacheableTokenCacheImpl
6/13/12 15:21:06:950 CEST 002d CacheableToke