
Help with Kerberos and SPNEGO

Discussion in 'Computer Security' started by dmarsh, Mar 24, 2015.

  1. dmarsh

    dmarsh Terabyte Poster

    Anyone want to help me get some Kerberos and SPNEGO stuff working ?

    Any tips or resources ? thanks !

    David
     
    Certifications: CITP, BSc, HND, SCJP, SCJD, SCWCD, SCBCD, SCEA, N+, Sec+, Proj+, Server+, Linux+, MCTS, MCPD, MCSA, MCITP, CCDH
  2. dmarsh

    dmarsh Terabyte Poster

    All these security experts and not one offer ? :)

    I'm having problems performing SPNEGO authentication from a Windows 8.1 browser client to Tomcat 8, both on Windows, and the KDC is Windows Server 2012 RC2.

    Error :-

    java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
     
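The error quoted in the post above comes from Java's GSSHeader check: the acceptor expects the token to begin with the RFC 2743 InitialContextToken tag byte (0x60) and reports anything else as a defective token. The script below is an added example, not code from the thread, that base64-decodes an `Authorization: Negotiate` header and names the mechanism the client actually sent; the sample headers are constructed inline with dummy inner payloads, since only the outer framing matters for this check.

```python
"""Inspect the token behind an HTTP "Authorization: Negotiate ..." header.

Added example, not code from the thread. Java's GSS-API acceptor raises
"GSSHeader did not find the right tag" when the token it is handed does not
begin with the RFC 2743 InitialContextToken tag byte 0x60. A frequent cause in
browser-to-Tomcat setups is the browser falling back to NTLM, whose raw
NTLMSSP message also travels under the Negotiate scheme.
"""
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value) that a Windows client
# can put at the front of a GSS-API InitialContextToken.
KNOWN_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("06092a864882f712010202"): "MS Kerberos V5 (1.2.840.48018.1.2.2)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP wrapped in GSS (1.3.6.1.4.1.311.2.2.10)",
}
SPNEGO_OID = bytes.fromhex("06062b0601050502")
KRB5_OID = bytes.fromhex("06092a864886f712010202")


def der_length(buf, pos):
    """Decode the DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(header_value):
    """Return a one-line verdict on what the Authorization header carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return f"not a Negotiate header (scheme={scheme})"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "token is not valid base64"
    if not token:
        return "empty token"
    # Raw NTLM: the base64 starts with "TlRMTVNT". This is the classic fallback
    # when the browser could not obtain a Kerberos service ticket for the SPN.
    if token.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP message: client fell back to NTLM"
    # GSS-API framing: the base64 usually starts with "YII" (0x60 0x82) or "YIG".
    if token[0] != 0x60:
        return f"not a GSS-API InitialContextToken (first byte 0x{token[0]:02x}, expected 0x60)"
    _, pos = der_length(token, 1)
    if pos >= len(token) or token[pos] != 0x06:
        return "GSS-API header present but no mechanism OID follows it"
    oid_len, val_pos = der_length(token, pos + 1)
    oid = token[pos:val_pos + oid_len]
    return KNOWN_OIDS.get(oid, f"unknown mechanism OID {oid.hex()}")


def build_initial_context_token(mech_oid, inner):
    """Wrap inner bytes as an InitialContextToken: 0x60, DER length, OID, inner."""
    body = mech_oid + inner
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(enc)]) + enc
    return b"\x60" + length + body


def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample headers (not captured traffic). The inner payloads are
# filler: a real SPNEGO token carries a NegTokenInit and a real Kerberos token
# an AP-REQ, but the tag/OID check above only looks at the outer framing.
SAMPLE_SPNEGO = negotiate_header(build_initial_context_token(SPNEGO_OID, b"\xa0\x81\xc8" + b"\x00" * 200))
SAMPLE_KRB5 = negotiate_header(build_initial_context_token(KRB5_OID, b"\x01\x00" + b"\x00" * 40))
SAMPLE_NTLM = negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)

if __name__ == "__main__":
    for label, hdr in (("spnego", SAMPLE_SPNEGO), ("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM)):
        print(f"{label:7s} {hdr[:24]}...  ->  {classify_negotiate_token(hdr)}")
```

Capturing the header from the browser's developer tools or a proxy and running it through this check separates "the browser never got a Kerberos ticket and fell back to NTLM" from "the token really is SPNEGO/Kerberos and the fault is on the acceptor side" before anyone starts editing the keytab or krb5.ini.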
  3. jk2447

    jk2447 Petabyte Poster Moderator

    I'm NO expert on any of this Dave but I am handy at finding ugly solutions to pretty problems :)

    Could you humor me and try whatever you're doing using Firefox please sir....
     
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  4. SimonD

    SimonD Terabyte Poster Moderator

    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  5. dmarsh

    dmarsh Terabyte Poster

    Thanks Jim, I have tried Firefox, IE and Chrome. You are correct in that Firefox is the most Kerberos-friendly, apparently.

    Yes Simon I have a correct keytab and krb5.ini.

    I tested these using kinit :-

    Krb5.ini – Configures Kerberos 5, used for tools like kinit, klist and also Tomcat.
    Code:
    [libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\keytab\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true
    
    [realms]
    KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
    }
    
    [domain_realm]
    kerbtest.local = KERBTEST.LOCAL
    .kerbtest.local = KERBTEST.LOCAL
    
    Jaas.conf – Java JAAS / GSS config
    Code:
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
    };
    
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
    };
    
    To list the keys in the keytab (Java JDK bin must be on PATH environment variable).

    klist -e -f -k -t c:\keytab\tomcat.keytab

    Key tab: c:\keytab\tomcat.keytab, 5 entries found.

    [1] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 1
    Time stamp: Jan 01, 1970 01:00:00

    [2] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 3
    Time stamp: Jan 01, 1970 01:00:00

    [3] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 23
    Time stamp: Jan 01, 1970 01:00:00

    [4] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 18
    Time stamp: Jan 01, 1970 01:00:00

    [5] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 17
    Time stamp: Jan 01, 1970 01:00:00

    Key type 23 is RC4-HMAC.

    To test getting a TGT from the KDC using Kinit :-

    java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -t -k c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

    Java config name: c:\windows\krb5.ini
    Loaded from Java config
    >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
    Principal is c:\keytab\tomcat.keytab@KERBTEST.LOCAL
    >>> Kinit using keytab
    >>> Kinit keytab file name: -k
    >>> Kinit realm name is KERBTEST.LOCAL
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for win-tc01 are:
    win-tc01/192.168.0.3
    IPv4 address
    win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
    IPv6 address
    win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
    IPv6 address
    win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
    IPv6 address
    >>> KdcAccessibility: reset
    Looking for keys for: c:\keytab\tomcat.keytab@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
    available; only have keys of following type: No error
    KrbException: Do not have keys of types listed in default_tkt_enctypes available
    ; only have keys of following type:
    at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
    C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\wind
    ows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keyta
    b HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
    Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>> Kinit using keytab
    >>> Kinit keytab file name: c:\keytab\tomcat.keytab
    Java config name: c:\windows\krb5.ini
    Loaded from Java config
    >>> Kinit realm name is KERBTEST.LOCAL
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for win-tc01 are:
    win-tc01/192.168.0.3
    IPv4 address
    win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
    IPv6 address
    win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
    IPv6 address
    win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
    IPv6 address
    >>> KdcAccessibility: reset
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 70; type: 1
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 70; type: 3
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 78; type: 23
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 94; type: 18
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 78; type: 17
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
    retries =3, #bytes=272
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
    =1, #bytes=272
    >>> KrbKdcReq send: #bytes read=213
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
    ocal, s2kparams = null
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16
    >>>Pre-Authentication Data:
    PA-DATA type = 15
    >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
    sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
    suSec is 635591
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
    ocal, s2kparams = null
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16
    >>>Pre-Authentication Data:
    PA-DATA type = 15
    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    default etypes for default_tkt_enctypes: 23 18 17.
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
    retries =3, #bytes=359
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
    =1, #bytes=359
    >>> KrbKdcReq send: #bytes read=100
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of
    retries =3, #bytes=359
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt
    =1, #bytes=359
    >>>DEBUG: TCPClient reading 1653 bytes
    >>> KrbKdcReq send: #bytes read=1653
    >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
    New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01

    Since I get a ticket I assume krb5.ini and keytab are correct.

    So it seems either a browser issue, a Windows ticket cache issue, the token gets corrupted somewhere in transit, the wrong type of token gets sent, or GSS-API is not supported on these new operating systems?

    I've seen some talk about NegoEx but not sure if it's the problem.
     
    Last edited: Mar 27, 2015
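To go with the klist listing in the post above: the script below is an added example, not anything from the thread, that reads the MIT keytab format ktpass writes, prints the same principal/KVNO/key-type view, and flags the entries that should not stay in a service keytab. Key types 1 and 3 are DES, which the JDK debug output in this post already reports as unsupported keytypes, and 23 is RC4-HMAC, whose key is the NT hash of the service account password, so a leaked keytab with that entry is password-equivalent. The sample keytab is constructed in the script with zero-filled dummy keys; the principal, KVNO 15, timestamp 0 and key types 1, 3, 23, 18, 17 match the klist output.

```python
"""Parse an MIT-format keytab (the format ktpass writes) and flag weak key types.

Added example, not code from the thread. The sample keytab built at the bottom
is constructed here with dummy zero keys; only the principal, KVNO, timestamp
and enctypes mirror the post.
"""
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES is obsolete; the RC4 key is the account's NT hash


def _cos(b):
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_cos(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return bytes(data[p + 2:p + 2 + n]), p + 2 + n


def build_keytab(principal, realm, entries):
    """Write a keytab file (format 0x0502). entries: iterable of (kvno, timestamp, enctype, key)."""
    out = bytearray(b"\x05\x02")          # version 2 header; all integers big-endian
    comps = principal.split("/")
    for kvno, ts, etype, key in entries:
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        for c in comps:
            body += _cos(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", etype) + _cos(key)      # keyblock: enctype + key material
        body += struct.pack(">I", kvno)                   # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body        # size excludes the size field itself
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts, one per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_cos(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _read_cos(data, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        (etype,) = struct.unpack_from(">H", data, p)
        p += 2
        key, p = _read_cos(data, p)
        kvno = vno8
        if end - p >= 4:        # 32-bit vno present; a zero there means "use the 8-bit field"
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "timestamp": ts,
            "enctype": etype,
            "key_len": len(key),
        })
        pos = end
    return entries


def audit_keytab(data):
    """Return one finding per entry whose key type should not be in a service keytab."""
    findings = []
    for e in parse_keytab(data):
        if e["enctype"] in WEAK_ENCTYPES:
            name = ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"]))
            findings.append(f"{e['principal']} kvno {e['kvno']}: weak key type {e['enctype']} ({name})")
    return findings


# Constructed sample: same principal, KVNO 15, timestamp 0 (klist shows it as
# Jan 01 1970) and key types 1, 3, 23, 18, 17 as in the post; keys are dummies.
SAMPLE_KEYTAB = build_keytab(
    "HTTP/win-tc01.kerbtest.local", "KERBTEST.LOCAL",
    [(15, 0, 1, b"\x00" * 8), (15, 0, 3, b"\x00" * 8), (15, 0, 23, b"\x00" * 16),
     (15, 0, 18, b"\x00" * 32), (15, 0, 17, b"\x00" * 16)],
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "KVNO", e["kvno"], "type", e["enctype"],
              ENCTYPE_NAMES.get(e["enctype"], "?"))
    for f in audit_keytab(SAMPLE_KEYTAB):
        print("WARN", f)
```

The order in `default_tkt_enctypes` in the krb5.ini above is only the client's preference list; the debug output in this post shows the KDC answered with aes256 even though rc4-hmac was listed first, so dropping rc4-hmac from that list (and regenerating the keytab without the DES and RC4 entries once the account has AES keys) costs nothing here and removes the password-equivalent key from disk.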
  6. jk2447

    jk2447 Petabyte Poster Moderator

    Sorry mate, I think we definitely need an expert on this one. I should have known you'd have tried different browsers. Looking online there are plenty of examples where Win7 and 2008R2 are used, but 2012 and 8.1 are very thin on the ground, aren't they :(
     
  7. dmarsh

    dmarsh Terabyte Poster

    So I went to an older JDK version and it started working, so all I can conclude is that it's broken in newer JDKs for some reason...
     
  8. jk2447

    jk2447 Petabyte Poster Moderator

    Good work mate, wonder if it's worth sending them your findings
     
  9. dmarsh

    dmarsh Terabyte Poster

    Yeah, if I get time to nail it down I'll try to tell Oracle or OpenJDK.
     
