Help with Kerberos and SPNEGO

Discussion in 'Computer Security' started by dmarsh, Mar 24, 2015.

  1. dmarsh
    Anyone want to help me get some Kerberos and SPNEGO stuff working?

    Any tips or resources? Thanks!

    David
     
  2. dmarsh
    All these security experts and not one offer? :)

    I'm having problems performing SPNEGO authentication from a Windows 8.1 browser client to Tomcat 8, both on Windows, and the KDC is Windows Server 2012 RC2.

    Error :-

    java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
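The "GSSHeader did not find the right tag" text refers to the outer GSS-API InitialContextToken header (RFC 2743, section 3.1): a 0x60 tag, a DER length and the mechanism OID. The following is an added diagnostic, not code from the thread, that decodes the base64 value of an `Authorization: Negotiate` header and names the mechanism it carries, so a server-side "defective token" can be checked against what the browser actually sent. The sample tokens and their inner bodies are constructed placeholders.

```python
import base64

# Mechanism OIDs that can appear at the top of a GSS-API token on this path.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
}

def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(raw):
    """Convert DER OID content octets to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(b64):
    """Name the mechanism inside 'Authorization: Negotiate <b64>' (RFC 2743 InitialContextToken)."""
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw NTLMSSP message, no GSS header (tag 0x60 absent)"
    if not tok or tok[0] != 0x60:
        return "not a GSS-API token: first byte 0x%02x, expected 0x60" % (tok[0] if tok else 0)
    _, pos = _der_length(tok, 1)
    if tok[pos] != 0x06:
        return "GSS header present but mechanism OID tag (0x06) missing"
    oid_len, pos = _der_length(tok, pos + 1)
    oid = _decode_oid(tok[pos:pos + oid_len])
    return MECH_OIDS.get(oid, "unknown mechanism " + oid)

def _gss_wrap(oid_der, inner):
    """Constructed sample: 0x60 <len> 0x06 <len> <oid> <inner>; inner kept short for 1-byte lengths."""
    body = b"\x06" + bytes([len(oid_der)]) + oid_der + inner
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

# Constructed sample tokens (the inner bodies are placeholders, not real negotiation data).
SAMPLE_SPNEGO = _gss_wrap(b"\x2b\x06\x01\x05\x05\x02", b"\xa0\x02\x30\x00")
SAMPLE_KRB5 = _gss_wrap(b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", b"\x01\x00")
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A token that classifies as anything other than SPNEGO or Kerberos V5 explains a GSSHeader tag error on the Tomcat side before any KDC or keytab debugging is needed.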
     
  3. JK2447
    I'm NO expert on any of this, Dave, but I am handy at finding ugly solutions to pretty problems :)

    Could you humor me and try whatever you're doing using Firefox please, sir....
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  4. SimonD
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  5. dmarsh
    Thanks Jim, I have tried Firefox, IE and Chrome. You are correct in that Firefox is the most Kerberos-friendly, apparently.

    Yes Simon I have a correct keytab and krb5.ini.

    I tested these using kinit :-

    Krb5.ini – Configures Kerberos 5, used for tools like kinit, klist and also Tomcat.
    Code:
    [libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\keytab\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true
    
    [realms]
    KERBTEST.LOCAL = {
    kdc = win-dc01.kerbtest.local:88
    }
    
    [domain_realm]
    kerbtest.local = KERBTEST.LOCAL
    .kerbtest.local = KERBTEST.LOCAL
    
    Jaas.conf – Java JAAS / GSS config
    Code:
    com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
    };
    
    com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
    };
    
    To list the keys in the keytab (Java JDK bin must be on PATH environment variable).

    klist -e -f -k -t c:\keytab\tomcat.keytab

    Key tab: c:\keytab\tomcat.keytab, 5 entries found.

    [1] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 1
    Time stamp: Jan 01, 1970 01:00:00

    [2] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 3
    Time stamp: Jan 01, 1970 01:00:00

    [3] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 23
    Time stamp: Jan 01, 1970 01:00:00

    [4] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 18
    Time stamp: Jan 01, 1970 01:00:00

    [5] Service principal: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    KVNO: 15
    Key type: 17
    Time stamp: Jan 01, 1970 01:00:00

    Key type 23 is RC4-HMAC.

    To test getting a TGT from the KDC using Kinit :-

    java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -t -k c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL

    Java config name: c:\windows\krb5.ini
    Loaded from Java config
    >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
    Principal is c:\keytab\tomcat.keytab@KERBTEST.LOCAL
    >>> Kinit using keytab
    >>> Kinit keytab file name: -k
    >>> Kinit realm name is KERBTEST.LOCAL
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for win-tc01 are:
    win-tc01/192.168.0.3
    IPv4 address
    win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
    IPv6 address
    win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
    IPv6 address
    win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
    IPv6 address
    >>> KdcAccessibility: reset
    Looking for keys for: c:\keytab\tomcat.keytab@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
    available; only have keys of following type: No error
    KrbException: Do not have keys of types listed in default_tkt_enctypes available
    ; only have keys of following type:
    at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
    C:\Windows>java -Dsun.security.krb5.debug=true -Djava.security.krb5.conf=c:\windows\krb5.ini sun.security.krb5.internal.tools.Kinit -k -t c:\keytab\tomcat.keytab HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>>KinitOptions cache name is C:\Users\tc01.KERBTEST\krb5cc_tc01
    Principal is HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>> Kinit using keytab
    >>> Kinit keytab file name: c:\keytab\tomcat.keytab
    Java config name: c:\windows\krb5.ini
    Loaded from Java config
    >>> Kinit realm name is KERBTEST.LOCAL
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for win-tc01 are:
    win-tc01/192.168.0.3
    IPv4 address
    win-tc01/fe80:0:0:0:95f0:c1e4:a0f3:f45%3
    IPv6 address
    win-tc01/fe80:0:0:0:cd8:21c6:3f57:fffc%5
    IPv6 address
    win-tc01/2001:0:9d38:90d7:cd8:21c6:3f57:fffc
    IPv6 address
    >>> KdcAccessibility: reset
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 70; type: 1
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 70; type: 3
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 78; type: 23
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 94; type: 18
    >>> KeyTabInputStream, readName(): KERBTEST.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): win-tc01.kerbtest.local
    >>> KeyTab: load() entry length: 78; type: 17
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
    retries =3, #bytes=272
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
    =1, #bytes=272
    >>> KrbKdcReq send: #bytes read=213
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
    ocal, s2kparams = null
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16
    >>>Pre-Authentication Data:
    PA-DATA type = 15
    >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
    sTime is Thu Mar 26 00:10:28 GMT 2015 1427328628000
    suSec is 635591
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
    eData provided.
    msgType is 30
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = KERBTEST.LOCALHTTPwin-tc01.kerbtest.l
    ocal, s2kparams = null
    PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16
    >>>Pre-Authentication Data:
    PA-DATA type = 15
    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    default etypes for default_tkt_enctypes: 23 18 17.
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    default etypes for default_tkt_enctypes: 23 18 17.
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000, number of
    retries =3, #bytes=359
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local UDP:88, timeout=30000,Attempt
    =1, #bytes=359
    >>> KrbKdcReq send: #bytes read=100
    >>> KrbKdcReq send: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000, number of
    retries =3, #bytes=359
    >>> KDCCommunication: kdc=win-dc01.kerbtest.local TCP:88, timeout=30000,Attempt
    =1, #bytes=359
    >>>DEBUG: TCPClient reading 1653 bytes
    >>> KrbKdcReq send: #bytes read=1653
    >>> KdcAccessibility: remove win-dc01.kerbtest.local:88
    Looking for keys for: HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Added key: 17version: 15
    Added key: 18version: 15
    Added key: 23version: 15
    Found unsupported keytype (3) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    Found unsupported keytype (1) for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/win-tc01.kerbtest.local
    New ticket is stored in cache file C:\Users\tc01.KERBTEST\krb5cc_tc01

    Since I get a ticket I assume krb5.ini and keytab are correct.

    So it seems either a browser issue, a Windows ticket cache issue, the token gets corrupted somewhere during transit, the wrong type of token gets sent, or GSS-API is not supported on these new operating systems?

    I've seen some talk about NegoEx but not sure if it's the problem.
     
    Last edited: Mar 27, 2015
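The klist -k -e listing and the "Found unsupported keytype (3) / (1)" lines above come down to one check: which of the keytab's enctypes are also named in krb5.ini's default_tkt_enctypes. The following is an added example, not code from the thread or the JDK, that parses an MIT-format (version 0x502, as ktpass writes) keytab, lists principal, KVNO and enctype per entry, and performs that intersection. The keytab bytes are constructed here with all-zero dummy keys, mirroring the five-entry tomcat.keytab shown in the post.

```python
import struct

def _cos(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Constructed sample data: serialise (realm, components, kvno, etype, key) as a 0x502 keytab."""
    out = b"\x05\x02"
    for realm, components, kvno, etype, key in entries:
        body = struct.pack(">H", len(components)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in components)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock: enctype, key length, key
        body += struct.pack(">I", kvno)                    # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return (principal, kvno, etype) for each live entry, i.e. what klist -k -e lists."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x502 is handled"
    pos, entries = 2, []
    while pos < len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                  # a negative size marks a deleted slot
            pos -= size
            continue
        end, cur = pos + size, pos
        ncomp, cur = struct.unpack_from(">H", data, cur)[0], cur + 2
        strings = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            n = struct.unpack_from(">H", data, cur)[0]
            strings.append(data[cur + 2:cur + 2 + n].decode())
            cur += 2 + n
        vno8, cur = struct.unpack_from(">IIB", data, cur)[2], cur + 9
        etype, klen = struct.unpack_from(">HH", data, cur)
        cur += 4 + klen
        kvno = struct.unpack_from(">I", data, cur)[0] if end - cur >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
        pos = end
    return entries

def usable_etypes(entries, default_tkt_enctypes):
    """Enctypes present in the keytab that krb5.ini's default_tkt_enctypes also allows."""
    return sorted({e for _, _, e in entries} & set(default_tkt_enctypes))

# Constructed keytab mirroring the five-entry tomcat.keytab above (keys are dummy zero bytes).
SAMPLE_KEYTAB = build_keytab([("KERBTEST.LOCAL", ["HTTP", "win-tc01.kerbtest.local"], 15, t, b"\x00" * n)
                              for t, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16))])
```

With default_tkt_enctypes set to 23, 18 and 17 as in the krb5.ini above, usable_etypes returns exactly those three and leaves out the DES types 1 and 3, which is what the "unsupported keytype" debug lines report; an empty result is the "Do not have keys of types listed in default_tkt_enctypes" failure.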
  6. JK2447
    Sorry mate, I think we definitely need an expert on this one. I should have known you'd have tried different browsers. Looking online there are plenty of examples where Win7 and 2008R2 are used, but 2012 and 8.1 is very thin on the ground, isn't it :(
     
  7. dmarsh
    So I went to an older JDK version and it started working, so all I can conclude is that it's broken in newer JDKs for some reason...
     
  8. JK2447
    Good work mate, wonder if it's worth sending them your findings
     
  9. dmarsh
    Yeah, if I get time to nail it down I'll try to tell Oracle or OpenJDK.
     