5 Replies. Latest reply: Nov 5, 2009 6:37 PM by 843810

    Configuring Kerberos across 2 domains?

    843810
      Hi

      I am trying to set up a 3rd-party application to use single sign-on with Kerberos authentication across two domains and am having trouble. DOMAIN1.COM is a W2K domain and DOMAIN2 is a Citrix farm. My application is a Solaris (5.9) hosted Java app (1.4.2_08) running under WebLogic 8.1.

      I've generated the keytab files etc. and can successfully authenticate using kinit. I can successfully sign in from my desktop when I configure my environment to use only one domain, either DOMAIN1.COM or DOMAIN2, but I am hitting this error when trying to authenticate with a user account on DOMAIN2 (it works fine for a user account on DOMAIN1):

      ...
      <000000> <Found Negotiate with SPNEGO token>
      <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
      ...

      The application uses the JAAS login framework to perform the authentication. The steps I have followed are:

      1. We have generated the keytab file for both domains and have tested that we can generate tickets using kinit command

      2. When I start my WL server I am using the DOMAIN1.COM domain credentials i.e.

      JAVA_OPTIONS="-ms1024m ...etc... -Djava.security.auth.login.config=krb5Login.conf -Djava.security.krb5.realm=DOMAIN1.COM -Djava.security.krb5.kdc=ldap-domain1.com -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true -Dsun.security.krb5.debug=true"

      3. I've configured my krb5Login.conf to use DOMAIN1.COM, e.g.

      com.sun.security.jgss.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
              principal="HTTP/mydomain@DOMAIN1.COM" useKeyTab=true
              keyTab=krb5.keytab storeKey=true debug=true;
      };

      com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule required
              principal="HTTP/mydomain.com@DOMAIN1.COM" useKeyTab=true
              keyTab=krb5.keytab storeKey=true debug=true;
      };

      4. I've configured my /etc/krb5/krb5.conf to use DOMAIN2 as default.

      [libdefaults]
          default_realm = DOMAIN2
          default_tkt_enctypes = des-cbc-md5
          default_tgs_enctypes = des-cbc-md5

      [realms]
          DOMAIN1.COM = {
              kdc = ldap-domain1.com:88
              admin_server = ldap-domain1.com
          }
          DOMAIN2 = {
              kdc = kdc1.domain2:88
              kdc = kdc2.domain2:88
              admin_server = ADMINSERVER2
          }

      [domain_realm]
          mydomain.com = DOMAIN2

      [appdefaults]
          kinit = {
              renewable = true
              forwardable = true
              autologin = true
              forward = true
              encrypt = true
          }

      I am not a Java developer, so this is all new to me; hopefully someone can give me some guidance. I've been told the reason I can't authenticate is because I don't have a trust relationship set up between the two domains. But our Active Directory team have stated that setting up a trust relationship is not an option.

      The software supplier has said that the application should work across both domains without the trust relationship, but they are unwilling to assist (as they have been paid already!). The way I have been led to understand it is that when we try to access the app from DOMAIN2, the app should default to the default domain set in the /etc/krb5/krb5.conf file. Am I misguided? I don't understand how the JAAS login framework works with Kerberos, and I would greatly appreciate some guidance on a possible config or code change I can make to resolve this issue.

      Thanks
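An added diagnostic for the first error in this thread (not code from the original poster, the supplier or WebLogic): the Kerberos ticket carried inside a Negotiate header has its issuing realm, service name, enctype and key version number in the clear (the Ticket structure of RFC 4120), so you can read off which key the acceptor must hold before any decryption is attempted. "Integrity check on decrypted field failed (31)" is KRB_AP_ERR_BAD_INTEGRITY; the usual cause is that the acceptor decrypted with a key of the right enctype but not the one the ticket was encrypted under, which is what happens when a DOMAIN2-issued ticket for HTTP/mydomain.com meets a Subject holding only the HTTP/mydomain.com@DOMAIN1.COM key. The script is Python with a minimal DER reader (no Kerberos library needed) and, because no real token appears on the page, constructs its own sample token using the thread's names plus assumed values (realm DOMAIN2, kvno 4, des-cbc-md5, zero-filled ciphertext); point `explain()` at a captured `Authorization: Negotiate ...` header value to see what your DOMAIN2 client actually sends. Raw Kerberos tokens (no SPNEGO wrapper) are handled as well.

```python
import base64

# Byte encodings of the two GSS mechanism OIDs seen in HTTP Negotiate.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


# --- minimal DER reader ----------------------------------------------------
def read_tlv(buf, off=0):
    """Return (tag, content, next_offset) for the DER element starting at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n


def children(content):
    """Split the contents of a constructed element into [(tag, content), ...]."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        out.append((tag, body))
    return out


def unwrap_gss(token):
    """Strip the GSS-API [APPLICATION 0] framing; return (mech OID bytes, inner)."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, oid, off = read_tlv(body)                   # leading OBJECT IDENTIFIER
    return oid, body[off:]


def ap_req_from_negotiate(header_value):
    """Pull the raw KRB_AP_REQ out of an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    oid, inner = unwrap_gss(base64.b64decode(b64))
    if oid == SPNEGO_OID:                          # NegTokenInit: dig out the mechToken
        (_, neg_init), = children(inner)           # [0] NegTokenInit
        (_, seq), = children(neg_init)             # its SEQUENCE
        mech = dict(children(seq)).get(0xA2)       # [2] mechToken
        if mech is None:
            raise ValueError("NegTokenInit carries no mechToken")
        oid, inner = unwrap_gss(children(mech)[0][1])   # OCTET STRING -> krb5 token
    if oid != KRB5_OID or inner[:2] != b"\x01\x00":    # TOK_ID 01 00 = KRB_AP_REQ
        raise ValueError("mechToken is not a Kerberos KRB_AP_REQ")
    return inner[2:]


def ticket_summary(ap_req):
    """Read the cleartext fields of the Ticket inside an AP-REQ (RFC 4120 5.3)."""
    _, app, _ = read_tlv(ap_req)                   # [APPLICATION 14]
    _, seq, _ = read_tlv(app)                      # SEQUENCE
    _, tkt, _ = read_tlv(dict(children(seq))[0xA3])   # [3] ticket -> [APPLICATION 1]
    _, tseq, _ = read_tlv(tkt)
    t = dict(children(tseq))
    realm = children(t[0xA1])[0][1].decode("ascii")               # [1] realm
    pn = dict(children(children(t[0xA2])[0][1]))                   # [2] sname
    parts = [v.decode("ascii") for _, v in children(children(pn[0xA1])[0][1])]
    enc = dict(children(children(t[0xA3])[0][1]))                  # [3] enc-part
    etype = int.from_bytes(children(enc[0xA0])[0][1], "big")
    kvno = int.from_bytes(children(enc[0xA1])[0][1], "big") if 0xA1 in enc else None
    return {"realm": realm, "sname": "/".join(parts), "etype": etype,
            "enctype": ENCTYPES.get(etype, "unknown(%d)" % etype), "kvno": kvno,
            "key_needed": "/".join(parts) + "@" + realm}


def explain(header_value):
    return ticket_summary(ap_req_from_negotiate(header_value))


# --- constructed sample token (built here, not captured from the thread) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def ctx(n, content):                               # context-specific [n], constructed
    return tlv(0xA0 | n, content)

def integer(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def gstring(s):                                    # GeneralString
    return tlv(0x1B, s.encode("ascii"))

def encrypted_data(etype, kvno, cipher):
    body = ctx(0, integer(etype)) + (ctx(1, integer(kvno)) if kvno is not None else b"")
    return tlv(0x30, body + ctx(2, tlv(0x04, cipher)))

def build_sample_token(realm="DOMAIN2", sname=("HTTP", "mydomain.com"), etype=3, kvno=4):
    """'Negotiate <b64>' for a ticket issued by `realm` for `sname` (assumed values;
    encrypted parts are zero-filled dummies since only cleartext fields are read)."""
    pname = tlv(0x30, ctx(0, integer(2)) +                         # NT-SRV-INST
                ctx(1, tlv(0x30, b"".join(gstring(p) for p in sname))))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gstring(realm)) +
                            ctx(2, pname) + ctx(3, encrypted_data(etype, kvno, b"\x00" * 24))))
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14)) +
                            ctx(2, tlv(0x03, b"\x00\x20\x00\x00\x00")) +   # mutual-required
                            ctx(3, ticket) + ctx(4, encrypted_data(etype, None, b"\x00" * 16))))
    krb_token = tlv(0x60, tlv(0x06, KRB5_OID) + b"\x01\x00" + ap_req)
    neg_init = ctx(0, tlv(0x30, ctx(0, tlv(0x30, tlv(0x06, KRB5_OID))) +
                           ctx(2, tlv(0x04, krb_token))))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO_OID) + neg_init)).decode("ascii")


if __name__ == "__main__":
    for k, v in explain(build_sample_token()).items():
        print("%-11s %s" % (k, v))
```

Run it against a real header (for example one captured with the browser's developer tools or a proxy) and compare `key_needed`, `enctype` and `kvno` with the principals in the acceptor's keytab: a DOMAIN2 realm in the output means the DOMAIN2 KDC issued the ticket using the service account it holds, and no DOMAIN1.COM key can open it, trust relationship or not.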
        • 1. Re: Configuring Kerberos across 2 domains?
          843810
          1. Which side is the program running on, client and/or server?

          2. Do not specify -Djava.security.krb5.realm/kdc on the command line; it would override the whole krb5.conf. I mean, the whole krb5.conf is not read.

          3. Try adding -Dsun.security.krb5.debug=true to see what's happening
          • 2. Re: Configuring Kerberos across 2 domains?
            843810
            Hi

            Thanks for your reply, much appreciated. To answer your questions

            1. The application is hosted on the Solaris server.

            2. I removed the realm/kdc from the WL startup option and it is now giving me the error "Cannot get kdc for realm DOMAIN1.COM" (which was previously working) and the same message for DOMAIN2. I've checked that the kdc settings in /etc/krb5/krb5.conf are correct and have tried switching the default domains between the two, but still the same. The log message is as follows:

            ####<Oct 30, 2009 5:37:25 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
            ####<Oct 30, 2009 5:37:25 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '24' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
            GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
            at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
            at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
            at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
            at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
            at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
            at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
            at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:277)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
            at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
            at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
            at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)
            at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:672)
            at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:617)
            at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
            at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)
            at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
            at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
            at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3823)
            at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
            at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
            at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
            Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm DOMAIN1.COM
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
            at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:324)
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
            at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
            at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
            ... 21 more
            Caused by: KrbException: Cannot get kdc for realm DOMAIN1.COM
            at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
            at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
            at sun.security.krb5.KrbAsReq.send(DashoA12275:300)
            at sun.security.krb5.Credentials.acquireTGT(DashoA12275:360)
            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
            ... 35 more

            3. Debug was already enabled. I can post the logs from the initial error if required.
            • 3. Re: Configuring Kerberos across 2 domains?
              843810
              Looks like your krb5.conf is not loaded at all.

              In the debug message, there should be a line like:

              Config name: /etc/krb5/krb5.conf

              Can you see it? Or try setting -Djava.security.krb5.conf=/etc/krb5/krb5.conf on the command line, but I really believe that's unnecessary.
              • 4. Re: Configuring Kerberos across 2 domains?
                843810
                Hi
                Thanks for the reply. I couldn't see krb5.conf in the logs, so I added it to the JAVA_OPTIONS and re-ran a test, but it failed with the same error. Here is some output from my logs:

                ####<Nov 4, 2009 5:38:07 PM GMT> <Info> <Management> <aukobpcs> <aukobpcs_dd1> <main> <<WLS Kernel>> <> <BEA-141187> <Java system properties are defined as follows:
                ...
                java.security.auth.login.config = /opt/bea/user_projects/domains/onebill_online/krb5Login.conf
                java.security.krb5.conf = /etc/krb5/krb5.conf
                java.security.policy = /opt/bea/weblogic81/server/lib/weblogic.policy
                java.specification.name = Java Platform API Specification
                java.specification.vendor = Sun Microsystems Inc.
                java.specification.version = 1.4
                java.util.prefs.PreferencesFactory = java.util.prefs.FileSystemPreferencesFactory
                java.vendor = Sun Microsystems Inc.
                java.vendor.url = http://java.sun.com/
                java.vendor.url.bug = http://java.sun.com/cgi-bin/bugreport.cgi
                java.version = 1.4.2_11
                ...
                vde.home = ./aukobpcs_dd1/ldap
                weblogic.Name = aukobpcs_dd1
                weblogic.StdoutDebugEnabled = true
                weblogic.StdoutSeverityLevel = 64
                weblogic.management.server = http://aukobpcs.dc-dublin.de:7001
                weblogic.security.enableNegotiate = true
                ...
                ####<Nov 4, 2009 5:40:22 PM GMT> <Info> <HTTP> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<anonymous>> <> <BEA-101047> <[ServletContext(id=19509258,name=bpa,context-path=/bpa)] *.jsp: initialization complete>
                ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
                ####<Nov 4, 2009 5:40:22 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
                ####<Nov 4, 2009 5:40:23 PM GMT> <Debug> <SecurityDebug> <aukobpcs> <aukobpcs_dd1> <ExecuteThread: '23' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
                GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
                     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
                     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
                     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
                     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
                     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
                     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
                     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
                     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:277)
                     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
                     at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
                     at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
                     at weblogic.security.service.adapters.IdentityAsserterV1Adapter.assertIdentity(IdentityAsserterV1Adapter.java:28)
                     at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:672)
                     at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:617)
                     at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
                     at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:228)
                     at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
                     at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
                     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3823)
                     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
                     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
                     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
                Caused by: javax.security.auth.login.LoginException: Cannot get kdc for realm DOMAIN1.COM
                     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
                     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
                     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                     at java.lang.reflect.Method.invoke(Method.java:324)
                     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
                     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
                     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
                     at java.security.AccessController.doPrivileged(Native Method)
                     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
                     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
                     at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
                     at java.security.AccessController.doPrivileged(Native Method)
                     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
                     ... 21 more
                Caused by: KrbException: Cannot get kdc for realm DOMAIN1.COM
                     at sun.security.krb5.KrbKdcReq.send(DashoA12275:137)
                     at sun.security.krb5.KrbKdcReq.send(DashoA12275:110)
                     at sun.security.krb5.KrbAsReq.send(DashoA12275:300)
                     at sun.security.krb5.Credentials.acquireTGT(DashoA12275:360)
                     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
                     ... 35 more

                If you have any other suggestions I could try, that would be great; otherwise we'll look at implementing a workaround to this issue (probably having a separate WL server for each domain).

                Thanks
                • 5. Re: Configuring Kerberos across 2 domains?
                  843810
                  You need -Dsun.security.krb5.debug=true to see krb5.conf in the logs.
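One more thing worth checking for the original "Integrity check" failure, as an added example that is not part of the thread: the keytab itself. kinit succeeding proves the keytab has a usable key for the principal you named, not that it also holds a key for the same SPN in the other realm, and an acceptor can only open a DOMAIN2-issued ticket with the HTTP/mydomain.com@DOMAIN2 key whose enctype and kvno match the ticket. `klist -k` (or `ktutil`) will list this, but the Python below reads the MIT/Heimdal keytab format (version 0x0502) directly so kvno and enctype can be compared programmatically against what a ticket demands. The two sample keytabs are constructed inside the script with dummy keys and assumed kvnos (2 for DOMAIN1.COM, 4 for DOMAIN2), since the thread's real files are not on the page; pass a path on the command line to inspect a real keytab instead.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _parse_entry(body):
    """Decode one keytab v2 entry body (everything after the int32 size)."""
    pos = 0

    def u16():
        nonlocal pos
        v = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        return v

    def octets():                                  # uint16 length + bytes
        nonlocal pos
        n = u16()
        s = body[pos:pos + n]
        pos += n
        return s

    ncomp = u16()                                  # v2: realm is not counted
    realm = octets().decode("ascii")
    comps = [octets().decode("ascii") for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, pos)
    pos += 9
    enctype, klen = struct.unpack_from(">HH", body, pos)
    pos += 4
    key = body[pos:pos + klen]
    pos += klen
    kvno = vno8
    if len(body) - pos >= 4:                       # optional 32-bit kvno written by newer tools
        vno32 = struct.unpack_from(">I", body, pos)[0]
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
            "keylen": len(key), "timestamp": timestamp, "name_type": name_type}


def parse_keytab(data):
    """Return the live entries of an MIT/Heimdal keytab (header 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]
        off += 4
        if size < 0:                               # deleted slot: a hole of -size bytes
            off -= size
            continue
        entries.append(_parse_entry(data[off:off + size]))
        off += size
    return entries


def find_key(entries, principal, etype, kvno=None):
    """Keys able to open a ticket: principal, enctype and (if given) kvno must all match.
    A key for the same SPN in another realm is a different key; decrypting with it is
    what yields 'Integrity check on decrypted field failed' (KRB_AP_ERR_BAD_INTEGRITY, 31)."""
    return [e for e in entries if e["principal"] == principal and e["enctype"] == etype
            and (kvno is None or e["kvno"] == kvno)]


# --- constructed sample keytabs (dummy keys; not the thread's real files) ---
def _cstr(b):
    return struct.pack(">H", len(b)) + b


def keytab_entry(principal, kvno, enctype, key, timestamp=0, name_type=1):
    """Encode one v2 entry for 'comp1/comp2@REALM' in the layout parsed above."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode("ascii"))
    body += b"".join(_cstr(c.encode("ascii")) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)


# Keytab with only the DOMAIN1.COM service key merged in (assumed kvno 2, des-cbc-md5).
ONE_REALM = build_keytab([("HTTP/mydomain.com@DOMAIN1.COM", 2, 3, b"\x11" * 8)])
# What it must contain for tickets from either realm to be decryptable (assumed kvno 4).
BOTH_REALMS = build_keytab([("HTTP/mydomain.com@DOMAIN1.COM", 2, 3, b"\x11" * 8),
                            ("HTTP/mydomain.com@DOMAIN2", 4, 3, b"\x22" * 8)])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ONE_REALM
    entries = parse_keytab(data)
    for e in entries:
        print("%-40s kvno=%-3d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    print("can open a DOMAIN2 ticket:", bool(find_key(entries, "HTTP/mydomain.com@DOMAIN2", 3, 4)))
```

Whether a second realm's key in the keytab is enough also depends on the acceptor loading it: the JAAS `com.sun.security.jgss.accept` entry in the thread names a single DOMAIN1.COM principal, so the DOMAIN2 key would have to be made available to the acceptor's Subject as well, and a kvno that has moved on since the keytab was exported (a reset service account password) fails the same way.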