3 Replies Latest reply: Apr 8, 2011 9:40 AM by 811845

    Help-kerberos works with spnego keytab file but not in netbeans and Metro

    811845
      Hi,

      Appreciate if someone can shed some light on this problem and guide on what else am I missing.

      I'm trying to call .NET based WCF webservice (MS Dynamics CRM - OrganizationSvc) from a java client. Started looking at Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke web service. However the challenge was using Kerberos based authentication and related setup.

      I primarily followed the link below which was very helpful but had to dig more to get more specific details.
      http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services

      Tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf & login.conf & wsit-client.xml). So, I came across SPNEGO and used their examples, made changes accordingly and, after experimenting with various configuration settings (krb5.conf and login.conf), finally I was able to run HelloKDC & HelloKeytab successfully.

      krb5.conf

      [libdefaults]
      default_realm = NA.CONVERGYS.COM

      [realms]
      NA.CONVERGYS.COM = {
      kdc = CDCWW13.na.convergys.com
      admin_server = CDCWW13.na.convergys.com
      }

      [domain_realm]
      .na.convergys.com = NA.CONVERGYS.COM

      login.conf

      spnego-server {
      com.sun.security.auth.module.Krb5LoginModule required
      useKeyTab=true
      keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
      doNotPrompt=false
      storeKey=true
      principal="HOST/ORLDWV705.na.convergys.com"
      debug=true;
      };

      C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab

      Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.

      [1] Service principal: HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
      KVNO: 7


      With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.

      http://spnego.sourceforge.net/index.html
      http://spnego.sourceforge.net/client_keytab.html
      http://spnego.sourceforge.net/troubleshoot_hellokeytab.html

      However, when I run the example in Netbeans with the setup mentioned in the link below, I run into following exception...
      http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
      http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html

      1) noticed that sc:KerberosConfig element in wsit-client.xml does not get updated automatically in netbeans ide, so manually edited to put the entries.
      2) also followed the setup required in glassfish domain.xml & login.conf xml.
      3) also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.

      wsit-client.xml

      <wsp:Policy wsu:Id="ClientKerberosPolicy"
      xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
      xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
      xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
      <wsp:All>
      <sc:KerberosConfig wspp:visibility="private"
      loginModule="KerberosClient"
      servicePrincipal="HOST/ORLDWV705.na.convergys.com"
      credentialDelegation="true" />
      </wsp:All>
      </wsp:ExactlyOne>
      </wsp:Policy>

      ERROR
      INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
      WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
      WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
      INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
      INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
      SEVERE: WSITPVD0050: Error while Securing Request Message.
      com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
      at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
      at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)

      -
      -
      -
      Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
      at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
      at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
      at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
      at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
      -
      -
      -

      SEVERE: SEC2004: Container-auth: wss: Error securing request
      javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
      -
      -
      -
      Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
      at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
      at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
      ... 42 more

      WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
      javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
      -
      -
      -

      Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
      at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
      at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
      ... 40 more
      Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
      at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
      at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
      ... 42 more

      Edited by: user6748004 on Feb 3, 2011 5:36 PM

      Edited by: user6748004 on Feb 3, 2011 5:38 PM
        • 1. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
          814527
          Hi,

          Please let me know if you could you make it work.

          I am using JBoss 4.2.3.

          Thanks a lot.

          Best Regards - Roy
          • 2. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
            852409
            Hi Ravi,

            Did you get this issue resolved? I hit the same problem. I would appreciate if you could share your experience.

            Thanks,
            Gasha
            • 3. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
              811845
              Hi Gasha,
              The only change I did after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the GlassFish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.

              <sc:KerberosConfig wspp:visibility="private"
              loginModule="KerberosServer"
              servicePrincipal="HOST/ORLDWV705.na.convergys.com"
              credentialDelegation="true" />

              login.conf has

              KerberosServer {
              com.sun.security.auth.module.Krb5LoginModule required
              useKeyTab=true
              keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
              doNotPrompt=false
              storeKey=true
              principal="HOST/ORLDWV705.na.convergys.com"
              debug=true;
              };

              FYI, I used the following way to create the keytab
              ------------------------------------------------------------------
              Keytab was created using below instructions
              ktpass -princ HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
              -mapUser svcMSCRMDev@NA.CONVERGYS.COM
              -mapOp set
              -pass *
              -crypto DES-CBC-MD5
              -pType KRB5_NT_PRINCIPAL
              -out orldwv705.keytab

              Targeting domain controller: CDCWW13.na.convergys.com
              Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
              Key created.
              Output keytab to orldwv705.keytab:
              Keytab version: 0x502
              keysize 75 HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
              ------------------------------------------------------------------

              Also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.

              With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't get any success.

              This is where I'm stuck now. What I don't know is if there is another setup from which we can try a similar interoperability example, for example WebLogic 10.1 & Eclipse, which is closer to our real environment.

              SEVERE: SEC2004: Container-auth: wss: Error securing request
              java.lang.IllegalArgumentException: Missing argument
              at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
              at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
              at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)

              Edited by: user6748004 on Apr 8, 2011 10:39 AM
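The two failures in this thread happen at different layers: the first post dies inside the JAAS login itself (the trace shows Krb5LoginModule reading the credential cache via acquireTGTFromCache rather than the keytab), while the last reply gets past the login and fails when Metro builds a SecretKeySpec from the established context. The check below, written for this thread and not part of the SPNEGO or Metro projects, isolates the JAAS/keytab layer from WSIT: it logs in with a named login.conf entry, lists the principals and Kerberos tickets that landed in the Subject, and then asks the KDC for a service ticket for the target SPN through plain GSS-API. The class name KeytabLoginCheck, the describeSubject helper and the command-line defaults are mine; the entry name, SPN and realm are the ones from the posts above. Because the keytab shown in the last reply holds a DES-CBC-MD5 key, JDK 7 and later need `allow_weak_crypto = true` under `[libdefaults]` in krb5.conf (krb5.ini on Windows) for this check, and for Metro, to use that key at all.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Stand-alone check of the JAAS/keytab layer Metro relies on (example for this
 * thread, not project code). Run as:
 *   java -Djava.security.krb5.conf=C:\WINDOWS\krb5.ini
 *        -Djava.security.auth.login.config=login.conf
 *        -Dsun.security.krb5.debug=true
 *        KeytabLoginCheck KerberosServer HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
 */
public class KeytabLoginCheck {

    public static void main(String[] args) throws Exception {
        // Entry name and target SPN default to the values used in the thread.
        final String entry = args.length > 0 ? args[0] : "KerberosServer";
        final String targetSpn = args.length > 1 ? args[1]
                : "HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM";

        // Step 1: JAAS login. With useKeyTab=true the TGT must come from the keytab;
        // an entry that falls back to the credential cache fails here, exactly as the
        // acquireTGTFromCache frames in the first post show, before Metro is involved.
        LoginContext lc = new LoginContext(entry);
        try {
            lc.login();
        } catch (LoginException e) {
            System.err.println("JAAS login for entry '" + entry + "' failed: " + e);
            throw e;
        }
        Subject subject = lc.getSubject();
        describeSubject(subject);

        // Step 2: inside the logged-in Subject, request a service ticket for the SPN
        // (the AP-REQ token Metro would put into the SOAP security header). Doing it
        // here separates keytab/KDC problems from WSIT policy problems.
        byte[] apReq = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
                GSSManager mgr = GSSManager.getInstance();
                GSSName service = mgr.createName(targetSpn, GSSName.NT_USER_NAME, krb5);
                GSSCredential cred = mgr.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
                GSSContext ctx = mgr.createContext(service, krb5, cred,
                        GSSContext.DEFAULT_LIFETIME);
                ctx.requestCredDeleg(true);   // mirrors credentialDelegation="true" in wsit-client.xml
                ctx.requestMutualAuth(false); // one-way check: context is established after one token
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                System.out.println("Context established: " + ctx.isEstablished()
                        + ", delegation granted by KDC: " + ctx.getCredDelegState());
                ctx.dispose();
                return token;
            }
        });
        System.out.println("AP-REQ token: " + apReq.length + " bytes for " + targetSpn);
        lc.logout();
    }

    /** Prints the principals and Kerberos credentials the login placed in the Subject. */
    static void describeSubject(Subject subject) {
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("Principal: " + p.getName());
        }
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.out.println("No TGT in Subject: check useKeyTab, keyTab and principal in the entry");
        }
        for (KerberosTicket t : tickets) {
            // Session key type is the Kerberos etype number (3 = DES-CBC-MD5, as in the keytab above).
            System.out.println("Ticket for " + t.getServer().getName()
                    + " valid until " + t.getEndTime()
                    + ", session key type " + t.getSessionKeyType());
        }
        // Anything else stored by the login (e.g. keytab keys kept via storeKey=true).
        for (Object o : subject.getPrivateCredentials()) {
            if (!(o instanceof KerberosTicket)) {
                System.out.println("Other credential: " + o.getClass().getName());
            }
        }
    }
}
```

If step 1 fails with the same NullPointerException as the first post, the problem is the login.conf entry or the krb5.conf/krb5.ini the JVM actually loaded, not the WSIT policy; if step 2 fails, the KDC did not issue a ticket for that SPN (wrong or duplicate SPN registration, or an etype the JDK refuses). The `IllegalArgumentException: Missing argument` in the last reply is the message `javax.crypto.spec.SecretKeySpec` raises when it is constructed with a null key or a null algorithm name, so at that point Metro obtained no usable session key from the context; the session key type printed by this check is the value to compare against what the WCF side accepts.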