This discussion is archived
3 Replies Latest reply: Apr 8, 2011 7:40 AM by 811845

Help-kerberos works with spnego keytab file but not in netbeans and Metro

811845 Newbie
Hi,

I'd appreciate it if someone could shed some light on this problem and guide me on what else I am missing.

I'm trying to call a .NET-based WCF web service (MS Dynamics CRM - OrganizationSvc) from a Java client. I started looking at the Metro framework for interoperability. I was able to generate all the proxy classes and write the code to invoke the web service. However, the challenge was using Kerberos-based authentication and the related setup.

I primarily followed the link below which was very helpful but had to dig more to get more specific details.
http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services

I tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf, login.conf and wsit-client.xml). So I came across SPNEGO, used their examples, made changes accordingly and, after experimenting with various configuration settings (krb5.conf and login.conf), I was finally able to run the HelloKDC and HelloKeytab files successfully.

krb5.conf

[libdefaults]
    default_realm = NA.CONVERGYS.COM

[realms]
    NA.CONVERGYS.COM = {
        kdc = CDCWW13.na.convergys.com
        admin_server = CDCWW13.na.convergys.com
    }

[domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM

login.conf

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
};

C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab

Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.

[1] Service principal: HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
KVNO: 7


With these settings, I was able to successfully make the call, and HelloKeytab was able to get the ticket and authenticate.

http://spnego.sourceforge.net/index.html
http://spnego.sourceforge.net/client_keytab.html
http://spnego.sourceforge.net/troubleshoot_hellokeytab.html

However, when I run the example in NetBeans with the setup mentioned in the links below, I run into the following exception:
http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html

1) I noticed that the sc:KerberosConfig element in wsit-client.xml does not get updated automatically in the NetBeans IDE, so I manually edited it to put the entries in.
2) I also followed the setup required in the GlassFish domain.xml and login.conf.
3) I also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.

wsit-client.xml

<wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>
      <sc:KerberosConfig wspp:visibility="private"
          loginModule="KerberosClient"
          servicePrincipal="HOST/ORLDWV705.na.convergys.com"
          credentialDelegation="true" />
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

ERROR
INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
SEVERE: WSITPVD0050: Error while Securing Request Message.
com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)

-
-
-
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
-
-
-

SEVERE: SEC2004: Container-auth: wss: Error securing request
javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
-
-
-
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more

WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
-
-
-

Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
... 40 more
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more

Edited by: user6748004 on Feb 3, 2011 5:36 PM

Edited by: user6748004 on Feb 3, 2011 5:38 PM
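
An added check for the configuration in the post above (not the poster's code and not part of Metro): it looks up the JAAS entry that the loginModule attribute of sc:KerberosConfig names and reports whether that entry takes its credentials from a keytab or from the ticket cache. The inputs are constructed from the thread's values; the KerberosClient ticket-cache entry is an assumption, since the thread does not show it.

```python
import re
import xml.etree.ElementTree as ET

SC = "{http://schemas.sun.com/2006/03/wss/client}"  # sc: namespace from the post

def parse_jaas(text):
    """Map each JAAS entry name to its options (single-module entries)."""
    entries = {}
    for name, body in re.findall(r"([\w.-]+)\s*\{(.*?)\}\s*;", text, re.S):
        pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;]+))', body)
        entries[name] = {k: quoted or bare for k, quoted, bare in pairs}
    return entries

def check(wsit_xml, login_conf):
    """Report how the JAAS entry named by sc:KerberosConfig obtains credentials."""
    cfg = ET.fromstring(wsit_xml).find(f".//{SC}KerberosConfig")
    if cfg is None:
        return ["no sc:KerberosConfig element in the client policy"]
    name, entries = cfg.get("loginModule"), parse_jaas(login_conf)
    if name not in entries:
        return [f"loginModule {name!r} not in login.conf; entries: {sorted(entries)}"]
    opts, notes = entries[name], []
    if opts.get("useKeyTab") == "true":
        notes.append(f"{name}: keytab {opts.get('keyTab', '(default)')}")
        if "principal" not in opts:
            notes.append(f"{name}: useKeyTab set without a principal")
        if opts.get("doNotPrompt") != "true":
            notes.append(f"{name}: doNotPrompt is not true, login may fall back to a prompt")
    elif opts.get("useTicketCache") == "true":
        notes.append(f"{name}: credentials come from the default ticket cache")
    else:
        notes.append(f"{name}: neither keytab nor ticket cache configured")
    return notes

# Constructed inputs. The policy (trimmed) and the KerberosServer entry use the
# thread's values; the KerberosClient ticket-cache entry is an assumption.
WSIT = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client">
  <wsp:ExactlyOne><wsp:All>
    <sc:KerberosConfig loginModule="%s" credentialDelegation="true"
        servicePrincipal="HOST/ORLDWV705.na.convergys.com"/>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>"""
LOGIN = """
KerberosClient { com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true; };
KerberosServer { com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="C:/WINDOWS/orldwv705_feb03.keytab" doNotPrompt=false
  storeKey=true principal="HOST/ORLDWV705.na.convergys.com" debug=true; };
"""
```

Calling check(WSIT % "KerberosClient", LOGIN) and check(WSIT % "KerberosServer", LOGIN) shows the two credential sources side by side.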
  • 1. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
    814527 Newbie
    Hi,

    Please let me know if you could make it work.

    I am using JBoss 4.2.3.

    Thanks a lot.

    Best Regards - Roy
  • 2. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
    852409 Newbie
    Hi Ravi,

    Did you get this issue resolved? I hit the same problem. I would appreciate it if you could share your experience.

    Thanks,
    Gasha
  • 3. Re: Help-kerberos works with spnego keytab file but not in netbeans and Metro
    811845 Newbie
    Hi Gasha,
    The only change I made after this was to try and use the 'KerberosServer' configuration from the wsit-client.xml. At least this enabled the GlassFish application to load the configuration related to the keytab etc., and use it to communicate with the WCF service for negotiation.

    <sc:KerberosConfig wspp:visibility="private"
    loginModule="KerberosServer"
    servicePrincipal="HOST/ORLDWV705.na.convergys.com"
    credentialDelegation="true" />

    login.conf has

    KerberosServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
    };

    FYI, I used the following to create the keytab:
    ------------------------------------------------------------------
    Keytab was created using below instructions
    ktpass -princ HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
    -mapUser svcMSCRMDev@NA.CONVERGYS.COM
    -mapOp set
    -pass *
    -crypto DES-CBC-MD5
    -pType KRB5_NT_PRINCIPAL
    -out orldwv705.keytab

    Targeting domain controller: CDCWW13.na.convergys.com
    Successfully mapped HOST/ORLDWV705.na.convergys.com to svcMSCRMDev.
    Key created.
    Output keytab to orldwv705.keytab:
    Keytab version: 0x502
    keysize 75 HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x0bc27ca83891dc2a)
    ------------------------------------------------------------------

    I also realised that we need to add 'HTTP/ORLDWV705.na.convergys.com' & 'http/ORLDWV705.na.convergys.com' using set SPN commands on the AD of the server where CRM is installed.

    With these changes, the negotiate authentication seems to have happened using the Kerberos token from the keytab, but later I ran into an error for which I was not able to get any clue to go forward. Someone in another post about this error suggested that it worked once they changed principal names, but when I tried I didn't have any success.

    This is where I'm stuck now. What I don't know is whether there is another setup from which we can try a similar interoperability example, e.g. WebLogic 10.1 & Eclipse, which is closer to our real environment.

    SEVERE: SEC2004: Container-auth: wss: Error securing request
    java.lang.IllegalArgumentException: Missing argument
    at javax.crypto.spec.SecretKeySpec.<init>(DashoA13*..)
    at com.sun.xml.ws.security.impl.kerberos.KerberosContext.getSecretKey(KerberosContext.java:91)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:525)

    Edited by: user6748004 on Apr 8, 2011 10:39 AM
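
Added example, not from the thread or from any tool it mentions: a reader for the keytab file format (version 0x502, as in the ktpass output above) that lists principal, kvno and enctype without returning the key, and flags deprecated enctypes such as the DES-CBC-MD5 used here. The sample entry is constructed with an all-zero key, and directory_kvno is a hypothetical parameter for the key version number looked up in the directory.

```python
import io
import struct

# Deprecated Kerberos enctypes (RFC 6649, RFC 8429), by registry number.
WEAK = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 23: "RC4-HMAC"}

def _counted(buf):
    (n,) = struct.unpack(">H", buf.read(2))   # 16-bit length prefix
    return buf.read(n).decode("utf-8")

def _entry(raw):
    buf = io.BytesIO(raw)
    (ncomp,) = struct.unpack(">H", buf.read(2))
    realm = _counted(buf)
    name = "/".join(_counted(buf) for _ in range(ncomp))
    _ntype, _ts, kvno, etype, klen = struct.unpack(">IIBHH", buf.read(13))
    buf.read(klen)                    # key bytes are skipped, never returned
    tail = buf.read(4)                # optional 32-bit kvno replaces the 8-bit one
    if len(tail) == 4 and tail != bytes(4):
        (kvno,) = struct.unpack(">I", tail)
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "etype": etype, "size": len(raw)}

def parse_keytab(data):
    """Parse an MIT keytab (format 0x502) into principal/kvno/etype records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                  # a negative size marks a deleted slot
            entries.append(_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def audit(entries, directory_kvno=None):
    """Flag deprecated enctypes and a kvno that differs from the directory's."""
    findings = []
    for e in entries:
        if e["etype"] in WEAK:
            findings.append(f"{e['principal']}: weak enctype {WEAK[e['etype']]}")
        if directory_kvno is not None and e["kvno"] != directory_kvno:
            findings.append(f"{e['principal']}: kvno {e['kvno']} != {directory_kvno}")
    return findings

def build_sample():
    """Constructed entry shaped like the ktpass output above, all-zero key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + cs("NA.CONVERGYS.COM") + cs("HOST")
            + cs("ORLDWV705.na.convergys.com") + struct.pack(">IIBHH", 1, 0, 8, 3, 8) + bytes(8))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

The constructed entry is 75 bytes long, the same figure ktpass prints as keysize for this principal with an 8-byte key.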
