2

I'm trying configure Spring Kerberos/SPNEGO Aauth for Active Directory and I am getting this error

    08:43:29,951 DEBUG SpnegoAuthenticationProcessingFilter:109 - Received Negotiate Header for request http://servername:8001/Web/index.jsp: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAJ2E2fcp/UZu4aQ2Y/QpOd/T7U8QncuRlb7zBOEoL4ndX4cPNaGn8k1wjV64JOatfgAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
08:43:29,951 DEBUG ProviderManager:124 - Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
08:43:29,952 DEBUG KerberosServiceAuthenticationProvider:85 - Try to validate Kerberos Token
08:43:29,954  WARN SpnegoAuthenticationProcessingFilter:122 - Negotiate Header was invalid: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAJ2E2fcp/UZu4aQ2Y/QpOd/T7U8QncuRlb7zBOEoL4ndX4cPNaGn8k1wjV64JOatfgAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
        at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
        at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
        at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
        at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
        at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
        at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
        at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
        ... 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:858)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:532)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
        at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
        ... 25 more
08:43:29,956 DEBUG SecurityContextPersistenceFilter:90 - SecurityContextHolder now cleared, as request processing completed

My spring security looks like: 

    <?xm    l version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
                xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">


    <sec:http entry-point-ref="spnegoEntryPoint" security-context-repository-ref="secContextRepository" use-expressions="true">
        <sec:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_PROCESSING_FILTER" />
        <sec:logout invalidate-session="true" logout-url="/hello" logout-success-url="/logout" />
    </sec:http>

    <bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />



    <bean id="secContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <property name="allowSessionCreation" value="true" />
    </bean>

    <!-- class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter" -->
    <bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <!-- 
    <bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
     -->
    <!-- LDAP Authentication provider -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
    </sec:authentication-manager>


    <bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://domain:389" />
        <property name="userDn" value="username" />
        <property name="password" value="password"/>
        <property name="base" value="DC=domain,DC=domain,DC=domain" />
        <property name="pooled" value="true" />
    </bean>

    <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="ou=people" />
        <constructor-arg index="1" value="(&amp;(userPrincipalName={0})(objectClass=user))" />
        <constructor-arg index="2" ref="contextSource" />
    </bean>

    <bean id="upsLdapAuthoritiesPopulator" class="com.web.skorpion.ldap.UpsLdapAuthoritiesPopulator"></bean>

    <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService" lazy-init="true">
        <constructor-arg ref="userSearch" />
        <constructor-arg ref="upsLdapAuthoritiesPopulator" />
    </bean>
    <!-- 
    <bean id="dummyUserDetailsService" class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService"/>
     -->
    <bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                <property name="servicePrincipal" value="HTTP/servername@DOMAIN" />
                <property name="keyTabLocation" value="file:/apps/bin/krb5/tab.keytab" />
                <property name="debug" value="true" />
            </bean>
        </property>

        <property name="userDetailsService" ref="ldapUserDetailsService" />
    </bean>
</beans>

What causes this error. It appears at first Requests to the WLS. Unfortunately I can not locate it in Wireshark. Do I need to configure the browser to send a valid request with the correct Tag ?

user3815507
  • 43
  • 1
  • 6
  • As for Wireshark, it's a separate question, but surely it's possible to capture everything. Please note only, that under Windows 'localhost' is not a real network interface and Wireshark can't sniff the communication on that interface! You must use your IP address in the browser (ex: http://192.168.1.123:8080/myapp/) – Danubian Sailor Jul 23 '14 at 07:12
  • Looks like a duplicate of: http://stackoverflow.com/questions/2973355/defective-token-deteced-error-ntlm-not-kerberos-with-kerberos-spring-securit and http://stackoverflow.com/questions/17705727/kerberos-authentication-not-running-when-client-and-server-on-same-machine -- it seams that this exception occures when client and server run on the same machine (and this does not really work on windows) – Ralph Jul 23 '14 at 07:26
  • In this case client and server are on different machine. – user3815507 Jul 23 '14 at 07:41
  • I have KVNO set on 3 in keytab and wating on keytab with kvno 0 maybe this will help. – user3815507 Jul 23 '14 at 07:45
  • With KVNO set to 0 still not working... any ideas ? – user3815507 Jul 23 '14 at 08:39

0 Answers0