Troubleshooting User application SSO with Windows Kerberos

  • 7014802
  • 26-Mar-2014
  • 30-Sep-2014

Environment

NetIQ Identity Manager Roles Based Provisioning Module 4.x

Situation

User application Single sign-on (SSO) is set up with Microsoft Active Directory Kerberos as described in the User Application: Administration Guide.

When accessing the User application web interface, instead of being authenticated through SSO, the user gets a Windows security login prompt asking for credentials. SSO is not working.

Resolution

There are several possible causes of problems with User application SSO. To collect enough debug information, set up the following debugging on your User application:

1. In the Jboss/server/IDMProv/conf/login-config.xml file, in the section
<application-policy name = "com.sun.security.jgss.krb5.accept">
set
<module-option name = "debug">true</module-option>
and restart JBoss.
2. In the User application Administration tab set up the following logging:
log name: com.novell.common.auth.sso, level: Trace
Click Submit.

Search server.log in the jboss/server/IDMProv/log directory for errors related to SSO. Each error below is followed by its solution:

Error:

2014-03-27 00:02:10,375 INFO  [STDOUT] (http-0.0.0.0-8180-3) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
        at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:116)
        at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:107)
        at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.soa.common.i18n.URILoggerServletFilter.doFilter(URILoggerServletFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:191)
        ... 27 more

Solution:

By default, Active Directory on Windows 2008 allows several different encryption types: RC4_HMAC, AES128_HMAC and AES256_HMAC. This can be changed in Local Computer Policy - Computer Configuration - Windows Settings - Security Settings - Local Policies - Security Options - Network Security: Configure encryption types allowed for Kerberos. By default, no specific encryption type is selected and all of them are allowed except DES. If you choose a specific encryption type, only that type will be allowed on the workstation. This can also be configured through a Windows Group Policy Object.
If the encryption type is other than RC4-HMAC, you have to enable the service principal account for the encryption type you allowed the system in the setting above. This is done on the Account tab of the service principal account by checking the option "This account supports Kerberos AES 128 bit encryption" or "This account supports Kerberos AES 256 bit encryption".
If this option on the account is not selected and the system enforces encryption type AES 128 or AES 256, the Kerberos ticket will not be created for the service principal account.
You can check all the Kerberos tickets issued on a workstation by running the "klist" command.

This error can also be caused by a mix of Windows 2003 and 2008 servers where the service principal account is enabled for DES on the Account tab.
In this case, disable DES encryption for the service principal account. DES is also considered a less secure encryption type.
 
Error:

2014-03-27 01:30:57,397 INFO  [STDOUT] (http-0.0.0.0-8180-2) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
        at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:116)
        at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:107)
        at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.soa.common.i18n.URILoggerServletFilter.doFilter(URILoggerServletFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:198)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:320)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:191)
        ... 27 more
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
        at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
        at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
        at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
        ... 37 more
Caused by: KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:731)
        ... 55 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 58 more

Solution:

This error is generally caused by a difference between the service principal account password stored in Active Directory and the one entered when the keytab was created. Reset the password in Active Directory or recreate the keytab that login-config.xml in the User application references.

Error:

2014-03-27 01:47:10,251 INFO  [STDOUT] (http-0.0.0.0-8180-1) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
        at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:116)
        at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:107)
        at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.soa.common.i18n.URILoggerServletFilter.doFilter(URILoggerServletFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
        at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:198)
        at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:320)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:191)
        ... 27 more
Caused by: javax.security.auth.login.LoginException: Password can not be obtained from sharedstate
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:842)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:715)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
        at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
        at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
        at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
        ... 37 more

Solution:

Verify that the domain name was entered correctly in the krb5.conf or krb5.ini file.

Error:

2014-03-31 23:56:01,788 INFO  [STDOUT] (http-0.0.0.0-8180-6) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
        at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:116)
        at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:107)
        at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.novell.soa.common.i18n.URILoggerServletFilter.doFilter(URILoggerServletFilter.java:63)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:191)
        ... 27 more
Caused by: KrbException: Specified version of key is not available (44)
        at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
        ... 34 more

Solution:

Regenerate the keytab file by running ktpass according to the documentation referenced above. The error is caused by a difference between the key version number stored in Active Directory for the service principal user and the one in the keytab. This is usually caused by resetting the service principal user password.
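Both the encryption-type solution (first error above) and the key-version solution here come down to what the keytab on the JBoss side contains versus what Active Directory holds for the service principal. The following script is an added example, not part of this article or of the NetIQ product: it parses an MIT-format keytab (version 0x0502, the format ktpass writes), lists the encryption type and kvno of each key, and reports the three mismatches described above: a leftover DES key, a kvno that no longer matches the one in Active Directory after a password reset, and an encryption type allowed by the workstation policy for which the keytab holds no key. The principal name, the kvno value and the sample keytab are constructed for the example; in practice the Active Directory kvno would be read from the service account and the keytab from the path referenced in login-config.xml.

```python
import struct
from dataclasses import dataclass
from typing import List

# Kerberos encryption type numbers from the IANA registry (RFC 3961, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 3}


@dataclass
class KeytabEntry:
    principal: str  # e.g. HTTP/idm.example.com@EXAMPLE.COM
    kvno: int       # key version number recorded for this key
    enctype: int    # numeric encryption type
    key_len: int    # key length in bytes; the key bytes themselves are discarded


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (format version 0x0502, big-endian fields) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        ncomp, rlen = struct.unpack_from(">HH", data, p); p += 4
        realm = data[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode()); p += clen
        p += 8                            # name type and timestamp, not needed here
        kvno = data[p]; p += 1            # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        if p + 4 <= end:                  # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, klen))
        pos = end
    return entries


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples; used only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(entries, principal, ad_kvno, allowed_enctypes):
    """Findings for one service principal: DES keys, kvno out of step with
    Active Directory, and policy-allowed encryption types with no key in the keytab."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return [f"no entry for {principal}: check the principal name given to ktpass"]
    findings = []
    for e in mine:
        name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
        if e.enctype in DES_ENCTYPES:
            findings.append(f"DES key ({name}) present: disable DES on the account and regenerate")
        if e.kvno != ad_kvno:
            findings.append(f"kvno {e.kvno} in keytab but {ad_kvno} in AD for {name}: "
                            "password was reset, regenerate the keytab")
    present = {e.enctype for e in mine}
    for et in sorted(allowed_enctypes - present):
        findings.append(f"policy allows {ENCTYPE_NAMES.get(et, et)} but the keytab has no such key: "
                        "a ticket issued with it cannot be decrypted")
    return findings


# Constructed sample: RC4 and AES-256 keys at kvno 3 plus a stale DES key at kvno 2.
# Key bytes are dummy values, not real key material.
SPN = "HTTP/idm.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([(SPN, 3, 23, b"\x11" * 16), (SPN, 3, 18, b"\x22" * 32),
                              (SPN, 2, 3, b"\x33" * 8)])

if __name__ == "__main__":
    for f in audit_keytab(parse_keytab(SAMPLE_KEYTAB), SPN, ad_kvno=3, allowed_enctypes={17, 18, 23}):
        print(f)
```

Run against the sample with the Active Directory kvno at 3 and a workstation policy allowing RC4, AES-128 and AES-256, the audit reports the stale DES key, its kvno of 2, and the absence of an AES-128 key. The same parser can be pointed at a real keytab with `parse_keytab(open(path, "rb").read())`; it only keeps key lengths, never the key bytes, so its output is safe to paste into a support case.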

Error: No errors in server.log, only a Windows security prompt for credentials.

Solution: In some instances, the user authenticating to the User application through SSO may be a member of a large number of groups. A large number of group memberships increases the size of the Kerberos token, and in some cases it becomes larger than the default maximum HTTP header size. If that is the case, the scenario above may happen.

The maximum HTTP header size has to be increased in JBoss in

jboss/server/IDMProv/deploy/jbossweb.sar/server.xml 

In this file, find a section for your http connector that will start with

<Connector protocol="

and add the following parameter

maxHttpHeaderSize="32768"

Save the file and restart JBoss.
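The reason the token overruns the header is that the browser sends it base64-encoded in an `Authorization: Negotiate` request header, which grows it by a third, and Tomcat's documented default for maxHttpHeaderSize when the attribute is absent is 8192 bytes. The script below is an added example, not part of this article or of the NetIQ product: it estimates the header size a token of a given length produces, lists the Connector elements in a server.xml whose effective limit is below the value used above, and returns the file with the attribute raised. The sample server.xml is constructed for the example; the real file is the one named above.

```python
import math
import xml.etree.ElementTree as ET

DEFAULT_MAX_HEADER = 8192   # Tomcat/JBoss Web default when maxHttpHeaderSize is absent
RECOMMENDED = 32768         # value used in the procedure above


def negotiate_header_bytes(token_len: int) -> int:
    """Approximate size of the 'Authorization: Negotiate <base64>' header line
    carrying a SPNEGO token of token_len bytes (base64 grows it by 4/3, plus CRLF)."""
    b64 = 4 * math.ceil(token_len / 3)
    return len("Authorization: Negotiate ") + b64 + 2


def connectors_needing_fix(xml_text: str, minimum: int = RECOMMENDED):
    """Return (port, effective maxHttpHeaderSize) for each Connector below `minimum`."""
    root = ET.fromstring(xml_text)
    out = []
    for c in root.iter("Connector"):
        cur = int(c.get("maxHttpHeaderSize", DEFAULT_MAX_HEADER))
        if cur < minimum:
            out.append((c.get("port"), cur))
    return out


def raise_header_size(xml_text: str, minimum: int = RECOMMENDED) -> str:
    """Return server.xml text with maxHttpHeaderSize set to at least `minimum` on
    every Connector. ElementTree drops XML comments, so diff the result against the
    real file before replacing it."""
    root = ET.fromstring(xml_text)
    for c in root.iter("Connector"):
        if int(c.get("maxHttpHeaderSize", DEFAULT_MAX_HEADER)) < minimum:
            c.set("maxHttpHeaderSize", str(minimum))
    return ET.tostring(root, encoding="unicode")


# Constructed sample: an HTTP connector without the attribute (so the 8192 default
# applies) and an HTTPS connector that sets it explicitly to the default.
SAMPLE_SERVER_XML = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8180" address="${jboss.bind.address}"
             connectionTimeout="20000" redirectPort="8443"/>
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" maxHttpHeaderSize="8192"/>
</Service></Server>"""

if __name__ == "__main__":
    for n in (4000, 6000, 6200):
        print(n, "byte token ->", negotiate_header_bytes(n), "byte header")
    print("connectors below limit:", connectors_needing_fix(SAMPLE_SERVER_XML))
    print(raise_header_size(SAMPLE_SERVER_XML))
```

A 6000-byte token already produces an 8027-byte header line, so a user whose token is only slightly larger than that is refused before the SSO filter ever sees the request, which is why nothing reaches server.log in this case.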

Error:

2014-09-29 11:50:44,547 INFO  [STDOUT] (http-0.0.0.0-8180-12) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
    at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:116)
    at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:107)
    at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:87)
    at com.novell.common.auth.sso.SAPFilter.doFilter(SAPFilter.java:37)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.service.session.ClusteredSessionValve.handleRequest(ClusteredSessionValve.java:135)
    at org.jboss.web.tomcat.service.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:94)
    at org.jboss.web.tomcat.service.session.LockingValve.invoke(LockingValve.java:62)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:722)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:81)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:126)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:198)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:320)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:191)
    ... 31 more
Caused by: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:559)
    at sun.reflect.GeneratedMethodAccessor656.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
    at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
    at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
    at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
    at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
    at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:73)
    ... 41 more
Caused by: KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:731)
    ... 58 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
   
Solution:

This is a known issue with Windows 2008 based domain controllers.
For more information, consult Microsoft Knowledge Base article ID 951191:
An error code is returned when a Kerberos client requests a TGT against a Windows Server 2008-based domain controller: "KERB5KDC_ERR_C_PRINCIPAL_UNKNOWN"
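Every failure in this article surfaces in server.log as the same SSOFilter line followed by a chain of "Caused by:" lines, and only the innermost causes differ. The script below is an added example, not part of this article or of the NetIQ product: it splits a server.log into one exception chain per SSO failure, matches the chain against the root-cause signatures quoted above, and prints the matching solution. The sample log is constructed from the first line and the "Caused by:" lines of the excerpts above, with the stack frames between them left out; the signature order matters because two of the chains end in the same "Identifier doesn't match expected value (906)" line.

```python
import re

# Root-cause signatures from the server.log excerpts above, each paired with the
# matching solution. Most specific first.
SIGNATURES = [
    (r"GSSHeader did not find the right tag",
     "encryption type mismatch: align the workstation's allowed Kerberos encryption "
     "types with the service account (AES options on the Account tab, DES disabled)"),
    (r"Specified version of key is not available \(44\)",
     "kvno mismatch after a password reset: regenerate the keytab with ktpass"),
    (r"Pre-authentication information was invalid \(24\)",
     "keytab password differs from Active Directory: reset the password or recreate the keytab"),
    (r"Password can not be obtained from sharedstate",
     "check the domain name in krb5.conf or krb5.ini"),
    (r"Client not found in Kerberos database \(6\)",
     "Windows 2008 domain controller issue: see Microsoft KB 951191"),
]
START = "Failed to perform SPNEGO Kerberos V5 SSO"


def split_failures(log_text):
    """Group server.log lines into one exception chain per SSO failure."""
    chains, current = [], None
    for line in log_text.splitlines():
        if START in line and "SSOFilter:doFilter" in line:
            current = [line]
            chains.append(current)
        elif current is not None:
            current.append(line)
    return chains


def classify(chain):
    """Map a chain's 'Caused by:' lines to the first matching signature."""
    causes = [l for l in chain if l.strip().startswith("Caused by:")]
    for pattern, advice in SIGNATURES:
        if any(re.search(pattern, c) for c in causes):
            return advice
    return "no known signature: read the full stack trace"


def triage(log_text):
    """Return (timestamp, advice) per failure; with no failures logged, point at the
    HTTP header size case, which produces a credential prompt but no log entry."""
    chains = split_failures(log_text)
    if not chains:
        return [("-", "no SSO errors logged: if users still get a credential prompt, "
                      "raise maxHttpHeaderSize on the JBoss connector")]
    return [(c[0][:23], classify(c)) for c in chains]


# Constructed sample built from the log excerpts above, stack frames omitted.
SAMPLE_LOG = """\
2014-03-27 00:02:10,375 INFO  [STDOUT] (http-0.0.0.0-8180-3) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
        at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:200)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
2014-03-27 01:30:57,397 INFO  [STDOUT] (http-0.0.0.0-8180-2) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
Caused by: KrbException: Identifier doesn't match expected value (906)
2014-03-31 23:56:01,788 INFO  [STDOUT] (http-0.0.0.0-8180-6) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
2014-09-29 11:50:44,547 INFO  [STDOUT] (http-0.0.0.0-8180-12) ERROR [RBPM] [com.novell.common.auth.sso.SSOFilter:doFilter] Failed to perform SPNEGO Kerberos V5 SSO.
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Caused by: KrbException: Client not found in Kerberos database (6)
Caused by: KrbException: Identifier doesn't match expected value (906)
"""

if __name__ == "__main__":
    for stamp, advice in triage(SAMPLE_LOG):
        print(stamp, "->", advice)
```

Feed it the real file with `triage(open("server.log", errors="replace").read())`; a chain that matches none of the signatures is reported as unknown rather than guessed, so the full trace still gets read in that case.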