CAS 3.1 Spnego Support
Arnaud Lesueur
arnaud.lesueur at gmail.com
Thu Sep 20 15:09:55 EDT 2007
Christoph,
First, I have to admit that I've never tried the SPNEGO Handler against the
MIT Kerberos Server. I've only tested against Microsoft KDC and I do not
have the time and resources to set up such a server (BTW I do not have my
test environment on Windows anymore either ... :-/).
But we should be optimistic, this might be a configuration issue :-)
Have a look at this page:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
*GSSException: No valid credentials provided (Mechanism level: Failed to
find any Kerberos Ticket)*
*Cause*: This may occur if no valid Kerberos credentials are obtained. In
particular, this occurs if you want the underlying mechanism to obtain
credentials but you forgot to indicate this by setting the
javax.security.auth.useSubjectCredsOnly system property value to false (for
example via -Djavax.security.auth.useSubjectCredsOnly=false in your
execution command).
*Solution*: Be sure to set the
javax.security.auth.useSubjectCredsOnly system property value to
false if you want the underlying mechanism to obtain credentials, rather
than your application or a wrapper program (such as the Login utility used
by some of the tutorials) performing authentication using JAAS.
What's the value of this property on your system? You might set it using
the useSubjectCredsOnly property in the jcifsConfig bean if you want.
Regards,
-Arnaud
On 9/20/07, Scott Battaglia <scott.battaglia at gmail.com> wrote:
>
> According to the stack trace:
>
> GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos Key)
>
> I don't know much about Kerberos so I'm not much help beyond finding
> exceptions in the stack trace. There are a couple of developers who do
> though (they're the ones that wrote the SPNEGO support) so hopefully
> they'll see this and respond.
>
> -Scott
>
> On 9/19/07, Christoph Ohliger <ohliger at fh-rosenheim.de> wrote:
> >
> > Hi,
> >
> > I am trying to implement authentication against a MIT Kerberos Domain
> > and have the following errors. Hope anyone can give me a hint, the kinit
> > works with the credentials ,-)
> >
> > regards
> > Christoph Ohliger
> >
> > Using builtin default etypes for default_tkt_enctypes
> > default etypes for default_tkt_enctypes: 3 1 23 16 17.
> > Acquire TGT using AS Exchange
> > Using builtin default etypes for default_tkt_enctypes
> > default etypes for default_tkt_enctypes: 3 1 23 16 17.
> > >>> KrbAsReq calling createMessage
> > >>> KrbAsReq in createMessage
> > >>> KrbKdcReq send: kdc=xx.xx.xx.xx UDP:88, timeout=30000, number of
> > retries =3, #bytes=184
> > >>> KDCCommunication: kdc= xx.xx.xx.xx UDP:88, timeout=30000,Attempt =1,
> > #bytes=184
> > >>> KrbKdcReq send: #bytes read=608
> > >>> KrbKdcReq send: #bytes read=608
> > >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> > >>> KrbAsRep cons in KrbAsReq.getReply HTTP/server.fh-rosenheim.de
> > Using builtin default etypes for default_tkt_enctypes
> > default etypes for default_tkt_enctypes: 3 1 23 16 17.
> > principal is HTTP/server.fh-rosenheim.de at FH-ROSENHEIM.DE
> > EncryptionKey: keyType=3 keyBytes (hex dump)=0000: F7 19 37 38 89 1F E6
> > 45
> > EncryptionKey: keyType=1 keyBytes (hex dump)=0000: F7 19 37 38 89 1F E6
> > 45
> > EncryptionKey: keyType=23 keyBytes (hex dump)=0000: AC 52 DE 04 0C 75 41
> > 2C C1 B5 C6 A0 38 15 0D CB .R...uA,....8...
> >
> > EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 25 B9 2A 43 C7 FE 86
> > 37 15 68 19 1F 80 AE 67 1A %.*C...7.h....g.
> > 0010: C8 F2 94 B6 2A B9 8F 85
> > EncryptionKey: keyType=17 keyBytes (hex dump)=0000: E9 CE 8D C3 8C 16 5A
> > FB 75 11 5C 41 8A EC E7 F3 ......Z.u.\A....
> >
> > Commit Succeeded
> >
> > jcifs.spnego.AuthenticationException : Error performing Kerberos
> > authentication: java.lang.reflect.InvocationTargetException
> > at
> > jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
> > at
> > jcifs.spnego.Authentication.processSpnego (Authentication.java:346)
> > at jcifs.spnego.Authentication.process(Authentication.java:235)
> > at
> >
> > org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(
> > JCIFSSpnegoAuthenticationHandler.java:56)
> > at
> >
> > org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate
> > (AbstractPreAndPostProcessingAuthenticationHandler.java :58)
> > at
> > org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(
> > AuthenticationManagerImpl.java:84)
> > at
> >
> > org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket
> > (CentralAuthenticationServiceImpl.java :383)
> > at
> > org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction.doExecute
> > (AbstractNonInteractiveCredentialsAction.java:79)
> > at
> > org.springframework.webflow.action.AbstractAction.execute(
> > AbstractAction.java :203)
> > at
> > org.springframework.webflow.engine.AnnotatedAction.execute(
> > AnnotatedAction.java:142)
> > at
> > org.springframework.webflow.engine.ActionExecutor.execute(
> > ActionExecutor.java:61)
> > at
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> > :180)
> > at org.springframework.webflow.engine.State.enter(State.java
> > :200)
> > at
> > org.springframework.webflow.engine.Transition.execute (Transition.java
> > :229)
> > at
> > org.springframework.webflow.engine.TransitionableState.onEvent(
> > TransitionableState.java:112)
> > at org.springframework.webflow.engine.Flow.onEvent(Flow.java
> > :572)
> > at
> >
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> > (RequestControlContextImpl.java:208)
> > at
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> > :185)
> > at org.springframework.webflow.engine.State.enter(State.java
> > :200)
> > at
> > org.springframework.webflow.engine.Transition.execute(Transition.java
> > :229)
> > at
> > org.springframework.webflow.engine.DecisionState.doEnter (
> > DecisionState.java:58)
> > at org.springframework.webflow.engine.State.enter(State.java
> > :200)
> > at
> > org.springframework.webflow.engine.Transition.execute(Transition.java
> > :229)
> > at
> > org.springframework.webflow.engine.DecisionState.doEnter (
> > DecisionState.java:58)
> > at org.springframework.webflow.engine.State.enter(State.java
> > :200)
> > at
> > org.springframework.webflow.engine.Transition.execute(Transition.java
> > :229)
> > at
> > org.springframework.webflow.engine.TransitionableState.onEvent (
> > TransitionableState.java:112)
> > at org.springframework.webflow.engine.Flow.onEvent(Flow.java
> > :572)
> > at
> >
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent
> > (RequestControlContextImpl.java :208)
> > at
> > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java
> > :185)
> > at org.springframework.webflow.engine.State.enter(State.java
> > :200)
> > at org.springframework.webflow.engine.Flow.start (Flow.java:557)
> > at
> > org.springframework.webflow.engine.impl.RequestControlContextImpl.start(
> > RequestControlContextImpl.java:196)
> > at
> > org.springframework.webflow.engine.impl.FlowExecutionImpl.start (
> > FlowExecutionImpl.java:189)
> > at
> > org.springframework.webflow.executor.FlowExecutorImpl.launch(
> > FlowExecutorImpl.java:206)
> > at
> >
> > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(
> > FlowRequestHandler.java:131)
> > at
> >
> > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal
> > (FlowController.java:172)
> > at
> > org.springframework.web.servlet.mvc.AbstractController.handleRequest (
> > AbstractController.java:153)
> > at
> >
> > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle
> > (SimpleControllerHandlerAdapter.java:48)
> > at
> > org.springframework.web.servlet.DispatcherServlet.doDispatch (
> > DispatcherServlet.java:857)
> > at
> > org.springframework.web.servlet.DispatcherServlet.doService(
> > DispatcherServlet.java:792)
> > at
> > org.springframework.web.servlet.FrameworkServlet.processRequest(
> > FrameworkServlet.java :475)
> > at
> > org.springframework.web.servlet.FrameworkServlet.doGet(
> > FrameworkServlet.java:430)
> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
> > at javax.servlet.http.HttpServlet.service (HttpServlet.java:802)
> > at
> > org.jasig.cas.web.init.SafeDispatcherServlet.service(
> > SafeDispatcherServlet.java:115)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> > ApplicationFilterChain.java :237)
> > at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(
> > ApplicationFilterChain.java:157)
> > at
> > org.apache.catalina.core.StandardWrapperValve.invoke(
> > StandardWrapperValve.java:214)
> > at
> > org.apache.catalina.core.StandardValveContext.invokeNext(
> > StandardValveContext.java:104)
> > at
> > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java
> > :520)
> > at
> > org.apache.catalina.core.StandardContextValve.invokeInternal (
> > StandardContextValve.java:198)
> > at
> > org.apache.catalina.core.StandardContextValve.invoke(
> > StandardContextValve.java:152)
> > at
> > org.apache.catalina.core.StandardValveContext.invokeNext(
> > StandardValveContext.java :104)
> > at
> > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java
> > :520)
> > at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> > :137)
> > at
> > org.apache.catalina.core.StandardValveContext.invokeNext (
> > StandardValveContext.java:104)
> > at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> > :118)
> > at
> > org.apache.catalina.core.StandardValveContext.invokeNext(
> > StandardValveContext.java :102)
> > at
> > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java
> > :520)
> > at
> > org.apache.catalina.core.StandardEngineValve.invoke(
> > StandardEngineValve.java:109)
> > at
> > org.apache.catalina.core.StandardValveContext.invokeNext (
> > StandardValveContext.java:104)
> > at
> > org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java
> > :520)
> > at
> > org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
> > at
> > org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
> > at
> > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java
> > :799)
> > at
> >
> > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(
> > Http11Protocol.java:705)
> > at
> > org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java
> > :577)
> > at
> > org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
> > ThreadPool.java:683)
> > at java.lang.Thread.run(Thread.java:595)
> > Caused by: java.lang.reflect.InvocationTargetException
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> > sun.reflect.NativeMethodAccessorImpl.invoke (
> > NativeMethodAccessorImpl.java:39)
> > at
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(
> > DelegatingMethodAccessorImpl.java:25)
> > at java.lang.reflect.Method.invoke(Method.java:585)
> > at
> > jcifs.spnego.Authentication.processKerberos (Authentication.java:430)
> > ... 69 more
> > Caused by: java.security.PrivilegedActionException:
> > java.lang.reflect.InvocationTargetException
> > at java.security.AccessController.doPrivileged(Native Method)
> > at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
> > ... 74 more
> > Caused by: java.lang.reflect.InvocationTargetException
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> > sun.reflect.NativeMethodAccessorImpl.invoke(
> > NativeMethodAccessorImpl.java:39)
> > at
> > sun.reflect.DelegatingMethodAccessorImpl.invoke(
> > DelegatingMethodAccessorImpl.java:25)
> > at java.lang.reflect.Method.invoke (Method.java:585)
> > at
> > jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
> > ... 76 more
> > Caused by: GSSException: No valid credentials provided (Mechanism level:
> > Failed to find any Kerberos Key)
> > at
> > sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(
> > Krb5AcceptCredential.java:75)
> > at
> > sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(
> > Krb5MechFactory.java:77)
> > at
> > sun.security.jgss.GSSManagerImpl.getCredentialElement(
> > GSSManagerImpl.java:149)
> > at
> > sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
> > at
> > sun.security.jgss.GSSCredentialImpl.<init>( GSSCredentialImpl.java:45)
> > at
> > sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java
> > :102)
> > ... 81 more
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
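
Added example, not part of the original message and not CAS or jCIFS code: a stand-alone check that makes the same acceptor-credential call that fails in the quoted stack trace (GSSManagerImpl.createCredential), so the effect of javax.security.auth.useSubjectCredsOnly can be tested outside the servlet container. The class name AcceptCredCheck and the command-line argument are assumptions made for the example.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added diagnostic (hypothetical class name): acquire acceptor credentials outside the web app. */
public class AcceptCredCheck {
    static final String PROP = "javax.security.auth.useSubjectCredsOnly";

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java AcceptCredCheck HTTP@<server-fqdn>");
            System.exit(2);
        }
        // The settings JGSS consults; an unset useSubjectCredsOnly defaults to true.
        String subjectOnly = System.getProperty(PROP);
        System.out.println(PROP + " = "
                + (subjectOnly == null ? "(unset, defaults to true)" : subjectOnly));
        System.out.println("java.security.auth.login.config = "
                + System.getProperty("java.security.auth.login.config"));
        System.out.println("java.security.krb5.conf = "
                + System.getProperty("java.security.krb5.conf"));
        try {
            Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
            GSSManager manager = GSSManager.getInstance();
            // Host-based form "HTTP@host" maps to the principal HTTP/host@REALM.
            GSSName service = manager.createName(args[0], GSSName.NT_HOSTBASED_SERVICE);
            // Same call that fails in the posted trace (GSSManagerImpl.createCredential).
            GSSCredential cred = manager.createCredential(
                    service, GSSCredential.INDEFINITE_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
            System.out.println("OK: acceptor credential acquired for " + cred.getName());
            cred.dispose();
        } catch (GSSException e) {
            System.out.println("FAILED: " + e.getMajorString() + " / " + e.getMinorString());
            if (e.getMajor() == GSSException.NO_CRED && !"false".equalsIgnoreCase(subjectOnly)) {
                // No Subject is active here, so with the property at true JGSS has
                // nowhere to look; with false it uses the JAAS entry
                // com.sun.security.jgss.accept from the login configuration file.
                System.out.println("Hint: rerun with -D" + PROP + "=false and a JAAS "
                        + "login config containing a com.sun.security.jgss.accept entry.");
            }
            System.exit(1);
        }
    }
}
```

Run it as the same OS user and with the same -D options as the servlet container. It prints only the GSS major and minor status, never key bytes, unlike the debug log quoted above.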