CAS 3.1 Spnego Support

Christoph Ohliger ohliger at fh-rosenheim.de
Fri Sep 21 03:01:46 EDT 2007


Arnaud,

thanks for the help ... I now have other error messages, which I will try to 
solve now.

regards
Christoph

Arnaud Lesueur wrote:
> Christoph,
>
> First, I have to admit that I've never tried the SPNEGO Handler 
> against the MIT Kerberos Server. I've only tested against Microsoft 
> KDC and I do not have time and resources to set up such a server (BTW 
> I no longer have my test environment on Windows either ... :-/).
>
> But we should be optimistic, this might be a configuration issue :-)
>
> Have a look at this page : 
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>
> *GSSException: No valid credentials provided (Mechanism level: Failed 
> to find any Kerberos Ticket)*
>
>     /Cause/: This may occur if no valid Kerberos credentials are
>     obtained. In particular, this occurs if you want the underlying
>     mechanism to obtain credentials but you forgot to indicate this by
>     setting the |javax.security.auth.useSubjectCredsOnly| system
>     property value to |false| (for example via
>     |-Djavax.security.auth.useSubjectCredsOnly=false| in your
>     execution command).
>
>     /Solution/: Be sure to set the
>     |javax.security.auth.useSubjectCredsOnly| system property value to
>     |false| if you want the underlying mechanism to obtain
>     credentials, rather than your application or a wrapper program
>     (such as the Login utility used by some of the tutorials)
>     performing authentication using JAAS.
>
>
> What's the value of this property on your system ? You might set it 
> using the useSubjectCredsOnly property in the jcifsConfig bean if you 
> want.
>
>
> Regards,
>
> -Arnaud
>
>
> On 9/20/07, *Scott Battaglia* <scott.battaglia at gmail.com> wrote:
>
>     According to the stack trace:
>
>     GSSException: No valid credentials provided (Mechanism level:
>     Failed to find any Kerberos Key)
>
>     I don't know much about Kerberos so I'm not much help beyond
>     finding exceptions in the stack trace.  There are a couple of
>     developers who do though (they're the ones that wrote the SPNEGO
>     support) so hopefully they'll see this and respond.
>
>     -Scott
>
>
>     On 9/19/07, *Christoph Ohliger* <ohliger at fh-rosenheim.de> wrote:
>
>         Hi,
>
>         I am trying to implement authentication against a MIT Kerberos
>         Domain and have the following errors. Hope anyone can give me a
>         hint, the kinit works with the credentials ,-)
>
>         regards
>         Christoph Ohliger
>
>         Using builtin default etypes for default_tkt_enctypes
>         default etypes for default_tkt_enctypes: 3 1 23 16 17.
>         Acquire TGT using AS Exchange
>         Using builtin default etypes for default_tkt_enctypes
>         default etypes for default_tkt_enctypes: 3 1 23 16 17.
>         >>> KrbAsReq calling createMessage
>         >>> KrbAsReq in createMessage
>         >>> KrbKdcReq send: kdc=xx.xx.xx.xx UDP:88, timeout=30000, number of retries =3, #bytes=184
>         >>> KDCCommunication: kdc= xx.xx.xx.xx UDP:88, timeout=30000,Attempt =1, #bytes=184
>         >>> KrbKdcReq send: #bytes read=608
>         >>> KrbKdcReq send: #bytes read=608
>         >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>         >>> KrbAsRep cons in KrbAsReq.getReply
>         HTTP/server.fh-rosenheim.de
>         Using builtin default etypes for default_tkt_enctypes
>         default etypes for default_tkt_enctypes: 3 1 23 16 17.
>         principal is HTTP/server.fh-rosenheim.de at FH-ROSENHEIM.DE
>
>         Commit Succeeded
>
>         jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
>                 at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
>                 at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
>                 at jcifs.spnego.Authentication.process(Authentication.java:235)
>                 at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:56)
>                 at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:58)
>                 at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:84)
>                 at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:383)
>                 at org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction.doExecute(AbstractNonInteractiveCredentialsAction.java:79)
>                 at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:203)
>                 at org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:142)
>                 at org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:61)
>                 at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:180)
>                 at org.springframework.webflow.engine.State.enter(State.java:200)
>                 at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>                 at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
>                 at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>                 at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
>                 at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
>                 at org.springframework.webflow.engine.State.enter(State.java:200)
>                 at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>                 at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:58)
>                 at org.springframework.webflow.engine.State.enter(State.java:200)
>                 at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>                 at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:58)
>                 at org.springframework.webflow.engine.State.enter(State.java:200)
>                 at org.springframework.webflow.engine.Transition.execute(Transition.java:229)
>                 at org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:112)
>                 at org.springframework.webflow.engine.Flow.onEvent(Flow.java:572)
>                 at org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:208)
>                 at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:185)
>                 at org.springframework.webflow.engine.State.enter(State.java:200)
>                 at org.springframework.webflow.engine.Flow.start(Flow.java:557)
>                 at org.springframework.webflow.engine.impl.RequestControlContextImpl.start(RequestControlContextImpl.java:196)
>                 at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:189)
>                 at org.springframework.webflow.executor.FlowExecutorImpl.launch(FlowExecutorImpl.java:206)
>                 at org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:131)
>                 at org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:172)
>                 at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
>                 at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
>                 at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
>                 at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
>                 at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
>                 at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430)
>                 at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
>                 at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
>                 at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
>                 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
>                 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
>                 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
>                 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>                 at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
>                 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
>                 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>                 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
>                 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>                 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
>                 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
>                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>                 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>                 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
>                 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
>                 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
>                 at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
>                 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
>                 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
>                 at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
>                 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
>                 at java.lang.Thread.run(Thread.java:595)
>         Caused by: java.lang.reflect.InvocationTargetException
>                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>                 at java.lang.reflect.Method.invoke(Method.java:585)
>                 at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)
>                 ... 69 more
>         Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
>                 at java.security.AccessController.doPrivileged(Native Method)
>                 at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
>                 ... 74 more
>         Caused by: java.lang.reflect.InvocationTargetException
>                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>                 at java.lang.reflect.Method.invoke(Method.java:585)
>                 at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)
>                 ... 76 more
>         Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
>                 at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:75)
>                 at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:77)
>                 at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
>                 at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
>                 at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:45)
>                 at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
>                 ... 81 more
>
>         _______________________________________________
>         Yale CAS mailing list
>         cas at tp.its.yale.edu <mailto:cas at tp.its.yale.edu>
>         http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
>     -- 
>     -Scott Battaglia
>
>     LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>
>
> -- 
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>   
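
Added example (not from this thread, and not CAS or jCIFS code): a stand-alone Java check of the setting discussed above. It sets javax.security.auth.useSubjectCredsOnly to false and asks JGSS for an acceptor credential from a keytab, the step that fails in Krb5AcceptCredential.getInstance in the quoted trace. The class name AcceptorKeyCheck, the two command-line arguments and the programmatic JAAS configuration are assumptions of this example.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.*;
import org.ietf.jgss.*;

// Hypothetical diagnostic class, not part of CAS or jCIFS.
// Usage: java AcceptorKeyCheck <service-principal> <keytab-path>
public class AcceptorKeyCheck {
    public static void main(String[] args) throws Exception {
        final String principal = args[0], keytab = args[1];

        // Let the Kerberos mechanism run its own JAAS login instead of
        // requiring the caller's Subject to already hold the service key.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");    // keep the long-term key for accept
        opts.put("doNotPrompt", "true"); // fail rather than ask for a password

        // Answer every entry name, so the mechanism's acceptor lookup
        // (for example com.sun.security.jgss.accept) gets the keytab login.
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        });

        try {
            // null name = default acceptor principal; OID is the Kerberos v5 mechanism.
            GSSCredential cred = GSSManager.getInstance().createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid("1.2.840.113554.1.2.2"), GSSCredential.ACCEPT_ONLY);
            System.out.println("acceptor credential for " + cred.getName());
        } catch (GSSException e) {
            System.out.println("acceptor credential failed: " + e.getMessage());
        }
    }
}
```

Run it as the account the servlet container uses, so that keytab file permissions are exercised as well.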
