
Kerberos Works If Previously Not Pre-Authorized


I'm moving an application from WebLogic to JBoss EAP 6.4 and I almost have it working. The issue is that I can only get Kerberos authentication to work if I flip the isInitiator module option of the spnego-server security domain in my standalone-full-ha.xml back and forth.

If I set isInitiator=true, then at application start I get the error "Pre-authentication information was invalid" (this is the KDC rejecting the key from the keytab when the login module tries to obtain a TGT for the service principal; typically a kvno/password mismatch between keytab and KDC).

If I set isInitiator=false, then when I open the page I get "NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported" (i.e. the browser sent an NTLM token instead of a Kerberos/SPNEGO token).

However, if I then go back to isInitiator=true after it had failed with false, it works for a day.

It goes back to "Pre-authentication information was invalid" the next day. I have to attempt to connect with isInitiator=false again to get it to work again.

My standalone-full-ha.xml looks like this:

 <system-properties>
        <!-- Kerberos / JAAS wiring shared by every security-domain below -->
        <property name="java.security.krb5.conf" value="/app/jb-8443/krb5.conf"/>
        <property name="java.security.auth.login.config" value="/app/jb-8443/login.conf"/>
        <!-- false lets JGSS fall back to the JAAS entries named
             com.sun.security.jgss.krb5.initiate / .accept when the calling
             thread carries no Subject credentials (hence those entries below) -->
        <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
        <property name="jboss.security.disable.secdomain.option" value="true"/>
        <!-- troubleshooting only: prints ticket/key metadata into the server log,
             drop this before going to production -->
        <property name="sun.security.krb5.debug" value="true"/>
        <!-- platform / hardening -->
        <property name="java.net.preferIPv4Stack" value="true"/>
        <!-- empty value suppresses the Server response header -->
        <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value=""/>
    </system-properties>
...
 <security-domain name="spnego-client" cache-type="default">
                    <authentication>
                        <!-- Bare Krb5LoginModule with no keytab/ticket-cache options:
                             by default it prompts through the callback handler for a
                             principal and password. Kept as it was on WebLogic. -->
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"></login-module>
                    </authentication>
                </security-domain>
                <security-domain name="spnego-server" cache-type="default">
                    <authentication>
                        <!-- Server-side (acceptor) identity used by the SPNEGO authenticator.
                             It needs only the service key from the keytab (storeKey=true).
                             With isInitiator=true Krb5LoginModule additionally performs an
                             AS exchange at login to fetch a TGT for the principal; a
                             "Pre-authentication information was invalid" here means the KDC
                             rejected the keytab key (stale keytab / kvno mismatch), not that
                             the acceptor role itself is misconfigured. -->
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <!-- NOTE(review): an acceptor does not need a TGT; false is the
                                 documented value for accept-only entries - confirm behaviour
                                 with a freshly exported keytab before relying on the flip -->
                            <module-option name="isInitiator" value="true"/>
                            <module-option name="keyTab" value="/app/jb-8443/krb5.keytab"/>
                            <!-- troubleshooting only; remove in production -->
                            <module-option name="debug" value="true"/>
                            <module-option name="principal" value="[email protected]"/>
                            <!-- never fall back to interactive prompting on a server -->
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <security-domain name="com.sun.security.jgss.krb5.initiate" cache-type="default">
                    <authentication>
                        <!-- JGSS initiator entry, looked up by this exact name when
                             javax.security.auth.useSubjectCredsOnly=false. Identical to
                             spnego-server above; isInitiator=true is correct here because
                             an initiator must obtain a TGT from the keytab key. -->
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <module-option name="isInitiator" value="true"/>
                            <module-option name="keyTab" value="/app/jb-8443/krb5.keytab"/>
                            <!-- troubleshooting only; remove in production -->
                            <module-option name="debug" value="true"/>
                            <module-option name="principal" value="[email protected]"/>
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
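                <security-domain name="com.sun.security.jgss.krb5.accept" cache-type="default">
                    <authentication>
                        <!-- JGSS acceptor entry, looked up by this exact name when
                             javax.security.auth.useSubjectCredsOnly=false. An acceptor only
                             needs the service key from the keytab; it must not try to obtain
                             a TGT, which is what isInitiator=true makes Krb5LoginModule do at
                             login (and what fails with "Pre-authentication information was
                             invalid" when the KDC rejects the keytab key). The original had
                             isInitiator=true here, contradicting the login.conf entry of the
                             same name; this now matches login.conf. -->
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <!-- required for an acceptor: keeps the service key in the Subject -->
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <module-option name="isInitiator" value="false"/>
                            <!-- NOTE(review): this path differs from every other entry
                                 (/app/jb-8443/krb5.keytab) - confirm which file really exists,
                                 a missing keytab fails the whole accept entry -->
                            <module-option name="keyTab" value="/app/pyks0app/jb-8443/krb5.keytab"/>
                            <!-- troubleshooting only; remove in production -->
                            <module-option name="debug" value="true"/>
                            <module-option name="principal" value="[email protected]"/>
                            <!-- never fall back to interactive prompting on a server -->
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>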

The login.conf has:

// JGSS initiator entry (default JAAS name consulted when
// javax.security.auth.useSubjectCredsOnly=false). isInitiator is not
// set, so it defaults to true: the module obtains a TGT from the keytab key.
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    useKeyTab=true
    keyTab="/app/jb-8443/krb5.keytab"
    storeKey=true
    useTicketCache=false
    doNotPrompt=true
    debug=true;          // troubleshooting only; remove in production
};

// JGSS acceptor entry. isInitiator=false is the right setting for an
// acceptor: it loads the service key from the keytab without an AS exchange,
// so it cannot hit "Pre-authentication information was invalid".
// Note that the security-domain of the same name in standalone-full-ha.xml
// sets isInitiator=true; the two definitions disagree.
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="[email protected]"
    useKeyTab=true
    keyTab="/app/jb-8443/krb5.keytab"
    storeKey=true
    useTicketCache=false
    isInitiator=false
    refreshKrb5Config=true
    // NOTE(review): moduleBanner is not a documented Krb5LoginModule option -
    // check whether it is a leftover from the WebLogic configuration
    moduleBanner=true
    // NOTE(review): storePass keeps a password in the Subject's private
    // credentials; with a keytab there is no password, so this can be dropped
    storePass=true;
};
// Client entry with no options: Krb5LoginModule falls back to prompting
// for a principal and password through the callback handler.
spnego-client { com.sun.security.auth.module.Krb5LoginModule required; };
// Server (acceptor) entry. isInitiator is not set here, so it defaults to
// true and the module also performs an AS exchange for a TGT at login.
spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="[email protected]"
    useKeyTab=true
    keyTab="/app/jb-8443/krb5.keytab"
    storeKey=true
    useTicketCache=false
    doNotPrompt=true
    debug=true;          // troubleshooting only; remove in production
};

The WebLogic deployment only had the spnego-client and spnego-server parts. I added the com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept parts, and only after adding them could I connect at all, using the isInitiator flip trick.

Is there a way around this? For example, can pre-authentication be skipped if the server hasn't connected yet today? If something is being cached for only 24 hours, can it be kept alive longer?

Are those initiate and accept parts needed on top of the spnego-server?


