Java Kerberos authentication seems to work, still gets rejected

I've got a Java client app and a Java server app, and I'm trying to authenticate to the server via Kerberos. The client basically uses http-components and SPNEGO to make an HTTP GET call, but I always get 401 Unauthorized as a result.

I cannot spot the error in the Kerberos login sequence below, maybe you guys can:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos-Benutzername [GP_Myuser]: GP_Myuser@EESERV.LOCAL
Kerberos-Passwort für GP_Myuser@EESERV.LOCAL:
                [Krb5LoginModule] user entered username: GP_Myuser@EESERV.LOCAL

default etypes for default_tkt_enctypes: 23.
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=144
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=144
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jul 05 16:28:31 CEST 2011 1309876111000
         suSec is 250145
         error code is 25
         error Message is Additional pre-authentication required
         realm is EESERV.LOCAL
         sname is krbtgt/EESERV.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
         PA-ETYPE-INFO salt =
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
         PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 23.
>>>KrbAsReq salt is EESERV.LOCALGP_Myuser
default etypes for default_tkt_enctypes: 23.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=222
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=222
>>> KrbKdcReq send: #bytes read=1450
>>> KrbKdcReq send: #bytes read=1450
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply GP_Myuser
default etypes for default_tkt_enctypes: 23.
principal is GP_Myuser@EESERV.LOCAL
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D F9 1C A6 3B 94 7B 27   B3 6C D7 E5 70 77 84 22  =...;..'.l..pw."

Commit Succeeded

Found ticket for GP_Myuser@EESERV.LOCAL to go to krbtgt/EESERV.LOCAL@EESERV.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=1452
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=1452
>>> KrbKdcReq send: #bytes read=1436
>>> KrbKdcReq send: #bytes read=1436
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 512880730
Created InitSecContextToken:

05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
INFO: I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond
05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
INFO: Retrying request
----------------------------------------
HTTP/1.1 401 Unauthorized
----------------------------------------
<html><head>
<meta http-equiv="Refresh" content="0; url=/share/page?pt=login">
</head><body><p>Please <a href="/share/page?pt=login">log in</a>.</p>
</body></html>

----------------------------------------
Michael Böckling asked Jul 05 '11 16:07


1 Answer

Your Kerberos configuration might be completely fine. The 401 message means that the authentication itself probably went fine. However, I suspect the webapp only allows users if they are assigned a Role. The SPNego mechanism does not assign such a role out-of-the-box. You still need to configure a Realm that performs the mapping.

See also my question on the Tomcat users mailing list. https://mail-archives.apache.org/mod_mbox/tomcat-users/201210.mbox/%[email protected]%3E

MvanHulsentop answered Oct 27 '22 00:10
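A triage script for traces like the one in the question, added here as an illustration and not part of the question or the answer: it scans the milestone lines a Java Krb5LoginModule/GSS debug run prints, flags fatal KDC error codes, and checks whether a 401 came with a Negotiate challenge, so a client-side Kerberos failure can be told apart from the server-side authorization problem the answer suspects. The trace excerpt is constructed from the question's log; the marker strings and error-code meanings are assumptions taken from Oracle's Krb5 debug output and RFC 4120.

```python
import re

# Constructed excerpt (milestone lines only) of a Java Krb5LoginModule/GSS debug trace,
# modelled on the question's log, with the HTTP status line the client got back.
SAMPLE_TRACE = """\
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>> KrbAsRep cons in KrbAsReq.getReply GP_Myuser
Commit Succeeded
Found ticket for GP_Myuser@EESERV.LOCAL to go to krbtgt/EESERV.LOCAL@EESERV.LOCAL
Entered Krb5Context.initSecContext with state=STATE_NEW
>>> Credentials acquireServiceCreds: same realm
Created InitSecContextToken:
HTTP/1.1 401 Unauthorized
"""

# RFC 4120 KDC error codes a client trace commonly shows; 25 is expected on the first AS-REQ.
KDC_ERRORS = {6: "client principal unknown", 7: "service principal unknown",
              18: "client credentials revoked", 23: "password expired",
              24: "pre-authentication failed (wrong password/key)", 37: "clock skew too great"}

MILESTONES = [  # (marker in the trace, what reaching it proves)
    (">>> KrbAsRep cons in", "AS-REP received: KDC accepted the password"),
    ("Commit Succeeded", "JAAS login committed: TGT stored in the Subject"),
    ("Credentials acquireServiceCreds", "TGS exchange started for the service principal"),
    ("Created InitSecContextToken", "AP-REQ/SPNEGO token built: client-side authentication done"),
]

def triage(trace):
    """Report how far a Kerberos/SPNEGO attempt got and what the HTTP outcome implies."""
    fatal = [(int(c), KDC_ERRORS.get(int(c), "see RFC 4120"))
             for c in re.findall(r"error code is (\d+)", trace) if int(c) != 25]
    reached = [what for marker, what in MILESTONES if marker in trace]
    m = re.search(r"^HTTP/1\.[01] (\d{3})", trace, re.M)
    status = int(m.group(1)) if m else None
    if fatal:
        verdict = "kdc-rejected"          # fix the client side: principal, password, clock
    elif "Created InitSecContextToken" not in trace:
        verdict = "client-incomplete"     # no token was ever built; read the last trace lines
    elif status == 401 and "WWW-Authenticate: Negotiate" not in trace:
        verdict = "server-side"           # token built; 401 with no Negotiate challenge points at authz/realm mapping
    elif status == 401:
        verdict = "token-rejected"        # server challenged but did not accept the token (check the service SPN/keytab)
    else:
        verdict = "ok" if status is not None and status < 400 else "unknown"
    return {"fatal_kdc_errors": fatal, "reached": reached, "http_status": status, "verdict": verdict}
```

Feed it the full debug output with the response headers included; when the headers are not captured, as in the question's paste, the 401 branch cannot distinguish a missing Negotiate challenge from an unlogged one.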