Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

SPNEGO with Tomcat error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I am trying to implement a browser based single sign on using SPNEGO with Tomcat.

I have followed all the instructions on these two pages:

  • http://spnego.sourceforge.net/pre_flight.html
  • http://spnego.sourceforge.net/spnego_tomcat.html

When I accessed hello_spnego.jsp from Firefox or Chrome, I was asked for username and password, and then it showed me my username perfectly; worked like a charm. However, when I tried to access it with IE, I am getting this error:

HTTP Status 500 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

type Exception report

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

While trying to look for a solution, I came across this page: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

I followed the Client Configuration instructions in the second half of the page. After that, all the three browsers (Chrome, Firefox and IE) show this same error, but none of them ask for username and password anymore.

I have verified that the account used to talk to the KDC is working correctly. Also, I have the username and password specified in the web.xml file, so I don't have a separate KeyTab file.

For diagnosis purposes, here are the contents of my krb5.conf and login.conf files:

krb5.conf

[libdefaults]
    default_realm = DEVID.LOCAL
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    permitted_enctypes   = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5

[realms]
    DEVID.LOCAL  = {
        kdc =  cdi-prod.devid.local 
        default_domain = DEVID.LOCAL 
}

[domain_realm]
    .DEVID.LOCAL = DEVID.LOCAL 

login.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};

Since I don't have a keytab file, it's not mentioned in the login.conf file.

Also, since I'm using aes256-cts encryption, I have added the requisite JCE Policy files (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) in the jre/lib/security folder of the jdk.

FYI, I'm using Tomcat 8 and JDK 1.8.

I would really appreciate some insight on what's happening here. If you need more information, please let me know. Thanks in advance!

like image 837
Deb Dey Avatar asked Nov 06 '14 16:11

Deb Dey


1 Answers

Kerberos SPNEGO Checksum failed problem

source click

I made SPNEGO authentication for my web apps. During development I met a problem authenticating users using keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I've found solution how to resolve a problem. I've used RHEL 7 on servers and clients, and FreeIPA as a KDC/LDAP server:

  1. Open /etc/krb5.conf on web app server and add into section [libdefaults] one line

    [libdefaults]

    default_tkt_​enctypes = arcfour-hmac-md5

This is most important thing. This line resolves "Checksum failed" problem

  1. On a client: kinit username Password for [email protected]:

after successful authentication in Kerberos domain we can access Kerberized web apps using curl:

curl -v -k --negotiate -u : --cacert /etc/ipa/ca.crt https://myservice.com:8090/krb

  1. In FireFox, print about:config in address bar -> I promise -> then find

network.negotiate-auth.delegation-uris​ value http://,https://

network.negotiate-auth.trusted-uris value .myservice.com​

like image 59
mike Avatar answered Jan 03 '23 15:01

mike