java - SSO for Tomcat users with SPNEGO fails -


i have app running on tomcat server. app authenticates active directory using spnego module.

steps take make setup work are:

  1. add tomcat app ad domain
  2. make rest api login call app. rest api call perform authentication/authorization ad using spnego.

as part of brand new app initialization, start app first time , add app-host ad domain. make api call performs ad authorization fails following error.

type exception report:

message gssexception: failure unspecified @ gss-api level (mechanism level: invalid argument (400) - cannot find key of appropriate type decrypt ap rep - rc4 hmac)  description server encountered internal error prevented fulfilling request.  exception  javax.servlet.servletexception: gssexception: failure unspecified @ gss-api level (mechanism level: invalid argument (400) - cannot find key of appropriate type decrypt ap rep - rc4 hmac)     net.sourceforge.spnego.spnegohttpfilter.dofilter(spnegohttpfilter.java:238) root cause  gssexception: failure unspecified @ gss-api level (mechanism level: invalid argument (400) - cannot find key of appropriate type decrypt ap rep - rc4 hmac)     sun.security.jgss.krb5.krb5context.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.spnego.spnegocontext.gss_acceptseccontext(unknown source)     sun.security.jgss.spnego.spnegocontext.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     net.sourceforge.spnego.spnegoauthenticator.dospnegoauth(spnegoauthenticator.java:444)     net.sourceforge.spnego.spnegoauthenticator.authenticate(spnegoauthenticator.java:283)     net.sourceforge.spnego.spnegohttpfilter.dofilter(spnegohttpfilter.java:234) root cause  krbexception: invalid argument (400) - cannot find key of appropriate type decrypt ap rep - rc4 hmac     sun.security.krb5.krbapreq.authenticate(unknown source)     sun.security.krb5.krbapreq.<init>(unknown source)     sun.security.jgss.krb5.initseccontexttoken.<init>(unknown source)     sun.security.jgss.krb5.krb5context.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.spnego.spnegocontext.gss_acceptseccontext(unknown source)     sun.security.jgss.spnego.spnegocontext.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     sun.security.jgss.gsscontextimpl.acceptseccontext(unknown source)     net.sourceforge.spnego.spnegoauthenticator.dospnegoauth(spnegoauthenticator.java:444)     net.sourceforge.spnego.spnegoauthenticator.authenticate(spnegoauthenticator.java:283)     net.sourceforge.spnego.spnegohttpfilter.dofilter(spnegohttpfilter.java:234) note full stack trace of root cause available in apache tomcat/6.0.36 logs.

this indicates spnego not able find key decrypt communication ad.

the problem goes away restart tomcat. after restart if tomcat, user can perform sso based authorization.

i checked keytab file , looks ok. using rc4-hmac encryption purpose. login.conf , krb5.conf configured correctly on host. ( after restart works fine )

i ran strace on tomcat pid see if spnego reads keytab file. appears tomcat/spnego calling stat on file, never opening it. tomcat/spnego thinks whatever it's cached still correct.

here's lines call:

7832  1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab",  <unfinished ...> 7832  1431560872.443416 <... stat resumed> {st_mode=s_ifreg|0600, st_size=894, ...}) = 0

i never see read though.

please let me know if has seen issue of spnego caching information , problem goes away restart tomcat


-

Comments

Post a Comment

Popular posts from this blog

apache - PHP Soap issue while content length is larger -

we have developed soap based webservice post data third party webservice. accepts 4 params. in 1 of parameters accepts xml string no size limit restriction put in place. the webservice works fine in local environment running on php 5.2 , apache2. works content length long 10 mb. in staging server running nginx , php fpm.we have updated max post size , max upload filesize in php.ini , client_max_body param in nginx.conf allow upto 50 mb. but webservice client keeps on loading in staging environment. gives 502 timeout , gives soap error. can me understand issue here?
Read more

asynchronous - Python asyncio task got bad yield -

i confused how play around asyncio module in python 3.4. have searching api search engine, , want each search request run either parallel, or asynchronously, don't have wait 1 search finish start another. here high-level searching api build objects raw search results. search engine using kind of asyncio mechanism, won't bother that. # no asyncio module used here class search(object): ... self.s = some_search_engine() ... def searching(self, *args, **kwargs): ret = {} # raw searching according args , kwargs , build wrapped results ... return ret to try async requests, wrote following test case test how can interact stuff asyncio module. # here testing script @asyncio.coroutine def handle(f, *args, **kwargs): r = yield f(*args, **kwargs) return r s = search() loop = asyncio.get_event_loop() loop.run_until_complete(handle(s.searching, arg1, arg2, ...)) loop.close() by running pytest, return runtimeerror: task got bad yield : {results s...
Read more

javascript - Complete OpenIDConnect auth when requesting via Ajax -

the normal openidconnect server works like: you go a.com/secure-resource you 302 server your browser handles , sends identity server you login there it sends a.com via post you logged in on a.com , a.com/secure-resource on browser. however have scenario i'm trying solve need help. the user logged in on idserver the user logged in on a.com the user not logged in on b.com we need send ajax call web server b.com (from domain a.com ) b.com configured use openidconnect. but because request b.com via ajax, user cannot redirected idserver. (all in response 302 ) we can go ahead , handle 302 via ajax (i'm still not sure whether work, security-wise). but is there scenario in identityserver/openidconnect designed these situations? with identityserver in scenario setup server b.com use bearer token authentication, need use access token provided a.com in headers of ajax call $.ajax({ url: 'http://b.com', headers: { ...
Read more