JBoss Negotiate

Krishnawat, Nagendra Nagendra.Krishnawat at westernasset.com
Mon Mar 16 14:55:08 EDT 2009


Hi,
Thank you very much for the reply.

I am using SPNEGO for silent authentication, referring to https://www.jboss.org/community/docs/DOC-10680

Environment specification:

Server Machine: Microsoft Windows Server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
KDC: Windows Server 2003 R2; in my case server and KDC are the same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
Client Machine: Microsoft Windows XP Professional (Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)


I basically followed the PDF user guide document downloaded from the above link (https://www.jboss.org/community/docs/DOC-10680).

User properties are in mail attachment (properties.jpg).

SPN setting:

C:\Program Files\Support Tools>setspn -l PASKTABSVR1
Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
    HTTP/PASKTABSVR1.wamtest.wa.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
    GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
    HOST/PASKTABSVR1
    HOST/PASKTABSVR1.wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
    ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
    ldap/PASKTABSVR1
    ldap/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    DNS/PASKTABSVR1.wamtest.wa.local


Command used to create keytab file:

C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABSVR1@WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab



Login modules from JBoss (login-config.xml):
.
..
......
<application-policy name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">host/PASKTABSVR1@WAMTEST.WA.LOCAL</module-option>
            <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="SPNEGO">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
.....
..
.


As per the document there are three tests (Attachment: Negotiation_test.jpg).

Results of the tests in my environment (test_results.jpg):

The first and second tests pass, i.e. the client browser gets the token, and in the second test the host login module gets authenticated.
The final test, i.e. "secured", which is the integrated test of both client and server, fails with the following exception:

Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)


As per your mail I mapped a different SPN; I tried:

C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1       (lower case pasktabsvr1)

But it didn't help; I got the same exception "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".

Am I doing anything fundamentally wrong?

-Nagendra
-----Original Message-----
From: Thomas Maslen [mailto:Thomas.Maslen at quest.com]
Sent: Saturday, March 14, 2009 7:21 PM
To: kerberos at mit.edu
Cc: Krishnawat, Nagendra
Subject: Re: JBoss Negotiate

Let me guess...  you're probably running JBoss on a Windows machine that is joined to the Active Directory domain?

If so, then the problem is:  you have got your SPN mappings wrong.  (i.e. the hostname in the URL that you are using in the browser doesn't match any SPN mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service object, so it doesn't use your service object.  If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it implicitly maps HTTP/foo.example.com to the AD Computer object for foo.example.com (equivalently, HOST/foo.example.com).  This works nicely for Microsoft IIS but for other SPNEGO implementations it produces the rather non-obvious error that you are seeing at present.
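A practical check that complements the SPN-mapping point above: the exception in the post says the AP-REQ was protected with RC4-HMAC, while the keytab was generated with "-crypto DES-CBC-CRC", so the server side has no key of the type the client's ticket actually uses. The following script, added here as an example and not code from the thread, the JBoss Negotiation project or Microsoft's ktpass, builds a constructed keytab in the MIT version-2 file format (assumed to be what ktpass writes and what Krb5LoginModule reads), parses it back, and lists which required encryption types are missing for a principal. The key bytes are filler, the enctype numbers are the IANA/RFC 3961, 3962 and 4757 values, and the function names are this example's own.

```python
import struct

# Encryption type numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
KRB_NT_PRINCIPAL = 1         # name type used for service/host@REALM principals


def _counted(data: bytes) -> bytes:
    """Encode a counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key_bytes) tuples into keytab v2 bytes.

    Constructed for this example so it runs offline; the key material is filler,
    not real Kerberos keys.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB_NT_PRINCIPAL, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key            # keyblock: enctype, length, key
        body += struct.pack(">I", kvno)                                # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body                     # entry is prefixed by its size
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict (principal, kvno, enctype, enctype_name) per entry in keytab v2 bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                       # the key bytes themselves are not needed here
        kvno = vno8
        if end - pos >= 4:                # 32-bit kvno present after the keyblock
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
        })
    return entries


def missing_enctypes(data: bytes, principal: str, required):
    """Names of the required enctypes for which `principal` has no key in the keytab."""
    present = {e["enctype"] for e in parse_keytab(data) if e["principal"] == principal}
    return [ENCTYPE_NAMES[t] for t in required if t not in present]


# Constructed sample: the shape of a keytab made with "ktpass -crypto DES-CBC-CRC",
# i.e. a single DES key for the service principal (8 filler bytes, not a real key).
SAMPLE_PRINCIPAL = "host/PASKTABSVR1@WAMTEST.WA.LOCAL"
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINCIPAL, 3, 1, b"\x01" * 8)])


def check_sample():
    """Which of the enctypes a Windows client will use (RC4-HMAC here) lack a key."""
    return missing_enctypes(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL, [23])


if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print("missing:", check_sample())
```

Run against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes; an empty list from missing_enctypes means the keytab holds a key of every type the client may negotiate. The defensive reading of the thread's error is that the keytab and the ticket must agree on enctype, and single-DES is deprecated (RFC 6649), so the fix is a keytab that carries the stronger types rather than forcing the client down to DES.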

