kerberos / spnego
miten mehta
imiten at yahoo.com
Thu Oct 11 01:13:02 EDT 2012
Hi Benjamin,
When I obtain kerberos credentials using Network Identity Manager on Win7 against debian kdc I get dialog that kerberos 4 related credential not fetched. I see the ticket for krb5 in manager.
The logs show below:
==> krb5kdc.log <==
Oct 11 10:28:19 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: NEEDED_PREAUTH: msm at PRIMESYSTEMS.COM for krbtgt/PRIMESYSTEMS.COM at PRIMESYSTEMS.COM, Additional pre-authentication required
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.225: ISSUE: authtime 1349931500, etypes {rep=18 tkt=18 ses=18}, msm at PRIMESYSTEMS.COM for krbtgt/PRIMESYSTEMS.COM at PRIMESYSTEMS.COM
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0, msm at PRIMESYSTEMS.COM for krbtgt/PRIMESYSTEMS.COM at PRIMESYSTEMS.COM, KDC has no support for encryption type
Oct 11 10:28:20 pinkydebian krb5kdc[948](info): TGS_REQ (1 etypes {1}) 192.168.1.225: BAD_ENCRYPTION_TYPE: authtime 0, msm at PRIMESYSTEMS.COM for krbtgt/PRIMESYSTEMS.COM at PRIMESYSTEMS.COM, KDC has no support for encryption type
sspi is I guess not really making any difference. I set to false or true I see below wherein principal is anonymousUser may be just created since it cannot find any passed. I expect msm being passed.
==> catalina.out <==
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /deny.xhtml; matched=false
10:10:39 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /**; matched=true
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No HttpSession currently exists
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
10:10:39 DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken at 6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails at ffffe21a: RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
10:10:39 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /secure/extreme/**; matched=false
10:10:39 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /supervisor_teller.xhtml; matched=true
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /supervisor_teller.xhtml; Attributes: [ROLE_TELLER, ROLE_SUPERVISOR]
10:10:39 DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken at 6faa93c2: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails at ffffe21a: RemoteIpAddress: 192.168.1.225; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
10:10:39 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter at 1531252, returned: -1
10:10:39 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter at d7f248, returned: 0
10:10:39 DEBUG access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
10:10:39 DEBUG savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml]
10:10:39 DEBUG access.ExceptionTranslationFilter - Calling Authentication entry point.
10:10:39 DEBUG web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml
10:10:39 DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or anonymous - context will not be stored in HttpSession.
10:10:39 DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
________________________________
From: miten mehta <imiten at yahoo.com>
To: Benjamin Kaduk <kaduk at MIT.EDU>
Cc: "kerberos at mit.edu" <kerberos at MIT.EDU>
Sent: Thursday, October 11, 2012 10:23 AM
Subject: Re: kerberos / spnego
Hi,
I am using MIT kerberos both on debian and windows downloaded from http://www.kerberos.org/software/index.html.
Regards,
Miten.
________________________________
From: Benjamin Kaduk <kaduk at MIT.EDU>
To: miten mehta <imiten at yahoo.com>
Cc: "kerberos at mit.edu" <kerberos at MIT.EDU>
Sent: Thursday, October 11, 2012 1:24 AM
Subject: Re: kerberos / spnego
On Wed, 10 Oct 2012, miten mehta wrote:
> Hi Benjamin,
>
> I configured firefox for no sspi and also added domain primesystems.com
I do not remember seeing you specify what kerberos implementation you are using. SSPI should only be disabled in some situations, and I don't know which situation you are in.
-Ben Kaduk
More information about the Kerberos
mailing list