Jboss-negotiation-toolkit "secure" test fails (SPNEGO authentication fails)
I posted the same question on the JBoss PicketBox forum a few days ago but have not received any answers yet (https://community.jboss.org/thread/220959), so I thought I'd try StackOverflow to reach a larger audience.
I've been trying to get jboss-negotiation-toolkit to work for several weeks and I think I've tried everything other people have come across. I am now stuck at the point where I cannot get the "Secured" test of the servlet to work. The "Security Domain Test" as well as the "Basic Negotiation" test work great, but JBoss keeps throwing a "LoginException" when I try to open the secured link. I'm pretty sure this is due to some AD / Kerberos setup issue, but I couldn't make any more progress.
11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
...
Does anyone face the same problem, or does anyone have any suggestions as to where the problem might be? Sorry for the huge post, but below are all the setup details and how I set things up; I'm trying to provide as much detail as possible.
Here's our setup:
- Windows 2008 AD (QAAD)
  - DNS name: qaad.dev.company.com
  - Domain: QUALITY (QUALITY.COMPANY.COM)
- CentOS 6.2 running JBoss AS 7.1.1.Final (BARDEV1)
  - Deployed (expanded): jboss-negotiation-toolkit-2.2.2.Final
  - DNS name: bardev1.dev.company.com
- The tested WinXP and Win7 clients are joined to the QUALITY domain
BARDEV1 is currently joined to the QUALITY domain (is that necessary, or should it work without being domain joined?).
JBoss SPNEGO configuration:
<security-domain name="qaad_kerberos" cache-type="default">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
      <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
      <module-option name="refreshKrb5Config" value="false"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
    </login-module>
  </authentication>
</security-domain>
/etc/krb5.conf is set to:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = QUALITY.COMPANY.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac

[realms]
 QUALITY.COMPANY.COM = {
  kdc = qaad.dev.company.com
  admin_server = qaad.dev.company.com
  default_domain = quality.company.com
 }

[domain_realm]
 .quality.company.com = QUALITY.COMPANY.COM
 quality.company.com = QUALITY.COMPANY.COM
QAAD contains the "computer" account for "bardev1". This account has the delegation setting "Trust this computer for delegation to any service (Kerberos only)". The keytab and SPN were generated on QAAD with the following commands:
- setspn -S HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM bardev1
- ktpass /out bardev1_qaad_rc4.keytab /princ HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM /mapuser quality\administrator -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL /pass * /kvno 0
  (Note: I had to use /kvno 0 because otherwise I got: KrbException: The specified version of the key is not available (44))
- setspn -L bardev1
  Output: Registered ServicePrincipalNames for CN=bardev1,CN=Computers,DC=Quality,DC=Company,DC=com: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM HOST/bardev1.dev.company.com HOST/BARDEV1
- setspn -L admin
  Output: Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=Quality,DC=Company,DC=com: HTTP/bardev1.dev.company.com
I'm using the Administrator account for the initial tests so I don't have to deal with new user accounts. This account has delegation set to "Trust this user for delegation to any service (Kerberos only)" and has no other account options set, such as "Use Kerberos DES encryption types for this account", "This account supports Kerberos AES 128/256 bit encryption" or "Do not require Kerberos preauthentication". Are any of these needed?
On the client computers, to force the browsers to use the logged-in user's credentials, I have to use the URL:
- http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final
If I use it like this:
- http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final
then I get a username / password prompt.
I also tried running setspn and ktpass with "HTTP/bardev1@QUALITY.COMPANY.COM", with the same results, i.e. the Security Domain and Basic Negotiation tests work, but the Secured one does not.
Output from "Security Domain Test":
JBoss log:
12:01:33,229 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:01:33,238 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal key obtained from the keytab
12:01:33,241 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:01:33,259 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:01:33,269 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,273 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,276 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:01:33,283 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,286 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:01:33,288 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:01:33,290 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,295 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:01:33,296 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
Browser:
Negotiation Toolkit
Security Domain Test
Testing security-domain 'qaad_kerberos'
Authenticated
Subject:
Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Private Credential: Ticket (hex) =
0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........
0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY
0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......
0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL
...
04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......
Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Feb 05 12:01:33 CST 2013
Start Time = Tue Feb 05 12:01:33 CST 2013
End Time = Tue Feb 05 22:01:33 CST 2013
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
Output from "Basic Negotiation":
JBoss log:
12:48:01,226 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401
12:48:01,243 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.
Browser:
Negotiation Toolkit
Basic Negotiation
WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=
NegTokenInit
Message Oid - SPNEGO
Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
Req Flags -
Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=
Mech List Mic -
Output from "Secured":
JBoss log:
12:51:52,877 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,894 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal key obtained from the keytab
12:51:52,895 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:52,929 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:52,933 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,937 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,939 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:52,944 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,945 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,946 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,947 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:52,949 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:52,952 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
12:51:52,985 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,989 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal key obtained from the keytab
12:51:52,990 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:53,015 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:53,058 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,060 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,061 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:53,063 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,066 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,081 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:53,082 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
Browser:
HTTP Status 403 - Access to the requested resource has been denied
Additional tests / settings performed
I also tried starting a JBoss instance on the Windows QAAD server itself, with updated setspn and ktpass commands, but with the same results: the "Secured" test failed with the LoginException.
I also tried using a different AD server (COLLAB, running on a Windows 2003 AD server), but again with the same results.
So I'm pretty sure this is a setup / configuration / environment issue, but I just can't figure it out.
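The "Basic Negotiation" output above is the toolkit decoding the NegTokenInit the browser puts in its Authorization header. As an added example (not code from the original post or from jboss-negotiation-toolkit), here is a standard-library Python decoder for an "Authorization: Negotiate ..." header that lists the mechTypes in the client's preference order and extracts the optimistic mechToken. The token it parses is constructed inside the block with the same three mechanism OIDs the toolkit printed and a placeholder in place of a real Kerberos AP-REQ; `build_neg_token_init`, `make_negotiate_header`, `parse_negotiate_header` and `preferred_mechanism` are names chosen for this example. The practical check is mechTypes[0]: per RFC 4178 the mechToken belongs to that mechanism, so a browser that leads with NTLM typically had no Kerberos service ticket for the SPN it derived from the URL, and a server that only accepts Kerberos cannot finish the exchange in one round trip.

```python
"""Decode a SPNEGO NegTokenInit from an HTTP 'Authorization: Negotiate' header.

Added example for this page; not code from the original post or from
jboss-negotiation-toolkit. Minimal DER reader/writer, enough for the GSS-API
InitialContextToken + NegTokenInit structure (RFC 2743, RFC 4178).
SAMPLE_HEADER is constructed here with the toolkit's three mechTypes and a
placeholder mechToken.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "Kerberos V5 Legacy",   # Microsoft KRB5 OID, same mechanism as the next one
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLM",
}


def _tlv(tag, content):
    """DER tag-length-value, short or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                           # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mech_oids, mech_token):
    """InitialContextToken { SPNEGO OID, NegTokenInit { [0] mechTypes, [2] mechToken } }."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    neg_token_init = _tlv(0xA0, _tlv(0x30, mech_types + token))
    return _tlv(0x60, _tlv(0x06, _encode_oid(OID_SPNEGO)) + neg_token_init)


def make_negotiate_header(mech_oids, mech_token):
    """What a client would send: 'Negotiate <base64 InitialContextToken>'."""
    return "Negotiate " + base64.b64encode(build_neg_token_init(mech_oids, mech_token)).decode("ascii")


def parse_negotiate_header(header_value):
    """Return {'mech_types': [dotted OIDs in client preference order], 'mech_token': bytes}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    tag, body, _ = _read_tlv(base64.b64decode(b64), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != OID_SPNEGO:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, choice, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0]), got tag 0x%02x" % tag)
    _, seq, _ = _read_tlv(choice, 0)
    result, pos = {"mech_types": [], "mech_token": b""}, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                    # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = _read_tlv(val, 0)
            p = 0
            while p < len(oids):
                _, o, p = _read_tlv(oids, p)
                result["mech_types"].append(_decode_oid(o))
        elif tag == 0xA2:                  # [2] mechToken: OCTET STRING, optimistic token for mechTypes[0]
            _, result["mech_token"], _ = _read_tlv(val, 0)
    return result


def preferred_mechanism(parsed):
    """Name of mechTypes[0]; the mechToken is for this mechanism (RFC 4178 optimistic token)."""
    first = parsed["mech_types"][0]
    return MECH_NAMES.get(first, first)


# Constructed sample: the toolkit's mechType order, placeholder instead of a real AP-REQ.
SAMPLE_MECH_TOKEN = b"constructed placeholder, not a real Kerberos AP-REQ " * 3
SAMPLE_HEADER = make_negotiate_header(list(MECH_NAMES), SAMPLE_MECH_TOKEN)

if __name__ == "__main__":
    parsed = parse_negotiate_header(SAMPLE_HEADER)
    for oid in parsed["mech_types"]:
        print("mechType:", oid, MECH_NAMES.get(oid, "?"))
    print("preferred:", preferred_mechanism(parsed), "- mechToken bytes:", len(parsed["mech_token"]))
```

Fed a real header copied from a browser or proxy log, the decoder prints the same Mech Types line the toolkit shows; a mechTypes[0] of NTLM on a client that should have Kerberos is the first thing to check (wrong SPN, URL not treated as intranet, no TGT), before looking at the server-side login modules.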
I know it's pretty late.
I faced the same problem and found out that we need to modify the jboss-negotiation-toolkit web.xml a bit.
Modify the security-constraint and login-config in web.xml to look like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted</web-resource-name>
    <url-pattern>/Secured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>*</role-name>
</security-role>
Then change the JBoss SPNEGO config in standalone.xml to look like this:
<security-domain name="qaad_kerberos" cache-type="default">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
      <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="true"/>
      <module-option name="refreshKrb5Config" value="false"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
    </login-module>
    <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="requisite">
      <module-option name="bindAuthentication" value="GSSAPI"/>
      <module-option name="jaasSecurityDomain" value="qaad_kerberos"/>
      <module-option name="java.naming.provider.url" value="ldap://your kdc hostname:389"/>
      <module-option name="baseCtxDN" value="DC=MYDOMAIN,DC=COM"/>
      <module-option name="baseFilter" value="(userPrincipalName={0})"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="allowEmptyPassword" value="false"/>
      <module-option name="debug" value="true"/>
    </login-module>
  </authentication>
</security-domain>