SPNEGO with Tomcat error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I am trying to implement browser-based single sign-on using SPNEGO with Tomcat.

I followed all the instructions on these two pages:

When I accessed hello_spnego.jsp from Firefox or Chrome, I was asked for a username and password, and then it showed me its username perfectly; worked like a charm. However, when I tried to access it from IE, I get this error:

HTTP Status 500 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

type Exception report

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)


While trying to find a solution, I came across this page: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

I followed the client setup instructions in the second half of the page. After that, all three browsers (Chrome, Firefox and IE) show the same error, but none of them ask for username and password anymore.

I have verified that the account used to communicate with the KDC is working correctly. Also, I have the username and password specified in the web.xml file, so I don't have a separate KeyTab file.

For diagnostic purposes, here are the contents of my krb5.conf and login.conf files:

krb5.conf

[libdefaults]
    default_realm = DEVID.LOCAL
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    permitted_enctypes   = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5

[realms]
    DEVID.LOCAL = {
        kdc = cdi-prod.devid.local
        default_domain = DEVID.LOCAL
    }

[domain_realm]
    .DEVID.LOCAL = DEVID.LOCAL


login.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};


Since I don't have a keytab file, it is not mentioned in the login.conf file.

Also, since I am using aes256-cts encryption, I added the required JCE policy files ( http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html ) to the jre/lib/security folders of the JDK.

FYI, I am using Tomcat 8 and JDK 1.8.

I would really appreciate knowing what's going on here. If you need more information, please let me know. Thanks in advance!

+3




3 answers


I had the same problem and found the answer in this post:

... go to IE Advanced Settings (Internet Options tab> Advanced tab) and uncheck "Enable Integrated Windows Authentication", this error disappears and I can see the registered custom handle on IE also ...



Undo any changes you made after following the Oracle article before trying it.

0


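When IE no longer presents a Kerberos ticket, the first thing worth checking on the Tomcat side is what the browser actually sent in its Authorization: Negotiate header: a raw NTLMSSP blob, a SPNEGO token, or a bare Kerberos token. The script below is an added diagnostic, not code from the question or answers; the sample headers it checks are constructed (no real captures), and it only decodes the outer GSS-API framing far enough to read the mechanism OID.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"            # mechanism OIDs Java's GSS layer accepts
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"       # raw NTLM token: not a GSS-API token at all

def _der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_oid(content):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(header_value):
    """Return 'ntlm', 'spnego', 'kerberos', 'unknown' or 'not-negotiate'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if token[:1] != b"\x60":             # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown"
    _, pos = _der_length(token, 1)
    if token[pos] != 0x06:               # the mechanism OID must follow the length
        return "unknown"
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")

def _wrap(mech_oid_der, inner):         # build a minimal GSS-API framed token
    body = b"\x06" + bytes([len(mech_oid_der)]) + mech_oid_der + inner
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()

# Constructed sample headers (not captured traffic); the inner bytes are placeholders.
NTLM_SAMPLE = "Negotiate " + base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()
SPNEGO_SAMPLE = _wrap(b"\x2b\x06\x01\x05\x05\x02", b"\xa0\x03\x02\x01\x00")
KRB5_SAMPLE = _wrap(b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02", b"\x01\x00")
```

Feed it the header value from a Tomcat access log or a proxy capture; a result of "ntlm" means the browser never sent a Kerberos ticket, so the enctype and keytab settings on the server are not where the problem lies.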


Kerberos error SPNEGO Checksum


I have done SPNEGO authentication for my web applications. During development, I ran into the problem of authenticating users using the keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I found a way to solve the problem. I used RHEL 7 on the servers and clients and FreeIPA as the KDC/LDAP server:

  1. Open /etc/krb5.conf on the web application server and add one line to the [libdefaults] section:

    [libdefaults]
    default_tkt_enctypes = arcfour-hmac-md5

This is the most important step; this line resolves the "Checksum" problem.

  2. On the client, obtain a ticket with kinit:

    kinit username
    Password for username@MYSERVICE.COM:

After successfully authenticating to the Kerberos domain, we can access Kerberized web applications using curl:

    curl -v -k --negotiate -u: --cacert /etc/ipa/ca.crt https://myservice.com:8090/krb

  3. In Firefox, type about:config in the address bar -> "I'll be careful, I promise!" -> then find

    network.negotiate-auth.delegation-uris   value: http://,https://
    network.negotiate-auth.trusted-uris      value: .myservice.com

0




I've posted an answer to a similar question here.

My case is not GSSAPI + HTTP, but I suppose SPNEGO uses the same mechanisms behind the scenes.

0



