SSO for Tomcat users with SPNEGO not working
I have an application running on a Tomcat server. This application is authenticated against Active Directory using the SPNEGO module.
We take the following steps:
- Add the Tomcat APP to the AD domain.
- Make a REST API request to enter the APP. This REST API challenge will authenticate / authorize against AD with SPNEGO.
As part of the new APP initialization, we launch the application for the first time and add this application domain to the AD domain. Then we make an API call that performs AD authorization, and it fails with the following error.
The exception report:
message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
root cause
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
root cause
KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
This means that SPNEGO cannot find the key to decrypt the communication with AD.
The problem disappears when I restart Tomcat. After this restart of Tomcat, the user can SUCCESSFULLY authorize based on SSO.
I checked the keytab file and everything looks fine. For this purpose, we use RC4-HMAC encryption. Also, login.conf and krb5.conf are configured correctly on the host (since everything works fine after a restart).
I ran strace on the Tomcat pid to see if SPNEGO reads the keytab file. It looks like Tomcat / SPNEGO calls stat on the file but never opens it. Tomcat / SPNEGO thinks everything in the cache is still correct.
Here are the lines for this call:
7832 1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab", <unfinished ...>
7832 1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0
I've never seen this read, though.
Please let me know if anyone has seen this SPNEGO caching issue, where the problem disappears when we restart Tomcat.
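The error above says the acceptor could not find a key "of appropriate type" (RC4-HMAC) to decrypt the AP-REQ, which usually means the keytab the JVM has loaded does not hold an RC4-HMAC key for the service principal at the kvno the KDC used in the ticket. A quick way to verify what a keytab actually contains, independent of what the running JVM has cached, is to parse the file and list principal, kvno and enctype per entry. The script below is an added example for this thread, not code from the original post or from the SPNEGO project; it implements a reader for the MIT keytab format (version 0x0502) and builds its own sample keytab from placeholder key bytes so it runs offline. The principal name and realm are assumptions; point `parse_keytab` at the real file (the `tomcat-user.keytab` from the strace output) to inspect it.

```python
"""List the keys in a MIT-format Kerberos keytab (version 0x0502).

Added example, not from the original post or the SPNEGO project. The
sample keytab below is constructed from placeholder key material.
"""
import io
import struct

# Enctype numbers from the Kerberos registry; 23 is RC4-HMAC, the type
# the error in the question says the acceptor could not find.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
RC4_HMAC = 23


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples into keytab
    bytes. Only used here to construct the sample file."""
    out = bytearray(b"\x05\x02")             # keytab format version 0x0502
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)         # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)         # timestamp (placeholder)
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # 32-bit kvno, overrides vno8
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _read_counted(buf):
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n).decode()


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, key length."""
    f = io.BytesIO(data)
    if f.read(2) != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries = []
    while True:
        hdr = f.read(4)
        if len(hdr) < 4:
            break
        (size,) = struct.unpack(">i", hdr)
        if size < 0:                         # negative size = unused slot
            f.seek(-size, io.SEEK_CUR)
            continue
        e = io.BytesIO(f.read(size))
        (ncomp,) = struct.unpack(">H", e.read(2))
        realm = _read_counted(e)
        comps = [_read_counted(e) for _ in range(ncomp)]
        e.read(4)                            # name_type, not needed here
        e.read(4)                            # timestamp, not needed here
        (kvno,) = struct.unpack(">B", e.read(1))
        enctype, keylen = struct.unpack(">HH", e.read(4))
        key = e.read(keylen)
        tail = e.read(4)                     # optional 32-bit kvno
        if len(tail) == 4 and struct.unpack(">I", tail)[0] != 0:
            kvno = struct.unpack(">I", tail)[0]
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
                        "key_len": len(key)})
    return entries


def enctypes_for(entries, principal):
    """Map kvno -> set of enctypes held for one principal."""
    result = {}
    for e in entries:
        if e["principal"] == principal:
            result.setdefault(e["kvno"], set()).add(e["enctype"])
    return result


def can_decrypt(entries, principal, enctype, kvno):
    """True if the keytab holds a key of exactly this enctype and kvno,
    which is what a service ticket issued by the KDC requires."""
    return enctype in enctypes_for(entries, principal).get(kvno, set())


# Constructed sample (assumed names, placeholder keys): AES keys exist at the
# current kvno 3, but the only RC4-HMAC key is left over from kvno 2.
SPN = "HTTP/tomcat.example.test@EXAMPLE.TEST"
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/tomcat.example.test", "EXAMPLE.TEST", 3, 18, b"\x11" * 32),
    ("HTTP/tomcat.example.test", "EXAMPLE.TEST", 3, 17, b"\x22" * 16),
    ("HTTP/tomcat.example.test", "EXAMPLE.TEST", 2, 23, b"\x33" * 16),
])
# Same keytab with an unused (negative-size) slot in front, as left behind
# by tools that delete entries in place.
SAMPLE_WITH_FREE_SLOT = (b"\x05\x02" + struct.pack(">i", -3) + b"\x00" * 3
                         + SAMPLE_KEYTAB[2:])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']:40} kvno={e['kvno']} {e['enctype_name']}")
    print("rc4-hmac key at kvno 3:", can_decrypt(parse_keytab(SAMPLE_KEYTAB), SPN, RC4_HMAC, 3))
```

Compare the listing with what the KDC actually issues (the enctype and kvno in the service ticket): a mismatch on either is what produces "Cannot find key of appropriate type". That the failure clears on restart is consistent with the JVM having loaded an older copy of the keytab at startup, which the strace output (stat but no open) also suggests; re-reading the file is what the restart forces.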