SSO for Tomcat users with SPNEGO not working

I have an application running on a Tomcat server. This application is authenticated against Active Directory using the SPNEGO module.

We take the following steps:

  • Add the Tomcat APP to the AD domain.

  • Make a REST API request to enter the APP. This REST API challenge will authenticate / authorize against AD with SPNEGO.

As part of the new APP initialization, we launch the application for the first time and add this application domain to the AD domain. Then we make an API call that performs AD authorization, which fails with the following error.

Here is the exception report:

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
root cause

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
root cause

KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
This means that SPNEGO cannot find the key to decrypt the communication with AD.

The problem disappears when I restart Tomcat. After this restart of Tomcat, the user can SUCCESSFULLY authorize based on SSO.

I checked the keytab file and everything looks fine. For this purpose, we use RC4-HMAC encryption. Also, login.conf and krb5.conf are configured correctly on the host (since after a restart everything works fine).

I ran strace on the Tomcat pid to see if SPNEGO reads the keytab file. It looks like Tomcat / SPNEGO calls stat on the file but never opens it. Tomcat / SPNEGO thinks everything in its cache is still correct.

Here are the lines for this call:

7832  1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab",  <unfinished ...>
7832  1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0
I have never seen it read, though.

Please let me know if anyone has seen this SPNEGO caching issue, where the problem disappears when we restart Tomcat.

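The error above is raised when the acceptor cannot find a key for the service principal with the encryption type (and key version) of the ticket it was handed. As an added example, not code from the original post or from the spnego library, the following parses the MIT keytab format that Tomcat's JGSS acceptor reads, lists the entries the way `klist -kte` would, and performs the same lookup (principal + enctype + kvno) that has to succeed for an AP-REQ to be decrypted. The service principal `HTTP/app.example.com@EXAMPLE.COM`, the timestamps and the key bytes are constructed; the sample models a keytab that was regenerated at kvno 3 with AES keys only, leaving a stale rc4-hmac key at kvno 2, which is one way the "Cannot find key of appropriate type" condition arises.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Kerberos enctype numbers (RFC 3961 / RFC 4757); 23 is the "RC4 with HMAC" named in the exception.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEYTAB_V2 = b"\x05\x02"  # MIT keytab file format version 0x0502

@dataclass
class KeytabEntry:
    principal: str   # "HTTP/host@REALM"
    name_type: int   # KRB5_NT_PRINCIPAL = 1
    timestamp: int   # seconds since the epoch
    kvno: int        # key version number
    enctype: int
    key: bytes

def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries as a v2 MIT keytab (the layout ktutil and ktpass write)."""
    out = KEYTAB_V2
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # optional 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 MIT keytab; a negative entry size marks a deleted slot, which is skipped."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []

    def take_string() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        s = data[pos + 2:pos + 2 + n]
        pos += 2 + n
        return s.decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_string()
        comps = [take_string() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it overrides the 8-bit one when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, etype, key))
    return entries

def find_key(entries, principal, enctype, kvno=None) -> Optional[KeytabEntry]:
    """The lookup an acceptor does for an AP-REQ: service principal + ticket enctype
    (+ kvno when the ticket carries one). None is the 'Cannot find key of appropriate type' case."""
    for e in entries:
        if e.principal == principal and e.enctype == enctype and kvno in (None, e.kvno):
            return e
    return None

def describe(entries) -> List[str]:
    """One line per entry, in the spirit of klist -kte."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, str(e.enctype))})" for e in entries]

# Constructed sample (hypothetical SPN, fake key bytes): the keytab was regenerated at kvno 3
# with AES keys only, leaving a stale rc4-hmac key at kvno 2.
SPN = "HTTP/app.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SPN, 1, 1431560000, 2, 23, bytes(range(16))),      # rc4-hmac, old kvno
    KeytabEntry(SPN, 1, 1431560800, 3, 18, bytes(range(32))),      # aes256, current kvno
    KeytabEntry(SPN, 1, 1431560800, 3, 17, bytes(range(16, 32))),  # aes128, current kvno
])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(describe(ents)))
    hit = find_key(ents, SPN, 23, kvno=3)
    print("rc4-hmac key for kvno 3:", "present" if hit else "MISSING - AP-REQ decrypt fails")
```

To check a real file, call `parse_keytab(open(path, "rb").read())` and compare the kvno of the rc4-hmac entry for your SPN with the kvno the domain controller currently holds for the account; `klist -kte` on the host shows the same principal, kvno and enctype columns, so the two listings should agree.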