SSO for Tomcat users with SPNEGO not working

I have an application running on a Tomcat server. This application is authenticated against Active Directory using the SPNEGO module.

We take the following steps:

  • Add the Tomcat APP to the AD domain.
  • Make a REST API request to enter the APP. This REST API challenge will authenticate / authorize against AD with SPNEGO.

As part of the new APP initialization, we launch the application for the first time and add this application domain to the AD domain. Then we make an API call doing AD authorization, which fails with the following error.

Enter the exception report:

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:238)
root cause

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
root cause

KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
note The full stack trace of the root cause is available in the Apache Tomcat/6.0.36 logs.
This means that SPNEGO cannot find the key to decrypt the communication with AD.

The problem disappears when I restart Tomcat. After this restart of Tomcat, the user can SUCCESSFULLY authorize based on SSO.

I checked the keytab file and everything looks fine. For this purpose, we use RC4-HMAC encryption. Also, login.conf and krb5.conf are configured correctly on the host (since after a reboot everything works fine).

I ran strace on the Tomcat PID to see whether SPNEGO reads the keytab file. It looks like Tomcat / SPNEGO calls stat on the file but never opens it. Tomcat / SPNEGO thinks everything in the cache is still correct.

Here are the lines for this call:

7832  1431560872.430550 stat("/var/pgsql/sync-dir/samba/tomcat-user.keytab",  <unfinished ...>
7832  1431560872.443416 <... stat resumed> {st_mode=S_IFREG|0600, st_size=894, ...}) = 0
I've never seen this read, though.

Please let me know if anyone has seen this SPNEGO caching issue, where the problem disappears when we restart Tomcat.

java tomcat spnego single-sign-on
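
As an added diagnostic (not code from the question, from Tomcat or from the SPNEGO filter), the following Python parses a keytab in MIT format and lists, for each entry, the principal, key version number (kvno) and enctype, so the file on disk can be compared against what the ticket presented to Tomcat requires: the error above wants an RC4-HMAC key (enctype 23) for the service principal, and re-adding the host to the domain, as in the first step of the procedure, rotates the account key and increments the kvno, so a key of the right enctype but the wrong kvno still fails. The realm, principal and key bytes in SAMPLE are constructed, and build_entry exists only to produce that sample.

```python
import struct

RC4_HMAC = 23   # Kerberos enctype id for "RC4 with HMAC", the type named in the Tomcat error

def _cstr(b: bytes) -> bytes:   # counted_octet_string: big-endian uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, kvno, enctype, key, timestamp=0):
    """Encode one MIT keytab v2 entry (used here only to construct sample data)."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">II", 1, timestamp)      # name_type=KRB5_NT_PRINCIPAL, timestamp
    body += struct.pack(">B", kvno & 0xFF)        # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)               # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body    # each entry is prefixed by its length

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype)] for every live entry of an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                   # negative length marks a deleted slot: skip it
            off -= size; continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        parts = []                     # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode()); off += 2 + n
        off += 8                       # skip name_type and timestamp
        kvno = data[off]; off += 1
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4 + klen
        if end - off >= 4:             # 32-bit kvno present; it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, enctype))
    return out

def has_key(entries, principal, enctype, kvno=None):   # kvno=None matches any version
    return any(p == principal and e == enctype and (kvno is None or k == kvno)
               for p, k, e in entries)

# Constructed sample: realm, principal and key bytes are made up, not from a real system.
SPN = "HTTP/tomcat.example.com@EXAMPLE.COM"
SAMPLE = (b"\x05\x02"
          + build_entry("EXAMPLE.COM", ["HTTP", "tomcat.example.com"], 3, RC4_HMAC, b"\x11" * 16)
          + build_entry("EXAMPLE.COM", ["HTTP", "tomcat.example.com"], 4, 18, b"\x22" * 32))
```

Running parse_keytab over the bytes of a real keytab file and checking has_key for the service principal, enctype 23 and the kvno the KDC currently issues tells you whether the key Tomcat needs is actually in the file it stat()s.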
