JDK-8080122 : SPNEGO GSS token processing broken in latest JDK
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8u40
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_8
  • CPU: x86
  • Submitted: 2015-03-29
  • Updated: 2015-05-18
  • Resolved: 2015-05-18
Description
FULL PRODUCT VERSION :
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.3.9600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Tested on Tomcat 8 with the Manager application's SPNEGO auth, using three Windows VMs, one configured as the primary domain controller.

krb5.ini
[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\keytab\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable = true

[realms]
KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
}

[domain_realm]
kerbtest.local = KERBTEST.LOCAL
.kerbtest.local = KERBTEST.LOCAL

jaas.conf

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/keytab/tomcat.keytab"
    storeKey=true
    debug=true;
};

See :-
https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

A DESCRIPTION OF THE PROBLEM :
SPNEGO Kerberos browser-based single sign-on no longer works on Windows in the latest JDK 8u40.

Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
    ... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

REGRESSION.  Last worked in version 8u31

ADDITIONAL REGRESSION INFORMATION: 
java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) Client VM (build 25.31-b07, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See :-
https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Also word doc attached.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting user to be authenticated with app and token to be accepted.

You get one 401 in Firefox followed by a 200 response and the Tomcat Manager page.

No errors in the Tomcat logs; you can see the Kerberos ticket decrypted if debug options are on.
ACTUAL -
The user is not authenticated; you get three 401 responses in Firefox, and in the Tomcat log or command console you see

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
    at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
    at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
    ... 18 more

[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Used Tomcat 8 Servlet container and its supplied Manager web app.

I'm trying to get SPNEGO authentication working with Tomcat 8. 

I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM 

The Tomcat Server and the Test Client are joined to the same domain, kerbtest.local, and are logged in with domain logins.

The firewall is disabled on the Tomcat Server VM.

I've followed the guidelines on the Apache Tomcat website. 

jaas.conf 

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
    useKeyTab=true
    keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
    storeKey=true;
};

krb5.ini 

[libdefaults]
default_realm = KERBTEST.LOCAL
default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
}

I want to use the tomcat manager app to test SPNEGO with Active Directory.

I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

SPN was created as instructed
setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed
ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass

I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting the URL http://win-tc01.kerbtest.local from the Test Client VM in Firefox results in a 401 three times.

Looking at the Network tab in the Firefox developer tools shows a 401 response with a WWW-Authenticate: Negotiate response header.

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
I have got this to work by going back to earlier JDKs.

I tried many settings but never saw it work on JDK 8u40.

This makes the latest JDK useless for those using SPNEGO as far as I can tell.
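The exception in the trace above is thrown by the constructor of sun.security.jgss.GSSHeader, which requires the first byte of the token handed to acceptSecContext() to be 0x60, the APPLICATION 0 tag of an RFC 2743 InitialContextToken. Tomcat only logs "Defective token", so the quickest way to see what the browser actually sent is to decode the Authorization: Negotiate header from the failing request and report whether it is a SPNEGO NegTokenInit (and which mechanism OIDs it proposes, in what order), a bare Kerberos token, or an NTLM fallback. The following decoder is an added example written for this page; it is not part of the bug report, Tomcat or the JDK, its sample headers are constructed rather than captured from the reporter's environment, and it does not by itself establish the cause of the 8u40 regression.

```python
"""Decode an "Authorization: Negotiate <base64>" value and report what kind of GSS token the
client sent; GSSHeader rejects any token that does not start with byte 0x60 (see trace above)."""
import base64

APPLICATION_0 = 0x60                  # InitialContextToken tag, RFC 2743 section 3.1
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"   # Microsoft Kerberos OID, usually proposed first by Windows
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_MAGIC = b"NTLMSSP\x00"        # raw NTLM message; its base64 starts with "TlRMTVNTUAA"
OID_NAMES = {SPNEGO_OID: "SPNEGO", KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS Kerberos V5",
             NTLMSSP_OID: "NTLMSSP"}

# Minimal DER helpers (definite lengths only, which is all these tokens use).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128 arcs, high bit means "more bytes"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))
def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))
def read_tlv(buf, pos):                       # -> (tag, content, position after the TLV)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Return {"kind": ..., "mech_types": [OIDs the client proposed, in its order]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_MAGIC):
        # Browser fell back to NTLM: no 0x60 framing at all, so acceptSecContext() throws.
        return {"kind": "raw NTLMSSP", "mech_types": [NTLMSSP_OID]}
    if not token or token[0] != APPLICATION_0:
        return {"kind": "not a GSS InitialContextToken", "mech_types": []}
    _, body, _ = read_tlv(token, 0)
    oid_tag, oid_raw, pos = read_tlv(body, 0)
    if oid_tag != 0x06:
        return {"kind": "malformed: no mech OID after 0x60", "mech_types": []}
    mech = decode_oid(oid_raw)
    if mech != SPNEGO_OID:                    # bare mechanism token, e.g. a Kerberos AP-REQ
        return {"kind": "raw " + OID_NAMES.get(mech, mech), "mech_types": [mech]}
    # NegotiationToken ::= CHOICE { negTokenInit [0] ..., negTokenResp [1] ... }  (RFC 4178)
    choice_tag, neg, _ = read_tlv(body, pos)
    if choice_tag != 0xA0:
        return {"kind": "SPNEGO negTokenResp", "mech_types": []}
    _, seq, _ = read_tlv(neg, 0)              # NegTokenInit ::= SEQUENCE { mechTypes [0] ... }
    ctx_tag, ctx0, _ = read_tlv(seq, 0)
    if ctx_tag != 0xA0:
        return {"kind": "SPNEGO negTokenInit without mechTypes", "mech_types": []}
    _, mech_list, _ = read_tlv(ctx0, 0)       # SEQUENCE OF MechType
    mech_types, p = [], 0
    while p < len(mech_list):
        _, raw, p = read_tlv(mech_list, p)
        mech_types.append(decode_oid(raw))
    return {"kind": "SPNEGO negTokenInit", "mech_types": mech_types}

# Constructed sample headers (not captured from the reporter's environment).
def build_neg_token_init(mech_types, mech_token=b"\x00"):
    fields = der(0xA0, der(0x30, b"".join(encode_oid(m) for m in mech_types)))   # [0] mechTypes
    fields += der(0xA2, der(0x04, mech_token))                                    # [2] mechToken
    return der(APPLICATION_0, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))
def to_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")

SAMPLES = {
    "windows_browser": to_header(build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])),
    "ntlm_fallback": to_header(NTLMSSP_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 28),
    "raw_krb5": to_header(der(APPLICATION_0, encode_oid(KRB5_OID) + b"\x01\x00" + b"\x00" * 8)),
    "garbage": to_header(b"\x30\x03\x02\x01\x00"),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print("%-16s %s" % (name, classify_negotiate(hdr)))
```

To use it against a real failure, copy the Authorization header value from the browser's Network tab (or from Tomcat's request dump) and pass it to classify_negotiate(). A result of "raw NTLMSSP" means the browser never obtained a Kerberos service ticket for the SPN at all, which points at the SPN, DNS name or trusted-site configuration rather than at the JDK; a "SPNEGO negTokenInit" result whose first mechanism is the Microsoft Kerberos OID rather than the standard one tells you what the JDK's SPNEGO acceptor was asked to negotiate, which is the detail worth attaching to a report like this one.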