FULL PRODUCT VERSION :
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b26)
Java HotSpot(TM) Client VM (build 25.40-b25, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.3.9600]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Tested on Tomcat 8 with Manager application SPNEGO auth, used 3 Windows VMs, one configured as primary domain controller.

krb5.ini

    [libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\keytab\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable = true

    [realms]
    KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
    }

    [domain_realm]
    kerbtest.local = KERBTEST.LOCAL
    .kerbtest.local = KERBTEST.LOCAL

jaas.conf

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/keytab/tomcat.keytab"
        storeKey=true
        debug=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/keytab/tomcat.keytab"
        storeKey=true
        debug=true;
    };

See :- https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

A DESCRIPTION OF THE PROBLEM :
SPNEGO Kerberos browser based single sign on no longer works on Windows in the latest JDK 8u40.
Found ticket for HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Thu Mar 26 01:46:29 GMT 2015
25-Mar-2015 15:46:29.086 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate Unable to login as the service principal
 java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:422)
        at org.apache.catalina.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:243)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:576)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:516)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1086)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:659)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:223)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1558)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1515)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
        at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:336)
        at org.apache.catalina.authenticator.SpnegoAuthenticator$AcceptAction.run(SpnegoAuthenticator.java:323)
        ... 18 more
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
25-Mar-2015 15:46:29.108 FINE [http-nio-80-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

REGRESSION. Last worked in version 8u31

ADDITIONAL REGRESSION INFORMATION:
java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) Client VM (build 25.31-b07, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
See :- https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
Also Word doc attached.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expecting user to be authenticated with app and token to be accepted. You get one 401 in Firefox followed by a 200 response and the Tomcat Manager page. No errors in Tomcat logs; you can see the Kerberos ticket decrypted if debug options are on.
ACTUAL -
User is not authenticated, you get three 401 responses in Firefox; in the Tomcat log or command console you see:
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

ERROR MESSAGES/STACK TRACES THAT OCCUR :
(Identical to the log excerpt and stack trace quoted under A DESCRIPTION OF THE PROBLEM above.)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Used Tomcat 8 Servlet container and its supplied Manager web app.

I'm trying to get SPNEGO authentication working with Tomcat 8. I've created three Windows VMs :-

Tomcat Server - Windows 8.1 32 bit VM
Test Client - Windows 8.1 32 bit VM
Domain Controller - Windows Server 2012 R2 64 bit VM

The Tomcat Server and the Test Client are joined to the same domain kerbtest.local; they are logged in with domain logins. The firewall is disabled on the Tomcat Server VM. I've followed the guidelines on the Apache Tomcat website.
jaas.conf

    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
        storeKey=true;
    };

    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        principal="HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL"
        useKeyTab=true
        keyTab="C:/Program Files/Apache Software Foundation/Tomcat 8.0/conf/tomcat.keytab"
        storeKey=true;
    };

krb5.ini

    [libdefaults]
    default_realm = KERBTEST.LOCAL
    default_keytab_name = FILE:C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat.keytab
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

    [realms]
    KERBTEST.LOCAL = {
        kdc = win-dc01.kerbtest.local:88
    }

I want to use the Tomcat Manager app to test SPNEGO with Active Directory. I have tried to keep the setup as basic and vanilla to the instructions as possible.

Users were created as instructed.

SPN was created as instructed:

    setspn -A HTTP/win-tc01.kerbtest.local tc01

keytab was created as instructed:

    ktpass /out c:\tomcat.keytab /mapuser tc01@KERBTEST.LOCAL /princ HTTP/win-tc01.kerbtest.local@KERBTEST.LOCAL /pass tc01pass

I have tried to test with Firefox, Chrome and IE, after ensuring http://win-tc01.kerbtest.local is a trusted site in IE. In Firefox I added http://win-tc01.kerbtest.local to network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris.

Tomcat is running as a Windows service under the tc01@kerbtest.local account.

Visiting URL from the Test Client VM :- http://win-tc01.kerbtest.local in Firefox results in 401 three times. Looking at the Network tab in developer tools in Firefox shows a 401 response with a WWW-Authenticate: Negotiate response HTTP header.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
I have got this to work by going back to earlier JDKs. I tried many settings but never saw it work on JDK 8u40. This makes the latest JDK useless for those using SPNEGO as far as I can tell.
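The one fact this report does not record is what the browser actually put in the Authorization: Negotiate header of the request that got the second 401 (Firefox's Network tab shows it, base64 encoded). sun.security.jgss.GSSHeader raises "GSSHeader did not find the right tag" when the bytes handed to acceptSecContext do not begin with the 0x60 [APPLICATION 0] tag of an RFC 2743 InitialContextToken, so decoding that header is the check that separates a client-side problem from an acceptor regression. The script below tells apart the three cases met with this kind of setup: a bare NTLMSSP blob (the Windows client could not obtain a service ticket for HTTP/win-tc01.kerbtest.local and fell back to NTLM, which the JDK's GSS acceptor does not implement, so no JDK version would accept it), a raw Kerberos token sent without the SPNEGO wrapper, and a proper SPNEGO NegTokenInit, for which it lists the offered mechanisms in the client's preference order (Windows SSPI puts the Microsoft Kerberos OID 1.2.840.48018.1.2.2 ahead of the standard 1.2.840.113554.1.2.2) and the mechanism of the optimistic token inside. A well-formed NegTokenInit carrying a Kerberos AP-REQ that 8u31 accepts and 8u40 rejects points at the acceptor, not at the SPN or the keytab. This is an added diagnostic script, not code from the bug report, the JDK or Tomcat; the sample headers are constructed with the builder in the block (the AP-REQ payload is a stub, not a real ticket), and the only assumption is that the header value is pasted in unchanged.

```python
"""Classify the blob in an 'Authorization: Negotiate <base64>' request header.
Added diagnostic example; not code from the bug report, the JDK or Tomcat."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # Microsoft's Kerberos OID, which Windows SSPI lists first
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KNOWN = {SPNEGO_OID: "SPNEGO", KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """DER-encode a dotted OID, tag and length included."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                               # base 128, high bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(content):
    """Dotted form of an OID's content octets."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """(tag, content, position after the element) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def mech_name(content):
    return KNOWN.get(decode_oid(content), decode_oid(content))

def classify_negotiate(header_value):
    """Decode the Negotiate blob and report what the client actually sent."""
    blob = base64.b64decode(header_value.split()[-1])
    result = {"kind": "not-gss", "mech_types": [], "inner": None, "first_byte": blob[0]}
    if blob.startswith(b"NTLMSSP\x00"):
        # Bare NTLM Type 1 message: the client fell back because it had no ticket for the SPN.
        return dict(result, kind="NTLM")
    tag, body, _ = read_tlv(blob)
    if tag != 0x60:
        # The condition behind "GSSHeader did not find the right tag": no [APPLICATION 0] tag.
        return result
    _, oid, pos = read_tlv(body)
    if decode_oid(oid) != SPNEGO_OID:            # Kerberos sent without the SPNEGO wrapper
        return dict(result, kind="raw-" + mech_name(oid), mech_types=[mech_name(oid)])
    choice, init_body, _ = read_tlv(body, pos)
    if choice != 0xA0:                           # only [0] NegTokenInit is valid as a first token
        return dict(result, kind="spnego-resp")
    _, seq, _ = read_tlv(init_body)              # SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] MIC }
    mech_types, inner, p = [], None, 0
    while p < len(seq):
        ctag, cval, p = read_tlv(seq, p)
        if ctag == 0xA0:                         # MechTypeList, in the client's order of preference
            lst, q = read_tlv(cval)[1], 0
            while q < len(lst):
                _, o, q = read_tlv(lst, q)
                mech_types.append(mech_name(o))
        elif ctag == 0xA2:                       # optimistic token for the first listed mech
            inner = read_tlv(cval)[1]
    if inner is not None:                        # a nested InitialContextToken carries mech OID, then AP-REQ
        inner = ("NTLM" if inner.startswith(b"NTLMSSP\x00")
                 else "gss:" + mech_name(read_tlv(read_tlv(inner)[1])[1]) if inner[0] == 0x60 else "unknown")
    return dict(result, kind="spnego-init", mech_types=mech_types, inner=inner)

def build_negotiate_header(mech_oids, inner_token):
    """Build a NegTokenInit laid out the way SSPI does; used only for the constructed samples below."""
    mech_list = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    init = tlv(0x30, tlv(0xA0, mech_list) + tlv(0xA2, tlv(0x04, inner_token)))
    return "Negotiate " + base64.b64encode(tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, init))).decode()

# Constructed samples, not captures from the reporter's VMs; the AP-REQ body is a 5-byte stub.
SAMPLE_KERBEROS = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID],
    tlv(0x60, encode_oid(MS_KRB5_OID) + b"\x01\x00" + b"\x6e\x03\x02\x01\x05"))  # 01 00 = KRB_AP_REQ id
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_GARBAGE = "Negotiate " + base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
```

Paste the captured header value into classify_negotiate; the first_byte field is the byte GSSHeader would have compared against 0x60, and mech_types shows whether the client offered Kerberos at all. Nothing here talks to a KDC, so it can be run on the Test Client VM with the header copied out of the browser.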