cxf-users mailing list archives

From John Baker <john.ba...@camelotgroup.co.uk>
Subject RE: Kerberos and credential propagation
Date Thu, 26 Apr 2012 08:00:44 GMT
If you're saying things broke with Java 1.7 then it's worth noting there are some known bugs
in the Kerberos module prior to update 4.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: 25 April 2012 17:04
To: users@cxf.apache.org
Subject: Re: Kerberos and credential propagation

Could you enable debug logging in WSS4J? It may shed some light on the root exception. Add
log4j to the pom and change the rootLogger from WARN to DEBUG in src/test/resource/log4j.properties.

Could you try with a more recent version of JDK 1.6 such as 1.6.0_31?

Colm.



On Wed, Apr 25, 2012 at 4:49 PM, Henk-Jan <h.visscher@cordares.nl> wrote:
> Thanks for your answer Freeman
>
> I already tried the examples you mentioned before but couldn't get 
> them to work. However, as they seemed to address the problem I was 
> facing I gave them another try, to no avail.
>
> Until yesterday, after I installed java 7 (java version "1.7.0_03") 
> suddenly everything was working fine. But as we're deploying our 
> services to WAS which uses java 6 this is no acceptable solution.
>
> Maybe someone can help me to get the examples working under java 6 ? 
> Or point me to some possible working alternatives?
>
> I also stumbled upon the following bug, but I don't think it applies 
> to my
> problem: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7061379
>
> My configuration:
>
> Source: https://svn.apache.org/repos/asf/cxf/trunk/
> Redhat Linux server : narvi.sfb
> SPN (*): HTTP/_kerbisspoc-service.melkweg.tld
> KDC server: corx01.melkweg.tld
>
> (*): both the client & the server use the same SPN
>
> Content of /etc/krb5.conf:
>
> [libdefaults]
> default_realm = MELKWEG.TLD
>
> [realms]
> MELKWEG.TLD = {
>    kdc = corx01.melkweg.tld
> }
>
> [domain_realm]
> .sfb = MELKWEG.TLD
>
> Content of Login.jaas:
>
> client {
>    com.sun.security.auth.module.Krb5LoginModule required
>    refreshKrb5Config=true
>    useKeyTab=true
>    debug=true
>    keyTab="/etc/_kerbisspoc.keytab"
>    principal="HTTP/_kerbisspoc-service.melkweg.tld@";
> };
>
> server {
>    com.sun.security.auth.module.Krb5LoginModule required
>    debug=true
>    refreshKrb5Config=true
>    useKeyTab=true
>    storeKey=true
>    keyTab="/etc/_kerbisspoc.keytab"
>    principal="HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD";
> };
>
> Context of client.xml (relevant part):
>
>    <bean id="kerberosValidator"
>        class="org.apache.ws.security.validate.KerberosTokenValidator">
>        <property name="contextName" value="server"/>
>        <property name="serviceName"
> value="HTTP/_kerbisspoc-service.melkweg.tld@"/>
>    </bean>
>
> Context of server.xml (relevant part):
>
>    <jaxws:client
> name="{http://www.example.org/contract/DoubleIt}DoubleItKerberosSymmetricPort"
>                  createdFromAPI="true">
>       <jaxws:properties>
>           <entry key="ws-security.encryption.properties"
>
> value="org/apache/cxf/systest/ws/wssec10/client/bob.properties"/>
>           <entry key="ws-security.encryption.username" value="bob"/>
>           <entry key="ws-security.kerberos.client">
>               <bean
> class="org.apache.cxf.ws.security.kerberos.KerberosClient">
>                   <constructor-arg ref="cxf"/>
>                   <property name="contextName" value="client"/>
>                   <property name="serviceName"
> value="HTTP/_kerbisspoc-service.melkweg.tld@"/>
>               </bean>
>           </entry>
>       </jaxws:properties>
>    </jaxws:client>
>
>
> Command line for the test:
>
> mvn test -Pnochecks -Dsun.security.krb5.debug=true 
> -Dtest=KerberosTokenTest 
> -Djava.security.auth.login.config=src/test/resources/kerberos.jaas
>
> Output using version "1.6.0_25":
>
> -------------------------------------------------------
>  T E S T S
> -------------------------------------------------------
>
> Running org.apache.cxf.systest.ws.kerberos.KerberosTokenTest
> In testKerberosOverSymmetric.
> Unrestricted policies installed
> Debug is  true storeKey false useTicketCache false useKeyTab true 
> doNotPrompt false ticketCache is null isInitiator true KeyTab is 
> /etc/_kerbisspoc.keytab refreshKrb5Config is true principal is 
> HTTP/_kerbisspoc-service.melkweg.tld@ tryFirstPass is false 
> useFirstPass is false storePass is false clearPass is false Refreshing 
> Kerberos configuration Config name: /etc/krb5.conf
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): MELKWEG.TLD KeyTabInputStream, 
>>>> readName(): HTTP KeyTabInputStream, readName(): 
>>>> _kerbisspoc-service.melkweg.tld
>>>> KeyTab: load() entry length: 83; type: 23
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 3 1 23 16 17 18.
> principal's key obtained from the keytab Acquire TGT using AS Exchange 
> Using builtin default etypes for default_tkt_enctypes default etypes 
> for default_tkt_enctypes: 3 1 23 16 17 18.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=166
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=166 KrbKdcReq send: #bytes 
>>>> read=631 KrbKdcReq send: #bytes read=631
>>>> KdcAccessibility: remove corx01.melkweg.tld
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply 
>>>> HTTP/_kerbisspoc-service.melkweg.tld
> principal is HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD
> EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E7 F7 BA 95 A4 39 
> BC C1
> C7 75 22 6B CF 95 B5 E9  .....9...u"k....
>
> Commit Succeeded
>
> Found ticket for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD to 
> go to krbtgt/MELKWEG.TLD@MELKWEG.TLD expiring on Thu Apr 26 03:30:36 
> CEST 2012 Entered Krb5Context.initSecContext with state=STATE_NEW 
> Found ticket for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD to 
> go to krbtgt/MELKWEG.TLD@MELKWEG.TLD expiring on Thu Apr 26 03:30:36 
> CEST 2012 Service ticket not found in the subject
>>>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes default etypes 
> for default_tgs_enctypes: 3 1 23 16 17 18.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=665
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=665 KrbKdcReq send: #bytes 
>>>> read=627 KrbKdcReq send: #bytes read=627
>>>> KdcAccessibility: remove corx01.melkweg.tld
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> Krb5Context setting mySeqNumber to: 19043227 Krb5Context setting 
> peerSeqNumber to: 0 Created InitSecContextToken:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true 
> doNotPrompt false ticketCache is null isInitiator true KeyTab is 
> /etc/_kerbisspoc.keytab refreshKrb5Config is true principal is 
> HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD tryFirstPass is false 
> useFirstPass is false storePass is false clearPass is false Refreshing 
> Kerberos configuration Config name: /etc/krb5.conf Refreshing Keytab
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): MELKWEG.TLD KeyTabInputStream, 
>>>> readName(): HTTP KeyTabInputStream, readName(): 
>>>> _kerbisspoc-service.melkweg.tld
>>>> KeyTab: load() entry length: 83; type: 23
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 3 1 23 16 17 18.
> principal's key obtained from the keytab Acquire TGT using AS Exchange 
> Using builtin default etypes for default_tkt_enctypes default etypes 
> for default_tkt_enctypes: 3 1 23 16 17 18.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=166
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=166 KrbKdcReq send: #bytes 
>>>> read=631 KrbKdcReq send: #bytes read=631
>>>> KdcAccessibility: remove corx01.melkweg.tld
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply 
>>>> HTTP/_kerbisspoc-service.melkweg.tld
> principal is HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD
> EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E7 F7 BA 95 A4 39 
> BC C1
> C7 75 22 6B CF 95 B5 E9  .....9...u"k....
>
> Added server's keyKerberos Principal
> HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLDKey Version 4key
> EncryptionKey: keyType=23 keyBytes (hex dump)=
> 0000: E7 F7 BA 95 A4 39 BC C1   C7 75 22 6B CF 95 B5 E9  .....9...u"k....
>
>        [Krb5LoginModule] added Krb5Principal 
> HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD to Subject Commit 
> Succeeded
>
> Tests run: 12, Failures: 0, Errors: 1, Skipped: 11, Time elapsed: 
> 11.529 sec <<< FAILURE!
> testKerberosOverSymmetric(org.apache.cxf.systest.ws.kerberos.KerberosT
> okenTest)
> Time elapsed: 4.094 sec  <<< ERROR!
> javax.xml.ws.soap.SOAPFaultException: General security error (An error 
> occurred in trying to validate a ticket)
>    at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156
> )
>    at $Proxy42.doubleIt(Unknown Source)
>    at
> org.apache.cxf.systest.ws.kerberos.KerberosTokenTest.testKerberosOverS
> ymmetric(KerberosTokenTest.java:131)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
> ava:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
> orImpl.java:25)
>    at java.lang.reflect.Method.invoke(Method.java:597)
>    at
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkM
> ethod.java:44)
>    at
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCall
> able.java:15)
>    at
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMet
> hod.java:41)
>    at
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMeth
> od.java:20)
>    at
> org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.jav
> a:31)
>    at
> org.junit.runners.BlockJUnit4ClassRunner.runNotIgnored(BlockJUnit4Clas
> sRunner.java:79)
>    at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunn
> er.java:71)
>    at
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunn
> er.java:49)
>    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:193)
>    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:52)
>    at 
> org.junit.runners.ParentRunner.runChildren(ParentRunner.java:191)
>    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:42)
>    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:184)
>    at
> org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.j
> ava:28)
>    at
> org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.jav
> a:31)
>    at org.junit.runners.ParentRunner.run(ParentRunner.java:236)
>    at
> org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider
> .java:236)
>    at
> org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4P
> rovider.java:134)
>    at
> org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.
> java:113)
>    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>    at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
> ava:39)
>    at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
> orImpl.java:25)
>    at java.lang.reflect.Method.invoke(Method.java:597)
>    at
> org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(R
> eflectionUtils.java:189)
>    at
> org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(
> ProviderFactory.java:165)
>    at
> org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(Provid
> erFactory.java:85)
>    at
> org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(Forke
> dBooter.java:103)
>    at
> org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:7
> 4) Caused by: org.apache.cxf.binding.soap.SoapFault: General security 
> error (An error occurred in trying to validate a ticket)
>    at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmar
> shalFault(Soap11FaultInInterceptor.java:75)
>    at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handl
> eMessage(Soap11FaultInInterceptor.java:46)
>    at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handl
> eMessage(Soap11FaultInInterceptor.java:35)
>    at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> rChain.java:262)
>    at
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessa
> ge(AbstractFaultChainInitiatorObserver.java:113)
>    at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMe
> ssage(CheckFaultInterceptor.java:69)
>    at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMe
> ssage(CheckFaultInterceptor.java:34)
>    at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> rChain.java:262)
>    at 
> org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>    at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRe
> sponseInternal(HTTPConduit.java:1656)
>    at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRe
> sponse(HTTPConduit.java:1521)
>    at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HT
> TPConduit.java:1429)
>    at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56
> )
>    at 
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:659)
>    at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndin
> gInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>    at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> rChain.java:262)
>    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>    at 
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>    at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134
> )
>    ... 34 more
>
> Results :
>
> Tests in error:
>
> testKerberosOverSymmetric(org.apache.cxf.systest.ws.kerberos.KerberosTokenTest):
> General security error (An error occurred in trying to validate a 
> ticket)
>
> Tests run: 12, Failures: 0, Errors: 1, Skipped: 11
>
> Output using version "1.7.0_3":
>
> -------------------------------------------------------
>  T E S T S
> -------------------------------------------------------
> Running org.apache.cxf.systest.ws.kerberos.KerberosTokenTest
> In testKerberosOverSymmetric.
> Unrestricted policies installed
> Debug is  true storeKey false useTicketCache false useKeyTab true 
> doNotPrompt false ticketCache is null isInitiator true KeyTab is 
> /etc/_kerbisspoc.keytab refreshKrb5Config is true principal is 
> HTTP/_kerbisspoc-service.melkweg.tld@ tryFirstPass is false 
> useFirstPass is false storePass is false clearPass is false Refreshing 
> Kerberos configuration Config name: /etc/krb5.conf
>>>> KdcAccessibility: reset
>>>> KdcAccessibility: reset
>>>> KeyTabInputStream, readName(): MELKWEG.TLD KeyTabInputStream, 
>>>> readName(): HTTP KeyTabInputStream, readName(): 
>>>> _kerbisspoc-service.melkweg.tld
>>>> KeyTab: load() entry length: 83; type: 23
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes default etypes 
> for default_tkt_enctypes: 18 17 16 23 1 3.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=166
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=166 KrbKdcReq send: #bytes 
>>>> read=631
>>>> KdcAccessibility: remove corx01.melkweg.tld
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply 
>>>> HTTP/_kerbisspoc-service.melkweg.tld
> principal is HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD
> Will use keytab
> Commit Succeeded
>
> Found ticket for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD to 
> go to krbtgt/MELKWEG.TLD@MELKWEG.TLD expiring on Thu Apr 26 03:33:58 
> CEST 2012 Entered Krb5Context.initSecContext with state=STATE_NEW 
> Found ticket for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD to 
> go to krbtgt/MELKWEG.TLD@MELKWEG.TLD expiring on Thu Apr 26 03:33:58 
> CEST 2012 Service ticket not found in the subject
>>>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes default etypes 
> for default_tgs_enctypes: 18 17 16 23 1 3.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=665
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=665 KrbKdcReq send: #bytes 
>>>> read=643
>>>> KdcAccessibility: remove corx01.melkweg.tld
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Krb5Context setting mySeqNumber to: 87301791 Krb5Context setting 
> peerSeqNumber to: 0 Created InitSecContextToken:
>
> Debug is  true storeKey true useTicketCache false useKeyTab true 
> doNotPrompt false ticketCache is null isInitiator true KeyTab is 
> /etc/_kerbisspoc.keytab refreshKrb5Config is true principal is 
> HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD tryFirstPass is false 
> useFirstPass is false storePass is false clearPass is false Refreshing 
> Kerberos configuration Config name: /etc/krb5.conf
>>>> KdcAccessibility: reset
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes default etypes 
> for default_tkt_enctypes: 18 17 16 23 1 3.
>>>> KrbAsReq creating message
>>>> KrbKdcReq send: kdc=corx01.melkweg.tld UDP:88, timeout=30000, 
>>>> number of retries =3, #bytes=166
>>>> KDCCommunication: kdc=corx01.melkweg.tld UDP:88, 
>>>> timeout=30000,Attempt =1, #bytes=166 KrbKdcReq send: #bytes 
>>>> read=631
>>>> KdcAccessibility: remove corx01.melkweg.tld
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply 
>>>> HTTP/_kerbisspoc-service.melkweg.tld
> principal is HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD
> Will use keytab
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default 
> etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
> Commit Succeeded
>
> Found KeyTab
> Found KerberosKey for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD
> Entered Krb5Context.acceptSecContext with state=STATE_NEW Added key: 
> 23version: 4 Ordering keys wrt default_tkt_enctypes list Using builtin 
> default etypes for default_tkt_enctypes default etypes for 
> default_tkt_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Using builtin default etypes for permitted_enctypes default etypes for 
> permitted_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> replay cache for HTTP/_kerbisspoc-service.melkweg.tld@MELKWEG.TLD is null.
> object 0: 1335368038927/927468
> object 0: 1335368038927/927468
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 87301791 Krb5Context setting 
> mySeqNumber to: 87301791 Tests run: 12, Failures: 0, Errors: 0, 
> Skipped: 11, Time elapsed: 7.707 sec
>
> Results :
>
> Tests run: 12, Failures: 0, Errors: 0, Skipped: 11
>
> So, does anybody know if this is my own fault, or if it is caused by a 
> bug in java?
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Kerberos-and-credential-propagation-tp
> 5646577p5665237.html Sent from the cxf-user mailing list archive at 
> Nabble.com.



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
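
An added example, not part of the original thread: a Python script that reads `-Dsun.security.krb5.debug=true` output like the two runs quoted above (mail quoting and line wrapping included) and summarises the keytab key types, the etype preference order and the etypes actually used, so the Java 6 and Java 7 runs can be compared side by side. The sample input is abridged from the quoted output; the function names and report layout are assumptions of this example, and a difference it reports is a lead to check, not a confirmed cause.

```python
import re

# Kerberos encryption type numbers and their krb5.conf names.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# JDK classes printed on ">>> EType:" debug lines, mapped to etype numbers.
JDK_ETYPE_CLASSES = {
    "DesCbcCrcEType": 1, "DesCbcMd5EType": 3, "Des3CbcHmacSha1KdEType": 16,
    "Aes128CtsHmacSha1EType": 17, "Aes256CtsHmacSha1EType": 18,
    "ArcFourHmacEType": 23,
}
# Single DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429.
DEPRECATED = {1, 3, 16, 23}

# Abridged from the 1.6.0_25 run quoted in the thread (quoting left in place).
JDK16_LOG = """
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default
> etypes for default_tkt_enctypes default etypes for
> default_tkt_enctypes: 3 1 23 16 17 18.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Using builtin default etypes for default_tgs_enctypes default etypes
> for default_tgs_enctypes: 3 1 23 16 17 18.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
"""

# Abridged from the 1.7.0_03 run quoted in the thread.
JDK17_LOG = """
> Added key: 23version: 4
> Ordering keys wrt default_tkt_enctypes list Using builtin default
> etypes for default_tkt_enctypes default etypes for
> default_tkt_enctypes: 18 17 16 23 1 3.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Using builtin default etypes for default_tgs_enctypes default etypes
> for default_tgs_enctypes: 18 17 16 23 1 3.
>>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
"""


def normalise(raw):
    """Undo mail quoting and wrapping: drop leading '>' markers, join lines."""
    parts = [re.sub(r"^[>\s]+", "", line) for line in raw.splitlines()]
    return " ".join(" ".join(parts).split())


def analyse(raw):
    """Summarise the etype information in one run of krb5 debug output."""
    text = normalise(raw)
    # Key types loaded from the keytab ("Added key: 23version: 4").
    keytab = sorted({int(n) for n in re.findall(r"Added key: (\d+)version", text)})
    # Preference order per setting, e.g. default_tkt_enctypes.
    prefs = {name: [int(n) for n in nums.split()]
             for name, nums in re.findall(r"default etypes for (\w+): ([\d ]+)\.", text)}
    # Etypes actually used, in order of first appearance (CksumType is skipped).
    classes = re.findall(r"\bEType: sun\.security\.krb5\.internal\.crypto\.(\w+)", text)
    used = list(dict.fromkeys(
        JDK_ETYPE_CLASSES[c] for c in classes if c in JDK_ETYPE_CLASSES))
    return {
        "keytab_etypes": keytab,
        "preferences": prefs,
        "used_etypes": used,
        "not_in_keytab": [e for e in used if e not in keytab],
        "deprecated_in_use": [e for e in used if e in DEPRECATED],
    }


def diff_runs(a, b):
    """Names of the report fields on which two runs disagree."""
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    reports = {"1.6.0_25": analyse(JDK16_LOG), "1.7.0_03": analyse(JDK17_LOG)}
    for version, report in reports.items():
        used = ", ".join(ETYPE_NAMES[e] for e in report["used_etypes"])
        extra = ", ".join(ETYPE_NAMES[e] for e in report["not_in_keytab"]) or "none"
        print(f"{version}: used [{used}]; used without a keytab key: {extra}")
    print("fields that differ:", diff_runs(*reports.values()))
```
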


