hc-httpclient-users mailing list archives

From Marc Boorshtein <mboorsht...@gmail.com>
Subject SPNEGO on windows 7 client
Date Mon, 03 Nov 2014 20:41:21 GMT
All,

I've got some code that works great on Mac/Linux using an existing ticket,
but on Windows it's failing. Here's the code:

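import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.security.Principal;
import java.util.Properties;
import org.apache.http.HttpEntity;
import org.apache.http.RequestLine;
import org.apache.http.StatusLine;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.log4j.PropertyConfigurator;

// The statements below run inside the test method.

// Configure log4j with a console appender.
Properties props = new Properties();
props.put("log4j.rootLogger", "info,console");
props.put("log4j.appender.console", "org.apache.log4j.ConsoleAppender");
props.put("log4j.appender.console.layout",
        "org.apache.log4j.PatternLayout");
props.put("log4j.appender.console.layout.ConversionPattern",
        "[%d][%t] %-5p %c{1} - %m%n");
PropertyConfigurator.configure(props);

// Let JGSS obtain credentials outside the JAAS Subject and turn on
// Kerberos debug output.
// System.setProperty("java.security.krb5.conf","D:\\krb5.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.auth.login.config", "d:\\login.conf");

// Placeholder credentials: no user name or password is supplied here.
Credentials jaasCredentials = new Credentials() {
    public String getPassword() {
        return null;
    }

    public Principal getUserPrincipal() {
        return null;
    }
};

// Register the placeholder for any host, port and realm.
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(new AuthScope(null, -1, null),
        jaasCredentials);

// Offer only the SPNEGO authentication scheme.
Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder
        .<AuthSchemeProvider> create()
        .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory())
        .build();
CloseableHttpClient httpclient = HttpClients.custom()
        .setDefaultAuthSchemeRegistry(authSchemeRegistry)
        .setDefaultCredentialsProvider(credsProvider).build();

// Request the protected page.
HttpGet httpget = new HttpGet(
        "http://webserver.local.domain.com/TestApp/Default.aspx");
RequestLine requestLine = httpget.getRequestLine();
CloseableHttpResponse response = httpclient.execute(httpget);

StatusLine status = response.getStatusLine();
HttpEntity entity = response.getEntity();

BufferedReader in = new BufferedReader(new InputStreamReader(
        entity.getContent()));
String line = "";
/*
 * while ((line = in.readLine()) != null) { System.out.println(line); }
 */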

and here's the output:

log4j:WARN No appenders could be found for logger (org.apache.http.impl.conn.BasicClientConnectionManager).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Java config name: null
Native config name: C:\Windows\krb5.ini
getRealmFromDNS: trying local.domain.com
getRealmFromDNS: trying local.domain.com
getRealmFromDNS: trying local.domain.com
getRealmFromDNS: trying local.domain.com
getRealmFromDNS: trying local.domain.com
>>>KinitOptions cache name is C:\Users\loggedINuser\krb5cc_loggedINuser
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=loggedINuser@addomain.com
server=krbtgt/addomain.com@addomain.com
authTime=20141103191609Z
startTime=20141103191609Z
endTime=20141104051609Z
renewTill=20141110191609Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Found ticket for loggedINuser@addomain.com to go to krbtgt/addomain.com@addomain.com expiring on Mon Nov 03 21:16:09 PST 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
getRealmFromDNS: trying local.domain.com
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 17 16 23 1 3.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=kdc.addomain.com. UDP:88, timeout=30000, number of retries =3, #bytes=1451
>>> KDCCommunication: kdc=kdc.addomain.com. UDP:88, timeout=30000,Attempt =1, #bytes=1451
>>> KrbKdcReq send: #bytes read=120
>>> KdcAccessibility: remove kdc.addomain.com.:88
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
 sTime is Mon Nov 03 12:14:18 PST 2014 1415045658000
 suSec is 332963
 error code is 7
 error Message is Server not found in Kerberos database
 realm is addomain.com
 sname is HTTP/webserver.local.domain.com
 msgType is 30
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:104)
at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:84)
at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:161)
at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:79)
at org.apache.http.client.protocol.RequestAuthenticationBase.authenticate(RequestAuthenticationBase.java:120)
at org.apache.http.client.protocol.RequestAuthenticationBase.process(RequestAuthenticationBase.java:83)
at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:80)
at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:131)
at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:165)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:485)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at gov.dhs.uscis.icam.test.authentication.TestSPNEGO.TestPSNEGOSuccess2(TestSPNEGO.java:98)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 54 more
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
LSA: Found KrbCreds constructor
LSA: Got handle to Kerberos package
LSA: Response size is 1514
LSA: Principal domain is addomain.com
LSA: Name type is 1
LSA: Name count is 1
LSA: Principal domain is addomain.com
LSA: Name type is 2
LSA: Name count is 2
LSA: 20141103191609Z
LSA: 20141104051609Z
LSA: 20141110191609Z

I followed the instructions on
http://hc.apache.org/httpcomponents-client-ga/tutorial/html/authentication.html
to set the proper registry values.  Any help here would be greatly
appreciated.

Thanks
Marc
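
A triage helper for the `sun.security.krb5.debug` output shown in the post, as an added example that is not part of the original message: it extracts each KRBError block and, for error code 7, reports the service principal and realm the KDC rejected. The function names are hypothetical, and the sample input is the KRBError block copied from the post.

```python
import re

# KRBError block copied from the debug output in the post above.
SAMPLE = """\
>>>KRBError:
 sTime is Mon Nov 03 12:14:18 PST 2014 1415045658000
 suSec is 332963
 error code is 7
 error Message is Server not found in Kerberos database
 realm is addomain.com
 sname is HTTP/webserver.local.domain.com
 msgType is 30
KrbException: Server not found in Kerberos database (7)
"""

FIELD = re.compile(r"^\s*(error code|error Message|realm|sname|msgType) is (.*)$")

def parse_krb_errors(text):
    """Return one dict per '>>>KRBError:' block in JDK krb5 debug output."""
    errors, current = [], None
    for line in text.splitlines():
        if line.startswith(">>>KRBError:"):
            current = {}
            errors.append(current)
            continue
        m = FIELD.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2).strip()
        elif current is not None and not line.startswith(" "):
            current = None  # block ends at the first unindented line
    return errors

def triage(err):
    """Turn one parsed KRBError into checks for the operator."""
    notes = []
    if err.get("error code") == "7":  # KDC_ERR_S_PRINCIPAL_UNKNOWN (RFC 4120)
        sname, realm = err.get("sname", ""), err.get("realm", "")
        notes.append(f"KDC for {realm} has no principal {sname}")
        host = sname.split("/", 1)[-1].lower()
        # Assumption: a host outside the realm's DNS name deserves a mapping check.
        if not host.endswith("." + realm.lower()):
            notes.append(f"{host} is outside the DNS domain of {realm}: "
                         "check the host-to-realm mapping and SPN registration")
    return notes
```

Running `triage(parse_krb_errors(SAMPLE)[0])` on the post's output yields both notes, because `webserver.local.domain.com` does not fall under `addomain.com`.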
