tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chawla, Rachit" <RachitCha...@fico.com>
Subject SpnegoAuthenticator gives GSSException (Desired initLifetime) wih IBM JDK
Date Tue, 08 Oct 2013 08:39:55 GMT
Hi All,

I am struggling on SSO configuration using SPENGO mechanism on Tomcat 7.0.42 but not able
to get it working. We tried on 7.0.29 version too.  Since I get Login Successful in logs,
I assume Kerberos login was successful. Its SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor
code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less


Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference. On decompiling
SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME in createCredential
method, which might be the reason for the exception.

final PrivilegedExceptionAction<GSSCredential> action =
                new PrivilegedExceptionAction<GSSCredential>() {
                    @Override
                    public GSSCredential run() throws GSSException {
                        return manager.createCredential(null,
                                GSSCredential.DEFAULT_LIFETIME,
                                new Oid("1.3.6.1.5.5.2"),
                                GSSCredential.ACCEPT_ONLY);
                    }
                };



Environment detail are:

OS: AIX

Java: java version "1.6.0"

Java(TM) SE Runtime Environment (build pap3260sr11-20120806_01(SR11))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 jvmap3260sr11-20120801_118201 (JIT enabled,
AOT enabled)
J9VM - 20120801_118201
JIT  - r9_20120608_24176ifx1
GC   - 20120516_AA)
JCL  - 20120713_01

Tomcat Version : 7.0.42

I tried with Java 6 (SR9), 7 (SR1,SR5), but I always get stuck on below error.

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor
code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less




We get following output from catalina/log.


[JGSS_DBG_CRED] JAAS config: debug=true
[JGSS_DBG_CRED] JAAS config: credsType=accept only
[JGSS_DBG_CRED] config: useDefaultCcache=false (default)
[JGSS_DBG_CRED] config: useCcache=null
[JGSS_DBG_CRED] config: useDefaultKeytab=false
[JGSS_DBG_CRED] config: useKeytab=file:/home/qauser1/racTemp/apache-tomcat-7.0.29/conf/qafalcon.keytab
[JGSS_DBG_CRED] JAAS config: forwardable=false (default)
[JGSS_DBG_CRED] JAAS config: renewable=false (default)
[JGSS_DBG_CRED] JAAS config: proxiable=false (default)
[JGSS_DBG_CRED] JAAS config: noAddress=false (default)
[JGSS_DBG_CRED] JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED] JAAS config: interactive login? no
[JGSS_DBG_CRED] Retrieving Kerberos creds from keytab for principal=null
[JGSS_DBG_CRED] No Kerberos creds in keytab : java.io.BufferedInputStream@28502850
[JGSS_DBG_CRED] Done retrieving Kerberos creds from keytab


[JGSS_DBG_CRED] Login successful


[JGSS_DBG_CRED] HTTP/abc@zzz.NET added to Subject
[JGSS_DBG_CRED] Attempting to add 1 Kerberos key(s) to Subject for HTTP/abc@zzz.NET
[JGSS_DBG_CRED] added key of type rc4-hmac
[JGSS_DBG_CRED] Successfully added 1 keys to Subject.
[JGSS_DBG_PROV] Number of system providers=9
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] 3 system providers found/added
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]         1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV]         1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV]         1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV]         [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV]         [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_CRED] Creating mech cred for null, mech 1.3.6.1.5.5.2, usage accept only
[JGSS_DBG_PROV] Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory
for mech: 1.3.6.1.5.5.2 caller:-1
[JGSS_DBG_PROV] Created new (empty) factory list (size=1) for provider IBMJGSSProvider version
1.6
[JGSS_DBG_PROV] Loading factory
[JGSS_DBG_PROV] Factory class name for provider IBMJGSSProvider version 1.6 is com.ibm.security.jgss.mech.spnego.SPNEGOMechFactory
[JGSS_DBG_PROV] Prior to load
[JGSS_DBG_PROV] Done to load
[JGSS_DBG_PROV] Loaded factory for provider IBMJGSSProvider version 1.6
[JGSS_DBG_PROV] Loaded factory ok
[JGSS_DBG_PROV] getFactory: index = 0 found factory caller = -1
Oct 7, 2013 9:58:41 AM org.apache.catalina.authenticator.SpnegoAuthenticator authenticate

SEVERE: Unable to login as the service principal   (This is due to org.ietf.jgss.GSSException,
major code: 11, minor code: 0
    major string: General failure, unspecified at GSSAPI level
    minor string: Desired initLifetime zero or less)

[JGSS_DBG_CRED] HTTP/ux462p1.fairisaac.com@FIASPDEV.NET removed from Subject
[JGSS_DBG_CRED] Removing kerberos keys for principal HTTP/ux462p1.fairisaac.com@FIASPDEV.NET
[JGSS_DBG_CRED] Removed key of type rc4-hmac




Rachit Chawla



This email and any files transmitted with it are confidential, proprietary and intended solely
for the individual or entity to whom they are addressed. If you have received this email in
error please delete it immediately.
Mime
View raw message