Crypto with the Kerberos Login Handler
MOTTE Frederic
frederic.motte at thalesgroup.com
Fri Jan 6 14:56:02 GMT 2012
Hi Rodrigo,
Thank you for your help.
I have change my active directory (2008 to 2003) and follow your guide line.
The result is better. It's solve my crypto problem. Why, I don't know but it's OK.
But I have another problem. When I try to use the keytab into the LoginHandler configuration file, the result is
Specified version of key is not available (44)
I re generated the keytab, reinitialized the user password without success. So I try to replace the keytab by the password. The result is better but the following exception is throw ": Checksum failed"
The traces for each test are after
Thanks
Frederic
***************************************************
The following trace for the keytab
The localhost.log file into tomcat :
Jan 06, 2012 2:33:04 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextInitialized()
Jan 06, 2012 2:33:04 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextInitialized()
Jan 06, 2012 2:33:26 PM org.apache.catalina.core.StandardWrapperValve invoke
INFO: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /home/stcia/Desktop/idpc.http.keytab refreshKrb5Config is true principal is HTTP/idpc.cersso.com at CERSSO.COM<mailto:idpc.cersso.com at CERSSO.COM> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Config name: /etc/krb5.conf
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): CERSSO.COM<http://CERSSO.COM>
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): idpc.cersso.com<http://idpc.cersso.com>
>>> KeyTab: load() entry length: 66; type: 23
Added key: 23version: 9
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 23 1 3.
Added key: 23version: 9
..........
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 23version: 9
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 23 1 3.
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
****************************************
The idp-process.log file into shbboleth
14:33:26.600 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: CERSSO.COM<http://CERSSO.COM>
14:33:26.600 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:118] - Logging KDC 'CERSSO.COM<http://CERSSO.COM>'.
14:33:26.646 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:127] - KDC Logging successful.
14:33:26.646 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:133] - Creating GSS context.
14:33:26.656 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:145] - GSS context created.
14:33:26.657 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:150] - Validating the GSS Token.
14:33:26.669 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871) ~[na:1.7.0_02]
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:151) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
Caused by: sun.security.krb5.KrbException: Specified version of key is not available (44)
at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588) ~[na:1.7.0_02]
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270) ~[na:1.7.0_02]
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) ~[na:1.7.0_02]
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[na:1.7.0_02]
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761) ~[na:1.7.0_02]
... 33 common frames omitted
14:33:26.670 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
14:33:26.670 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
14:33:26.671 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
14:33:26.671 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:218] - Redirecting to /login.jsp
14:33:26.679 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:105] - cookie '_idp_krb_autologin' created [value=false, maxage=31536000, path=/idp, secure=true, domain=null]
14:33:26.679 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
========================================================
The trace for the password
The localhost.log file into tomcat :
Jan 06, 2012 2:49:47 PM org.apache.catalina.core.StandardWrapperValve invoke
INFO: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is refreshKrb5Config is true principal is HTTP/idpc.cersso.com at CERSSO.COM<mailto:idpc.cersso.com at CERSSO.COM> tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Config name: /etc/krb5.conf
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 23 1 3.
Key for the principal HTTP/idpc.cersso.com at CERSSO.COM<mailto:idpc.cersso.com at CERSSO.COM> not available in
[Krb5LoginModule] user entered username: HTTP/idpc.cersso.com at CERSSO.COM<mailto:idpc.cersso.com at CERSSO.COM>
default etypes for default_tkt_enctypes: 23 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=AD2003.CERSSO.COM<http://AD2003.CERSSO.COM> UDP:88, timeout=30000, number of retries =3, #bytes=157
>>> KDCCommunication: kdc=AD2003.CERSSO.COM<http://AD2003.CERSSO.COM> UDP:88, timeout=30000,Attempt =1, #bytes=157
>>> KrbKdcReq send: #bytes read=228
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
PA-ETYPE-INFO etype = 3, salt = CERSSO.COMHTTPidpc.cersso.com<http://CERSSO.COMHTTPidpc.cersso.com>
PA-ETYPE-INFO etype = 1, salt = CERSSO.COMHTTPidpc.cersso.com<http://CERSSO.COMHTTPidpc.cersso.com>
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 15
...........
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
****************************************
The idp-process.log file into shibboleth
14:49:47.904 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: CERSSO.COM<http://CERSSO.COM>
14:49:47.904 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:118] - Logging KDC 'CERSSO.COM<http://CERSSO.COM>'.
14:49:47.968 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:127] - KDC Logging successful.
14:49:47.968 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:133] - Creating GSS context.
14:49:47.975 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:145] - GSS context created.
14:49:47.975 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:150] - Validating the GSS Token.
14:49:47.988 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871) ~[na:1.7.0_02]
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:151) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102) ~[na:1.7.0_02]
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94) ~[na:1.7.0_02]
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177) ~[na:1.7.0_02]
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278) ~[na:1.7.0_02]
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) ~[na:1.7.0_02]
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[na:1.7.0_02]
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761) ~[na:1.7.0_02]
... 33 common frames omitted
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408) ~[na:1.7.0_02]
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91) ~[na:1.7.0_02]
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100) ~[na:1.7.0_02]
... 39 common frames omitted
14:49:47.989 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
14:49:47.996 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
14:49:47.997 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
14:49:47.997 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:218] - Redirecting to /login.jsp
14:49:47.999 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:105] - cookie '_idp_krb_autologin' created [value=false, maxage=31536000, path=/idp, secure=true, domain=null]
14:49:47.999 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20120106/4372251a/attachment-0001.html
More information about the users
mailing list