Crypto with the Kerberos Login Handler
Douglas E. Engert
deengert at anl.gov
Fri Jan 6 15:55:27 GMT 2012
On 1/6/2012 8:56 AM, MOTTE Frederic wrote:
> Hi Rodrigo,
>
> Thank you for your help.
>
> I have changed my Active Directory (2008 to 2003) and followed your guidelines.
>
> The result is better. It solved my crypto problem. Why, I don't know, but it's OK.
2003 can use ArcFour (also called RC4) and DES.
W2008 introduces AES-128 and AES-256, and also turns off DES by default.
Java Kerberos has always been slow to support newer enctypes, and with the Sun Java,
you may also need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction
Policy Files 6 to use AES-256.
http://www.oracle.com/technetwork/java/javase/downloads/index.html
Even with this we had problems with Java and GSSAPI, so we fell back to using ArcFour
and added to the /etc/krb5.conf file used by the IDP:
default_tkt_enctypes = arcfour-hmac-md5
With W2008 DCs, we also use msktutil rather than ktpass, and use the --enctype 28
--no-pac --disable-delegation flags.
These set attributes in the AD account of the server principal:
--enctype 28 sets the msDS-supportedEncryptionTypes attribute to AES-256, AES-128
and RC4 (ArcFour) as valid enctypes. (This is a W2008-only attribute.)
http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx
--no-pac sets the NO_AUTH_DATA_REQUIRED bit in the userAccountControl attribute.
http://support.microsoft.com/kb/832572
The PAC is not used by the IDP today, and there have been Java issues with AES
and checksums on the PAC.
--disable-delegation turns off the TRUSTED_FOR_DELEGATION bit in the userAccountControl
attribute. (It's off by default.)
If you use ktpass, consider setting the msDS-supportedEncryptionTypes
and the NO_AUTH_DATA_REQUIRED bit in the userAccountControl using Windows tools.
>
> But I have another problem. When I try to use the keytab into the LoginHandler configuration file, the result is
>
> Specified version of key is not available (44)
Either you did not destroy the test user's ticket cache when you updated
the keytabs, thus using an older cached ticket with the wrong KVNO,
or the KVNO in the DC does not match the KVNO in the keytab.
klist -k -e
should show the KVNO and enctypes in the keytab.
The KVNO in AD is in the attribute msDS-keyVersionNumber on the service principal account.
>
> I regenerated the keytab and reinitialized the user password, without success. So I tried to replace the keytab with the password. The result is better, but the following exception is thrown: "Checksum failed".
>
From what you say, you may have gotten AD and the keytab out of sync.
(AD stores a single password for each account, and uses it to generate
a key when needed for any of the principals on the account (userPrincipalName or
servicePrincipalName). If you have more than one service principal on the account,
they use the same key, and all have to be updated at the same time.)
So if you change the password on the account, you need to change the keytab.
ktpass and msktutil both can generate random passwords and keep the AD account
and keytabs in sync.
> The traces for each test follow.
>
> Thanks
>
> Frederic
>
> ***************************************************
>
> The following trace is for the keytab.
>
> The localhost.log file in Tomcat:
>
> Jan 06, 2012 2:33:04 PM org.apache.catalina.core.ApplicationContext log
> INFO: ContextListener: contextInitialized()
> Jan 06, 2012 2:33:04 PM org.apache.catalina.core.ApplicationContext log
> INFO: SessionListener: contextInitialized()
> Jan 06, 2012 2:33:26 PM org.apache.catalina.core.StandardWrapperValve invoke
> INFO: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /home/stcia/Desktop/idpc.http.keytab refreshKrb5Config is true
> principal is HTTP/idpc.cersso.com@CERSSO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> Refreshing Kerberos configuration
> Config name: /etc/krb5.conf
> >>> KdcAccessibility: reset
> >>> KdcAccessibility: reset
> >>> KeyTabInputStream, readName(): CERSSO.COM
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): idpc.cersso.com
> >>> KeyTab: load() entry length: 66; type: 23
> Added key: 23version: 9
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 23 1 3.
> Added key: 23version: 9
> ……….
>
> SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
> SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> Added key: 23version: 9
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 23 1 3.
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
>
> ****************************************
> The idp-process.log file in Shibboleth
>
>
> 14:33:26.600 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: CERSSO.COM
> 14:33:26.600 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:118] - Logging KDC 'CERSSO.COM'.
> 14:33:26.646 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:127] - KDC Logging successful.
> 14:33:26.646 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:133] - Creating GSS context.
> 14:33:26.656 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:145] - GSS context created.
> 14:33:26.657 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:150] - Validating the GSS Token.
> 14:33:26.669 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
> at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871) ~[na:1.7.0_02]
> at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
> at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:151) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
> at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
> Caused by: sun.security.krb5.KrbException: Specified version of key is not available (44)
> at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588) ~[na:1.7.0_02]
> at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270) ~[na:1.7.0_02]
> at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) ~[na:1.7.0_02]
> at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[na:1.7.0_02]
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761) ~[na:1.7.0_02]
> ... 33 common frames omitted
> 14:33:26.670 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
> javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
> at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
> at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
> 14:33:26.670 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
> 14:33:26.671 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
> 14:33:26.671 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:218] - Redirecting to /login.jsp
> 14:33:26.679 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:105] - cookie '_idp_krb_autologin' created [value=false, maxage=31536000, path=/idp, secure=true, domain=null]
> 14:33:26.679 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
>
> ========================================================
>
> The trace for the password
>
> The localhost.log file in Tomcat:
>
> Jan 06, 2012 2:49:47 PM org.apache.catalina.core.StandardWrapperValve invoke
> INFO: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is refreshKrb5Config is true principal is HTTP/idpc.cersso.com@CERSSO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> Refreshing Kerberos configuration
> Config name: /etc/krb5.conf
> >>> KdcAccessibility: reset
> >>> KdcAccessibility: reset
> Ordering keys wrt default_tkt_enctypes list
> default etypes for default_tkt_enctypes: 23 23 1 3.
> Key for the principal HTTP/idpc.cersso.com@CERSSO.COM not available in
> [Krb5LoginModule] user entered username: HTTP/idpc.cersso.com@CERSSO.COM
>
> default etypes for default_tkt_enctypes: 23 23 1 3.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=AD2003.CERSSO.COM UDP:88, timeout=30000, number of retries =3, #bytes=157
> >>> KDCCommunication: kdc=AD2003.CERSSO.COM UDP:88, timeout=30000,Attempt =1, #bytes=157
> >>> KrbKdcReq send: #bytes read=228
> >>>Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
> PA-ETYPE-INFO etype = 3, salt = CERSSO.COMHTTPidpc.cersso.com
> PA-ETYPE-INFO etype = 1, salt = CERSSO.COMHTTPidpc.cersso.com
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 15
> ………..
>
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> [Krb5LoginModule]: Entering logout
> [Krb5LoginModule]: logged out Subject
>
> ****************************************
> The idp-process.log file in Shibboleth
>
>
> 14:49:47.904 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: CERSSO.COM
> 14:49:47.904 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:118] - Logging KDC 'CERSSO.COM'.
> 14:49:47.968 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:127] - KDC Logging successful.
> 14:49:47.968 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:133] - Creating GSS context.
> 14:49:47.975 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:145] - GSS context created.
> 14:49:47.975 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:150] - Validating the GSS Token.
> 14:49:47.988 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
> at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871) ~[na:1.7.0_02]
> at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) ~[na:1.7.0_02]
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) ~[na:1.7.0_02]
> at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:151) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
> at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102) ~[na:1.7.0_02]
> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94) ~[na:1.7.0_02]
> at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:177) ~[na:1.7.0_02]
> at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278) ~[na:1.7.0_02]
> at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) ~[na:1.7.0_02]
> at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) ~[na:1.7.0_02]
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761) ~[na:1.7.0_02]
> ... 33 common frames omitted
> Caused by: java.security.GeneralSecurityException: Checksum failed
> at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408) ~[na:1.7.0_02]
> at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91) ~[na:1.7.0_02]
> at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100) ~[na:1.7.0_02]
> ... 39 common frames omitted
> 14:49:47.989 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
> javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
> at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
> at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81) [shibboleth-identityprovider-2.3.5.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.3.4.jar:na]
> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.33]
> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.33]
> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.33]
> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.33]
> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:291) [catalina.jar:6.0.33]
> at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.33]
> at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.33]
> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.33]
> at java.lang.Thread.run(Thread.java:722) [na:1.7.0_02]
> 14:49:47.996 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
> 14:49:47.997 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
> 14:49:47.997 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:218] - Redirecting to /login.jsp
> 14:49:47.999 - TRACE [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:105] - cookie '_idp_krb_autologin' created [value=false, maxage=31536000, path=/idp, secure=true, domain=null]
> 14:49:47.999 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
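Added example, not part of the thread or of the Kerberos login handler: a small Python checker that reads the keytab format Java's KeyTabInputStream loads, lists KVNO and enctype per entry the way klist -k -e does, and compares them with the three AD attributes discussed above (msDS-keyVersionNumber, msDS-supportedEncryptionTypes, userAccountControl) to explain a "Specified version of key is not available (44)" before it happens. The keytab bytes and key material are constructed, the AD values are passed in as integers read with whatever LDAP tool you use, the function names are my own, and the RC4 fallback for an account without msDS-supportedEncryptionTypes is an assumption.

```python
import struct
from typing import Dict, List, Tuple

# msDS-supportedEncryptionTypes bit -> enctype number; 28 = 0x1C = RC4|AES128|AES256.
SUPPORTED_ENCTYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
# userAccountControl bits named in the thread.
UAC_TRUSTED_FOR_DELEGATION = 0x00080000
UAC_NO_AUTH_DATA_REQUIRED = 0x02000000


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, pos)      # uint16 length-prefixed octet string
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(buf: bytes) -> List[Dict]:
    """List live entries of a 0x0502 keytab as klist -k -e does: principal, kvno, enctype."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size < 0:                       # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, pos = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(buf, pos)
            comps.append(comp.decode())
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", buf, pos)
        etype, keylen = struct.unpack_from(">HH", buf, pos + 9)
        pos += 13 + keylen                 # the key bytes themselves are not needed
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8 if non-zero
            (vno32,) = struct.unpack_from(">I", buf, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype})
    return entries


def keytab_entry(realm: str, comps: List[str], kvno: int, etype: int, key: bytes) -> bytes:
    """Encode one keytab entry (constructed test data; the key bytes are dummies)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno)        # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


PRINCIPAL = "HTTP/idpc.cersso.com@CERSSO.COM"
# Constructed keytab; the RC4 entry is 66 bytes, the length Java logged for the real one.
KEYTAB = (b"\x05\x02"
          + keytab_entry("CERSSO.COM", ["HTTP", "idpc.cersso.com"], 9, 23, b"\x11" * 16)
          + struct.pack(">i", -3) + b"\x00\x00\x00"   # a deleted slot the parser skips
          + keytab_entry("CERSSO.COM", ["HTTP", "idpc.cersso.com"], 9, 18, b"\x22" * 32))


def check_against_ad(entries: List[Dict], principal: str, ad_kvno: int,
                     ad_enctype_bits: int, ad_uac: int) -> List[str]:
    """Compare the keytab with the AD account attributes; return a list of findings."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return [f"no keytab entry for {principal}"]
    findings = []
    kvnos = sorted({e["kvno"] for e in mine})
    if ad_kvno not in kvnos:               # the 'Specified version of key is not available' case
        findings.append(f"KVNO mismatch: keytab {kvnos}, msDS-keyVersionNumber {ad_kvno}")
    # Assumption: attribute absent/zero (pre-W2008 account) means the DC issues RC4 keys.
    ad_etypes = {et for bit, et in SUPPORTED_ENCTYPE_BITS.items() if ad_enctype_bits & bit} or {23}
    if not {e["enctype"] for e in mine} & ad_etypes:
        findings.append("no enctype shared by keytab and msDS-supportedEncryptionTypes")
    if not ad_uac & UAC_NO_AUTH_DATA_REQUIRED:
        findings.append("NO_AUTH_DATA_REQUIRED not set: tickets will carry a PAC")
    if ad_uac & UAC_TRUSTED_FOR_DELEGATION:
        findings.append("TRUSTED_FOR_DELEGATION is set on the service account")
    return findings
```

Run check_against_ad(parse_keytab(open(path, "rb").read()), principal, kvno, bits, uac) with the values read from the service account; an empty list means the keytab and AD agree on everything the thread names.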