Reg: Kerberos Login handler

Douglas E. Engert deengert at anl.gov
Thu Jan 17 13:51:01 EST 2013



On 1/17/2013 10:16 AM, Prasanna wrote:
> Thanks guys for your reply....
>
> I got my Kerberos login page now working. But when I select login with
> Kerberos I do get this following error. I would appreciate if someone could
> help me in resolving the error

Did you create a service principal for HTTP/fqdn@IMPEROIDMSTAGE.COM
where:
  fqdn is the lowercase name of the IdP.
  HTTP is HTTP in uppercase.

Is there a keytab with the service principal?

Is the keytab readable by tomcat?

What is in your handler.xml?

It sort of looks like the client browser may not have tried SPNEGO.

A wireshark trace of the client would show if it tries
to get a ticket for the service principal.


>
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:209] -
> Processing incoming request
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:240] -
> Beginning user authentication process.
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:283] -
> Filtering configured LoginHandlers:
> {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler at 90ea9c,
> urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler at 1ab564,
> urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos=ch.SWITCH.aai.idp.kerberos.KrbLoginHandler at 17ac8b3,
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler at 1ab564}
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:332] -
> Filtering out previous session login handler because there is no existing
> IdP session
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:464] -
> Selecting appropriate login handler from filtered set
> {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler at 1ab564,
> urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos=ch.SWITCH.aai.idp.kerberos.KrbLoginHandler at 17ac8b3,
> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler at 1ab564}
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:497] -
> Authenticating user with login handler of type
> edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler
> 15:48:07.979 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:66]
> - Redirecting to
> https://impero1.imperoidmstage.com:443/idp/Authn/UserPassword
> 15:48:08.135 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto
> login' cookie sent.
> 15:48:08.166 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:150]
> - Redirecting to login page /login.jsp
> 15:48:10.319 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:72] -
> KrbLoginServlet initializated
> 15:48:10.319 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 15:48:10.319 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP:
> Returning response code '401'. Authorization header not found.
> 15:48:10.334 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 15:48:10.334 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:88] -
> Validating GSS token. Realm: IMPEROIDMSTAGE.COM
> 15:48:10.490 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:125] -
> KDC 'IMPEROIDMSTAGE.COM', logging error.
> 15:48:10.490 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:99] -
> Error validating security context
> javax.security.auth.login.LoginException: Client not found in Kerberos
> database (devil)
>   at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown
> Source) ~[na:1.7.0_09]
>   at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
> ~[na:1.7.0_09]
>   at ch.SWITCH.aai.idp.kerberos.KrbLoginModul.login(KrbLoginModul.java:117)
> ~[kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:123)
> ~[kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:90)
> ~[kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86)
> [kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144)
> [kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115)
> [kerberos-login-handler-1.0.jar:na]
>   at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> [servlet-api.jar:na]
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>   at
> edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50)
> [shibboleth-identityprovider-2.3.8.jar:na]
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>   at
> edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:81)
> [shibboleth-identityprovider-2.3.8.jar:na]
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>   at
> edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52)
> [shibboleth-common-1.3.7.jar:na]
>   at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [catalina.jar:6.0.32]
>   at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
> [catalina.jar:6.0.32]
>   at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
> [tomcat-coyote.jar:6.0.32]
>   at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> [tomcat-coyote.jar:6.0.32]
>   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> [tomcat-coyote.jar:6.0.32]
>   at java.lang.Thread.run(Unknown Source) [na:1.7.0_09]
> Caused by: sun.security.krb5.KrbException: Client not found in Kerberos
> database (devil)
>   at sun.security.krb5.KrbAsRep.<init>(Unknown Source) ~[na:1.7.0_09]
>   at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source) ~[na:1.7.0_09]
>   at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source) ~[na:1.7.0_09]
>   ... 30 common frames omitted
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> expected value (906)
>   at sun.security.krb5.internal.KDCRep.init(Unknown Source) ~[na:1.7.0_09]
>   at sun.security.krb5.internal.ASRep.init(Unknown Source) ~[na:1.7.0_09]
>   at sun.security.krb5.internal.ASRep.<init>(Unknown Source) ~[na:1.7.0_09]
>   ... 33 common frames omitted
> 15:48:10.490 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] -
> Authentication process error.
> javax.servlet.ServletException: It was not possible to established context.
> There is no gssapi data to continue the process.
>   at
> ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142)
> ~[kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144)
> [kerberos-login-handler-1.0.jar:na]
>   at
> ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115)
> [kerberos-login-handler-1.0.jar:na]
>   at javax.servlet.http..
> Prasanna V B
> View this message in context: http://shibboleth.1660669.n2.nabble.com/Reg-Kerberos-Login-handler-tp7584113p7584122.html
> Sent from the Shibboleth - Users mailing list archive at Nabble.com.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
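The three keytab questions in the reply above (is HTTP/fqdn@REALM in the keytab, with HTTP upper-case and the host name lower-case; can the Tomcat user read the file; did the browser actually answer the 401 with a SPNEGO token) can be checked offline. The script below is an added example written for this thread; it is not code from the SWITCH Kerberos login handler, Shibboleth, or either poster. It builds a small version-0x0502 keytab in memory with a dummy key, parses it back, and classifies an Authorization header the way a defender reading the IdP log would want to. The principal name uses the host name from the log; the keytab contents, the dummy key and the sample headers are constructed.

```python
"""Offline checks for a SPNEGO login handler's prerequisites (constructed example):
  1. keytab contains HTTP/<fqdn>@<REALM> with the expected case,
  2. the Tomcat service account can read the keytab,
  3. the browser answered the 401 with a SPNEGO/Kerberos token, not NTLM or nothing.
The keytab is built in memory with a dummy key; no KDC is contacted.
"""
import base64
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT/Heimdal keytab file format, big-endian fields
NT_SRV_HST = 3               # name type for host-based service principals

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def build_keytab(entries):
    """entries: (principal 'svc/host@REALM', kvno, enctype, key bytes) tuples."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_SRV_HST, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                            # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data: bytes):
    """Return [{'principal', 'kvno', 'enctype'}, ...]; key material is not kept."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        _name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def check_service_principal(entries, fqdn: str, realm: str):
    """(ok, message) for the HTTP/fqdn@REALM principal a SPNEGO handler needs."""
    wanted = f"HTTP/{fqdn.lower()}@{realm.upper()}"
    names = [e["principal"] for e in entries]
    if wanted in names:
        return True, f"found {wanted}"
    near = [n for n in names if n.lower() == wanted.lower()]
    if near:   # http/... or a mixed-case host: the KDC treats these as different principals
        return False, f"case mismatch: keytab has {near[0]}, handler needs {wanted}"
    return False, f"{wanted} missing; keytab holds: {', '.join(names) or 'nothing'}"

def keytab_readable_by(path: str, uid: int, gids) -> bool:
    """Mode-bit check for 'can the Tomcat account read this file'
    (plain POSIX mode only; ACLs and SELinux labels are not consulted)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

def classify_authorization(header):
    """What the browser sent back after the 401 'WWW-Authenticate: Negotiate'."""
    if not header:
        return "none"          # the 'Authorization header not found' case in the log
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    raw = base64.b64decode(token)
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"          # browser fell back to NTLM: it never obtained a Kerberos ticket
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:   # GSS InitialContextToken, SPNEGO mech
        return "spnego"
    if raw[:1] == b"\x60" and KRB5_OID in raw[:16]:     # raw Kerberos 5 mech token
        return "krb5"
    return "unknown"

if __name__ == "__main__":
    kt = build_keytab([("HTTP/impero1.imperoidmstage.com@IMPEROIDMSTAGE.COM", 2, 18, b"\x00" * 32)])
    print(check_service_principal(parse_keytab(kt), "impero1.imperoidmstage.com", "IMPEROIDMSTAGE.COM"))
    print(classify_authorization("Negotiate TlRMTVNTUAABAAAA"))  # constructed NTLM type-1 prefix
```

To use it against a real deployment, read `/etc/krb5.keytab` (or wherever handler.xml points) into `parse_keytab`, pass Tomcat's uid and group ids to `keytab_readable_by`, and feed `classify_authorization` the header value captured from the browser's second request; a result of `none` or `ntlm` matches the "browser may not have tried SPNEGO" reading of the log, while `spnego` with a keytab that passes the principal check narrows the problem to the KDC side.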

