Which handler LDAP SSO

Morris, Andi amorris at cardiffmet.ac.uk
Wed Nov 12 10:58:53 EST 2014 

Looking a little better now. Still not quite there though, Shibboleth isn't authenticating me with my currently logged on credentials. I've tested those credentials directly on the shib idp server using kinit and there's no issue there.

Here's the output from the process log:
15:52:17.207 - INFO [Shibboleth-Access:73] - 20141112T155217Z|192.168.42.42|idp.dev.cardiffmet.ac.uk:443|/profile/SAML2/Redirect/SSO|
15:52:17.368 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:297] - AutoLogin not active: redirecting to login page
15:52:17.368 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
15:52:17.387 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
15:52:27.810 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
15:52:27.811 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP: Returning response code '401'. Authorization header not found.
15:52:27.820 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
15:52:27.821 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: INTERNAL.UWIC.AC.UK
15:52:27.822 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context
java.lang.IllegalArgumentException: Invalid password
        at ch.SWITCH.aai.idp.kerberos.UsernamePasswordCallbackHandler.handle(KrbLoginModul.java:63) ~[kerberos-login-handler-1.0.jar:na]
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:874) ~[na:1.7.0_71]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) ~[na:1.7.0_71]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) ~[na:1.7.0_71]
        at ch.SWITCH.aai.idp.kerberos.KrbLoginModul.login(KrbLoginModul.java:117) ~[kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:122) ~[kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina-6.0.24.jar:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina-6.0.24.jar:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina-6.0.24.jar:na]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.24.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_71]
15:52:27.823 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
        at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
        at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.3.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina-6.0.24.jar:na]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina-6.0.24.jar:na]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina-6.0.24.jar:na]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina-6.0.24.jar:na]
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote-6.0.24.jar:na]
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.24.jar:na]
        at java.lang.Thread.run(Thread.java:745) [na:1.7.0_71]
15:52:27.823 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
15:52:27.823 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
15:52:27.825 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.

As always, I appreciate anybody's help.

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Morris, Andi
Sent: 12 November 2014 15:06
To: 'Shib Users'
Subject: RE: Which handler LDAP SSO

Aha, yes I can see that now, thanks. I hadn't configured the attribute resolver with all the examples given. I think I couldn't see the wood for the trees.

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 12 November 2014 14:34
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO

Andi,

I have not done such an integration myself so far so can't comment on further details.

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-12 15:08]:
> 13:56:17.790 - ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:188]
> - Configuration was not loaded for shibboleth.AttributeResolver 
> service, error creating components.  The root cause of this error
> was: org.xml.sax.SAXParseException: Key 
> 'DataConnectorAttributeDefinitionDependencyRef' with value 
> 'HTTP/servername.cardiffmet.ac.uk' not found for identity constraint 
> of element 'AttributeResolver'.
[...]
>       <resolver:Dependency ref="HTTP/servername.cardiffmet.ac.uk" />
>       <resolver:Dependency ref="INTERNAL.DOMAIN.AC.UK" />

The resolver:Dependency elements reference the internal ids of data connectors defined in the attribute resolver, they know nothing about kerberos. The root cause for this seems to be a confusion about this part in the Kerberos Login Handler docs:
  <resolver:Dependency ref="krb_principalname" />
  <resolver:Dependency ref="krb_domain" /> Those strings are meant to be used literally, they reference by name data connectors defined elsewhere on that page.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list