Which handler LDAP SSO

Douglas E Engert deengert at gmail.com
Wed Nov 12 16:36:26 EST 2014



On 11/12/2014 9:58 AM, Morris, Andi wrote:
> Looking a little better now. Still not quite there though, Shibboleth isn't authenticating me with my currently logged on credentials. I've tested those credentials directly on the shib idp server using kinit and there's no issue there.
>

Another tool to use is wireshark on the client. It can show all the Kerberos traffic between client and KDC (DC), including principal names,
enctypes and key version numbers.


> Here's the output from the process log:
> 15:52:17.207 - INFO [Shibboleth-Access:73] - 20141112T155217Z|192.168.42.42|idp.dev.cardiffmet.ac.uk:443|/profile/SAML2/Redirect/SSO|
> 15:52:17.368 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:297] - AutoLogin not active: redirecting to login page
> 15:52:17.368 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
> 15:52:17.387 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
> 15:52:27.810 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 15:52:27.811 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP: Returning response code '401'. Authorization header not found.

Not clear if this is an error or OK; maybe the client does not like the realm.

What browser?

The krb login handler has some test pages that you can run too:
See the kerberos-report.jsp


> 15:52:27.820 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 15:52:27.821 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:87] - Validating GSS token. Realm: INTERNAL.UWIC.AC.UK
> 15:52:27.822 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor:98] - Error validating security context

Sounds like there is no GSS token, message below: "There is no gssapi data to continue the process."



> java.lang.IllegalArgumentException: Invalid password
>          at ch.SWITCH.aai.idp.kerberos.UsernamePasswordCallbackHandler.handle(KrbLoginModul.java:63) ~[kerberos-login-handler-1.0.jar:na]
>          at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:874) ~[na:1.7.0_71]
>          at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) ~[na:1.7.0_71]
>          at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) ~[na:1.7.0_71]
>          at ch.SWITCH.aai.idp.kerberos.KrbLoginModul.login(KrbLoginModul.java:117) ~[kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptRealmSecContext(KrbContextAcceptor.java:122) ~[kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbContextAcceptor.acceptSecContext(KrbContextAcceptor.java:89) ~[kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:86) [kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina-6.0.24.jar:na]
>          at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.24.jar:na]
>          at java.lang.Thread.run(Thread.java:745) [na:1.7.0_71]
> 15:52:27.823 - ERROR [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:158] - Authentication process error.
> javax.servlet.ServletException: It was not possible to established context. There is no gssapi data to continue the process.
>          at ch.SWITCH.aai.idp.kerberos.HttpNegotiator.authenticate(HttpNegotiator.java:142) ~[kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:144) [kerberos-login-handler-1.0.jar:na]
>          at ch.SWITCH.aai.idp.kerberos.KrbLoginServlet.service(KrbLoginServlet.java:115) [kerberos-login-handler-1.0.jar:na]
>          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [tomcat6-servlet-2.5-api-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.3.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina-6.0.24.jar:na]
>          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina-6.0.24.jar:na]
>          at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote-6.0.24.jar:na]
>          at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote-6.0.24.jar:na]
>          at java.lang.Thread.run(Thread.java:745) [na:1.7.0_71]
> 15:52:27.823 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:185] - Authentication failed.
> 15:52:27.823 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:262] - Redirecting to login page
> 15:52:27.825 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginHandler:249] - 'auto login' cookie sent.
>
> As always, I appreciate anybody's help.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Morris, Andi
> Sent: 12 November 2014 15:06
> To: 'Shib Users'
> Subject: RE: Which handler LDAP SSO
>
> Aha, yes I can see that now, thanks. I hadn't configured the attribute resolver with all the examples given. I think I couldn't see the wood for the trees.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
> Sent: 12 November 2014 14:34
> To: users at shibboleth.net
> Subject: Re: Which handler LDAP SSO
>
> Andi,
>
> I have not done such an integration myself so far so can't comment on further details.
>
> * Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-12 15:08]:
>> 13:56:17.790 - ERROR
>> [edu.internet2.middleware.shibboleth.common.config.BaseService:188]
>> - Configuration was not loaded for shibboleth.AttributeResolver
>> service, error creating components.  The root cause of this error
>> was: org.xml.sax.SAXParseException: Key
>> 'DataConnectorAttributeDefinitionDependencyRef' with value
>> 'HTTP/servername.cardiffmet.ac.uk' not found for identity constraint
>> of element 'AttributeResolver'.
> [...]
>>        <resolver:Dependency ref="HTTP/servername.cardiffmet.ac.uk" />
>>        <resolver:Dependency ref="INTERNAL.DOMAIN.AC.UK" />
>
> The resolver:Dependency elements reference the internal ids of data connectors defined in the attribute resolver, they know nothing about kerberos. The root cause for this seems to be a confusion about this part in the Kerberos Login Handler docs:
>    <resolver:Dependency ref="krb_principalname" />
>    <resolver:Dependency ref="krb_domain" />
> Those strings are meant to be used literally; they reference by name data connectors defined elsewhere on that page.
> -peter
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
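The decision the handler is making at the "Returning response code '401'. Authorization header not found." and "There is no gssapi data to continue the process." log lines above can be reproduced offline when diagnosing why a browser never completes the Negotiate exchange. The script below is an added example, not code from the SWITCH Kerberos login handler or from anyone in this thread: it classifies the Authorization header a browser presents (missing, empty Negotiate, NTLM fallback, SPNEGO or raw Kerberos mechanism) using the RFC 2743 InitialContextToken framing and the SPNEGO (1.3.6.1.5.5.2) and Kerberos 5 (1.2.840.113554.1.2.2) mechanism OIDs. The sample headers are constructed, and all function names are my own.

```python
"""
Classify the HTTP Authorization header sent to a SPNEGO/Negotiate login
endpoint, mirroring the checks a Negotiate acceptor makes before it can
hand a GSS token to Kerberos. Added diagnostic example with constructed
sample headers; not the login handler's code.
"""
import base64
from typing import Dict, Optional, Tuple

# DER contents of the mechanism OIDs (without the 0x06 tag and length byte).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_MAGIC = b"NTLMSSP\x00"                    # NTLM tokens are not DER at all


def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_initial_context_token(oid: bytes, inner: bytes) -> bytes:
    """Build an RFC 2743 [APPLICATION 0] token: 0x60 <len> 0x06 <oidlen> <oid> <inner>.
    Used only to construct sample input; 'inner' is opaque filler here."""
    body = bytes([0x06, len(oid)]) + oid + inner
    return bytes([0x60]) + _der_len(len(body)) + body


def gss_mech_oid(token: bytes) -> Optional[bytes]:
    """Return the mechanism OID contents of an InitialContextToken, else None."""
    if len(token) < 2 or token[0] != 0x60:
        return None
    i = 1
    first = token[i]
    i += 1
    if first & 0x80:                       # long-form length: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or len(token) < i + n:
            return None
        i += n
    if len(token) < i + 2 or token[i] != 0x06:
        return None
    oid_len = token[i + 1]
    oid = token[i + 2 : i + 2 + oid_len]
    return oid if len(oid) == oid_len else None


def classify_authorization(header: Optional[str]) -> str:
    """Label the header the way the acceptor's log lines would describe it."""
    if header is None or not header.strip():
        return "missing"                   # acceptor answers 401 + WWW-Authenticate: Negotiate
    scheme, _, value = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme:" + scheme    # e.g. Basic; not a GSS exchange
    value = value.strip()
    if not value:
        return "negotiate-empty"           # "no gssapi data to continue the process"
    try:
        token = base64.b64decode(value, validate=True)
    except ValueError:
        return "negotiate-bad-base64"
    if token.startswith(NTLMSSP_MAGIC):
        return "negotiate-ntlm"            # browser fell back to NTLM: no ticket for the SPN
    oid = gss_mech_oid(token)
    if oid == SPNEGO_OID:
        return "negotiate-spnego"
    if oid == KRB5_OID:
        return "negotiate-krb5"
    return "negotiate-unknown"


def server_response(header: Optional[str]) -> Tuple[int, str]:
    """(status, WWW-Authenticate value) the acceptor should return for this header."""
    kind = classify_authorization(header)
    if kind in ("negotiate-spnego", "negotiate-krb5"):
        return 200, ""                     # hand the token to the Kerberos acceptor
    return 401, "Negotiate"                # re-challenge; log the 'kind' for diagnosis


# Constructed sample headers covering each branch (not captured traffic).
SAMPLE_HEADERS: Dict[str, Optional[str]] = {
    "no-header": None,
    "empty": "Negotiate",
    "basic": "Basic dXNlcjpwYXNz",
    "ntlm": "Negotiate " + base64.b64encode(NTLMSSP_MAGIC + b"\x01\x00\x00\x00").decode(),
    "spnego": "Negotiate " + base64.b64encode(
        build_initial_context_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")).decode(),
    "krb5-long": "Negotiate " + base64.b64encode(
        build_initial_context_token(KRB5_OID, b"\x01\x00" + b"\x00" * 200)).decode(),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_authorization(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, kind in classify_samples().items():
        print(f"{name:10s} -> {kind:22s} response={server_response(SAMPLE_HEADERS[name])}")
```

Pointing this at the headers seen in a capture answers the question the 401 line leaves open: an "ntlm" result means the browser had no Kerberos ticket for the IdP's HTTP/ service principal (the SPN, realm, or the browser's trusted-site configuration is the place to look), while "missing" on the second request means the browser never tried Negotiate at all.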


