SPNEGO in IdP 3.2
Chris Franks
chris.franks at newcastle.ac.uk
Fri Nov 27 10:58:04 EST 2015
Thanks Simon - I'd kinda thought that was the case (the keytab I got working was set up for our dev IdP).
Odd that it worked on the command line, but thanks for clarifying.
Chris
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Simon Lundström
Sent: 27 November 2015 15:16
To: Shib Users <users at shibboleth.net>
Subject: Re: SPNEGO in IdP 3.2
Hi Chris!
Let me guess; you put `10.8.233.130 gateway.ncl.ac.uk` in /etc/hosts on your laptop and then tried to use gateway.ncl.ac.uk as usual?
Kerberos isn't very helpful with its error messages IMO, but I ran into the exact same thing and I fixed it by adding `10.8.233.130 gateway.ncl.ac.uk` (or rather, our equivalent) to our dev IdP's /etc/hosts too, and it worked. Kerberos is very strict that DNS is working, both forward and reverse.
Hope this helped you (and future people)!
BR,
- Simon
On Fri, 2015-11-20 at 09:24:35 +0000, Chris Franks wrote:
> Hi,
>
> I've just set up a test IdP installation to see how we can replicate our current SPNEGO setup in IdP 3.2 (CentOS 6.7/apache-tomcat-8.0.26).
>
> I'm getting a checksum error in the IdP logs:
>
> 2015-11-20 09:12:10,557 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:175] - Validating the first GSS input token against service principal: HTTP/gateway.ncl.ac.uk at CAMPUS.NCL.AC.UK
> 2015-11-20 09:12:10,567 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:188] - Error establishing security context
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,572 - DEBUG [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:165] - Exception processing GSS token
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,595 - WARN [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:94] - Profile Action ValidateExternalAuthentication: External authentication produced exception
> net.shibboleth.idp.authn.ExternalAuthenticationException: SPNEGONotAvailable
>         at net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController.continueSPNEGO(SPNEGOAuthnController.java:167)
> Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,596 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:130] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/SPNEGO to intermediate set
>
> But the keytab itself works fine on the command line:
>
> [root at devidp authn]# kinit ncf17
> Password for ncf17 at CAMPUS.NCL.AC.UK:
> [root at devidp authn]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ncf17 at CAMPUS.NCL.AC.UK
>
> Valid starting       Expires              Service principal
> 11/20/15 09:10:32    11/20/15 17:10:32    krbtgt/CAMPUS.NCL.AC.UK at CAMPUS.NCL.AC.UK
>
> Our krb5.conf has:
>
> default_tgt_enctypes = arcfour-hmac
> default_tgs_enctypes = arcfour-hmac
>
> so it looks like the right decryption method is being used... could this be to do with the Java version (1.8.0_65)?
>
> I remember keytabs/encryption types being a pain the last time we set this up, but it's been a while so any pointers would be greatly received :)
>
> Thanks,
>
> Chris
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
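The thread's "Checksum failed" comes from the IdP trying to decrypt the client's service ticket with a key it does not hold, and Simon's point is that the name the client used (gateway.ncl.ac.uk) and the name the IdP host resolves to must agree in both directions. The script below, an added example that is not code from the thread or from the Shibboleth project, cross-checks the three things a practitioner would look at: the service principal and enctype named in the IdP log, the principals and enctypes present in the keytab (as listed by `klist -kte`), and a hosts-style name table standing in for forward/reverse DNS. The IdP log lines are taken from the post; the keytab listing (principal HTTP/devidp.ncl.ac.uk, kvno 3, timestamps) and the hosts entries are constructed for the example, and the mapping from JDK `*EType` class names to enctype names is an assumption about the JDK's class naming.

```python
"""Cross-check an IdP SPNEGO 'Checksum failed' error against the keytab and
name resolution.  Added example, not part of the original thread."""
import re

# Assumption: JDK enctype classes are named after the Kerberos enctype; only
# the ArcFour one appears in the thread, the AES names are added for breadth.
ENCTYPE_BY_JAVA_CLASS = {
    "ArcFourHmacEType": "arcfour-hmac",
    "Aes128CtsHmacSha1EType": "aes128-cts-hmac-sha1-96",
    "Aes256CtsHmacSha1EType": "aes256-cts-hmac-sha1-96",
}

# The decisive IdP log lines from the post (wrapping removed, '@' restored).
IDP_LOG = """\
2015-11-20 09:12:10,557 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:175] - Validating the first GSS input token against service principal: HTTP/gateway.ncl.ac.uk@CAMPUS.NCL.AC.UK
2015-11-20 09:12:10,567 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:188] - Error establishing security context
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
"""

# Constructed `klist -kte` output: a keytab issued for the dev IdP's own name,
# not for the name the client presented.  Principal, kvno, dates are made up.
KEYTAB_LISTING = """\
Keytab name: FILE:/opt/shibboleth-idp/credentials/http.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/19/15 14:02:11 HTTP/devidp.ncl.ac.uk@CAMPUS.NCL.AC.UK (arcfour-hmac)
   3 11/19/15 14:02:11 HTTP/devidp.ncl.ac.uk@CAMPUS.NCL.AC.UK (aes256-cts-hmac-sha1-96)
"""

# Constructed hosts table for the IdP box: the gateway name was added after
# the dev name, so a reverse lookup of the address yields the dev name first.
HOSTS = """\
127.0.0.1      localhost
10.8.233.130   devidp.ncl.ac.uk devidp
10.8.233.130   gateway.ncl.ac.uk
"""

KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+@\S+)\s+\(([^)]+)\)\s*$")


def parse_idp_log(text):
    """Extract the validated service principal, whether a checksum failure
    occurred, and the enctype whose decrypt raised it."""
    result = {"service_principal": None, "checksum_failed": False, "enctype": None}
    for line in text.splitlines():
        m = re.search(r"against service principal:\s*(\S+)", line)
        if m:
            result["service_principal"] = m.group(1)
        if "Checksum failed" in line:
            result["checksum_failed"] = True
        m = re.search(r"crypto\.(\w+EType)\.decrypt", line)
        if m:
            result["enctype"] = ENCTYPE_BY_JAVA_CLASS.get(m.group(1), m.group(1))
    return result


def parse_keytab_listing(text):
    """Turn `klist -kte` rows into dicts; header and separator lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            keys.append({"kvno": int(m.group(1)), "principal": m.group(4), "enctype": m.group(5)})
    return keys


def parse_hosts(text):
    """Build forward (name -> ip) and reverse (ip -> [names]) maps; like a
    hosts-file lookup, the first line for an address wins on the reverse side."""
    forward, reverse = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            forward.setdefault(name, ip)
        reverse.setdefault(ip, names)
    return forward, reverse


def diagnose(log_text, keytab_text, hosts_text):
    """Return human-readable findings explaining a checksum failure, if any."""
    findings = []
    log = parse_idp_log(log_text)
    keys = parse_keytab_listing(keytab_text)
    forward, reverse = parse_hosts(hosts_text)
    spn = log["service_principal"]
    if not spn:
        return ["no 'Validating ... service principal' line found in the IdP log"]
    for_spn = [k for k in keys if k["principal"] == spn]
    if not for_spn:
        have = sorted({k["principal"] for k in keys})
        findings.append(f"keytab holds no key for {spn}; principals present: {', '.join(have) or 'none'}")
    elif log["enctype"] and not any(k["enctype"] == log["enctype"] for k in for_spn):
        findings.append(f"keytab has {spn} but no {log['enctype']} key, which is what the ticket used")
    host = spn.split("/", 1)[1].split("@", 1)[0]
    ip = forward.get(host)
    if ip is None:
        findings.append(f"{host} does not resolve in the supplied name table")
    elif reverse[ip][0] != host:
        findings.append(f"{ip} maps back to {reverse[ip][0]}, not {host}; forward and reverse names disagree")
    if log["checksum_failed"] and not findings:
        findings.append("checksum failed but keytab and names look consistent; compare the kvno with the KDC")
    return findings


if __name__ == "__main__":
    for finding in diagnose(IDP_LOG, KEYTAB_LISTING, HOSTS):
        print("-", finding)
```

On the constructed input the script reports both problems from the thread: the keytab carries no key for HTTP/gateway.ncl.ac.uk, and the address the gateway name resolves to maps back to the dev IdP's name. Against a real host, feed it the IdP's idp-process.log, the output of `klist -kte /path/to/keytab`, and the machine's /etc/hosts (or a `getent hosts` dump); the hosts table is only a stand-in for the forward and reverse DNS checks Kerberos itself performs.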