SPNEGO in IdP 3.2

Chris Franks chris.franks at newcastle.ac.uk
Fri Nov 27 10:58:04 EST 2015


Thanks Simon - I'd kinda thought that was the case (the keytab I got working was set up for our dev IdP).

Odd that it worked on the command line but thanks for clarifying.

Chris

-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Simon Lundström
Sent: 27 November 2015 15:16
To: Shib Users <users at shibboleth.net>
Subject: Re: SPNEGO in IdP 3.2

Hi Chris!

Let me guess; you put `10.8.233.130 gateway.ncl.ac.uk` in /etc/hosts on your laptop and then tried to use gateway.ncl.ac.uk as usual?

Kerberos isn't very helpful with its error messages IMO, but I ran into the exact same thing and I fixed it by adding `10.8.233.130 gateway.ncl.ac.uk` (or rather, our equivalent) to our dev IdP's /etc/hosts too, and then it worked. Kerberos is very strict that DNS is working, both forward and reverse.

Hope this helped you (and future people)!

BR,
- Simon

On Fri, 2015-11-20 at 09:24:35 +0000, Chris Franks wrote:
> Hi,
> 
> I've just set up a test IdP installation to see how we can replicate our current SPNEGO setup in IdP 3.2 (Centos 6.7/apache-tomcat-8.0.26).
> 
> I'm getting a checksum error in the IdP logs:
> 
> 2015-11-20 09:12:10,557 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:175] - Validating the first GSS input token against service principal: HTTP/gateway.ncl.ac.uk at CAMPUS.NCL.AC.UK
> 2015-11-20 09:12:10,567 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:188] - Error establishing security context
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,572 - DEBUG [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:165] - Exception processing GSS token
> org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,595 - WARN [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:94] - Profile Action ValidateExternalAuthentication: External authentication produced exception
> net.shibboleth.idp.authn.ExternalAuthenticationException: SPNEGONotAvailable
>         at net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController.continueSPNEGO(SPNEGOAuthnController.java:167)
> Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
>         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
> Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)
> Caused by: java.security.GeneralSecurityException: Checksum failed
>         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)
> 2015-11-20 09:12:10,596 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:130] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/SPNEGO to intermediate set
> 
> But the keytab itself works fine on the command line:
> 
> [root at devidp authn]# kinit ncf17
> Password for ncf17 at CAMPUS.NCL.AC.UK:
> [root at devidp authn]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: ncf17 at CAMPUS.NCL.AC.UK
> 
> Valid starting     Expires            Service principal
> 11/20/15 09:10:32  11/20/15 17:10:32  krbtgt/CAMPUS.NCL.AC.UK at CAMPUS.NCL.AC.UK
> 
> Our krb5.conf has:
> 
> default_tgt_enctypes = arcfour-hmac
> default_tgs_enctypes = arcfour-hmac
> 
> so it looks like the right decryption method is being used... could this be to do with the Java version (1.8.0_65)?
> 
> I remember keytabs/encryption types being a pain the last time we set 
> this up but it's been a while so any pointers would be greatly 
> received :)
> 
> Thanks,
> 
> Chris
> 

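In the trace quoted above the JGSS acceptor selects its arcfour-hmac key for HTTP/gateway.ncl.ac.uk@CAMPUS.NCL.AC.UK and the checksum check fails on decrypt, which means the key in the keytab is not the key the KDC encrypted the ticket with; before looking anywhere else it is worth listing exactly what the keytab holds (principal, enctype, kvno). The following is an added example, not code from this thread or from the Shibboleth project: a small parser for the MIT keytab format (version 2) plus a builder used only to construct the sample keytab inline. The principal and the enctypes are from the thread; kvno 3 and the all-zero key bytes are made up.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def build_keytab(entries):
    """Encode (principal, enctype, kvno, key) tuples as a v2 MIT keytab (sample data only)."""
    out = b"\x05\x02"                                    # keytab format version 2
    for princ, enctype, kvno, key in entries:
        name, realm = princ.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1)         # component count excludes the realm
        body += b"".join(struct.pack(">H", len(p)) + p for p in parts)  # counted strings
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, enctype, kvno)] for every live entry of an MIT keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is supported"
    pos, entries = 2, []
    while pos < len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                                     # deleted entry: skip the hole
            pos -= size
            continue
        end, names = pos + size, []
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        for _ in range(ncomp + 1):                       # realm first, then name components
            (n,) = struct.unpack_from(">H", data, pos)
            names.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                                 # skip over the key material
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(names[1:]) + "@" + names[0], enctype, kvno))
        pos = end
    return entries

def check_keytab(data, principal, needed_enctype):
    """Does the keytab hold a key for `principal` in the enctype the KDC issues?"""
    keys = [(e, k) for p, e, k in parse_keytab(data) if p == principal]
    return {"present": bool(keys), "kvnos": sorted({k for _, k in keys}),
            "enctypes": sorted(ENCTYPES.get(e, str(e)) for e, _ in keys),
            "usable": any(e == needed_enctype for e, _ in keys)}

# Constructed sample (kvno 3 and zero keys are made up): the thread's principal, two enctypes
SAMPLE = build_keytab([("HTTP/gateway.ncl.ac.uk@CAMPUS.NCL.AC.UK", 23, 3, bytes(16)),
                       ("HTTP/gateway.ncl.ac.uk@CAMPUS.NCL.AC.UK", 18, 3, bytes(32))])
```

For a real keytab, `klist -kte` prints the same fields; compare the kvno it reports with `kvno HTTP/gateway.ncl.ac.uk` run from a host holding a valid TGT, and the enctypes with the `default_tgs_enctypes` setting quoted above.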

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

