SPNEGO & IDP 3.2.1

Koch, Ken ken at wustl.edu
Thu May 26 15:24:07 EDT 2016


Greetings. I'm working through the documentation for SPNEGO and Firefox. I believe the IDP is configured correctly, but all I see in the debug logs is:

2016-05-26 14:10:30,236 - DEBUG [net.shibboleth.idp.authn.spnego.impl.GSSContextAcceptor:175] - Validating the first GSS input token against service principal: HTTP/logindev.wustl.edu
2016-05-26 14:10:30,267 - DEBUG [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:175] - GSS security context is complete
2016-05-26 14:10:30,267 - ERROR [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:180] - Error extracting principal name from security context
2016-05-26 14:10:30,486 - WARN [net.shibboleth.idp.authn.impl.ValidateExternalAuthentication:94] - Profile Action ValidateExternalAuthentication: External authentication produced exception
net.shibboleth.idp.authn.ExternalAuthenticationException: SPNEGONotAvailable
                at net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController.continueSPNEGO(SPNEGOAuthnController.java:182)
2016-05-26 14:10:30,501 - INFO [net.shibboleth.idp.authn.impl.SelectAuthenticationFlow:130] - Profile Action SelectAuthenticationFlow: Moving incomplete flow authn/SPNEGO to intermediate set


I can issue tickets using krb5 and the IDP authN but I don't know how to test consuming them with SPNEGO.

When I look in Fiddler or HTTPFox, I see my header as:
Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAKZrUKIsXm+rOIbBjmaIqmCLqSVQpEXVQ7DcXrup3i38OF6nVvZPjlu+Megh2Jq9RwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAMNbiTClcBVAolAmCpGQrZA=

So I assume I'm sending a Kerberos ticket?

My Jetty debug logs simply say:
  Found KeyTab C:\Opt\Shibboleth-idp\credentials\logindev-idp-krb5.keytab for HTTP/logindev.wustl.edu@ACCOUNTSDEV.ADDEV.WUSTL.EDU

The jetty krb5 debug shows good info when issuing tickets, just not for my SPNEGO consumption.

Of note, the IDP is on Windows running in a domain NOT associated with the keytab principal. Not sure if this is an issue or not; moving domains is the only way I know to rule it out.

Next steps? Is there additional debug info I can light up for SPNEGO and GSS in the Shibboleth stack?

-Ken
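The post asks whether the Negotiate header it quotes carries a Kerberos ticket. That can be answered from the header alone: the base64 blob is a DER-encoded GSS-API initial context token, and when the outer OID is SPNEGO (1.3.6.1.5.5.2) the NegTokenInit inside lists every mechanism the browser is offering, in preference order, followed by the optimistic token for the first one. The parser below is an added example, not code from the post or from the Shibboleth project; it uses only the Python standard library, the function names (`parse_negotiate_header`, `offers_kerberos`, `describe`) are this example's own, and `POSTED_HEADER` is the header value exactly as quoted above. It also handles the non-SPNEGO case (a client that sends a bare Kerberos token with no negotiation wrapper), which the post does not show.

```python
import base64

# OIDs that appear in SPNEGO mechanism lists (RFC 4178, MS-SPNG, MS-NEGOEX).
SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID contents into dotted notation (base-128 arcs)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_negotiate_header(header_value):
    """Parse an 'Authorization: Negotiate <base64>' value.

    Returns a dict with outer_mech (OID of the GSS wrapper), mechs (OIDs the
    client offers, in preference order) and mech_token_prefix (first bytes of
    the optimistic token, e.g. b'NEGOEXTS' or b'NTLMSSP\\x00').
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)

    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:                        # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    _, oid_raw, pos = _read_tlv(body, 0)   # thisMech OID
    outer = _decode_oid(oid_raw)
    result = {"outer_mech": outer, "mechs": [], "mech_token_prefix": b""}

    if outer != SPNEGO_OID:                # bare mechanism token, no negotiation
        result["mechs"] = [outer]
        result["mech_token_prefix"] = body[pos:pos + 8]
        return result

    _, neg_token_init, _ = _read_tlv(body, pos)      # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_token_init, 0)         # SEQUENCE
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                               # [0] mechTypes
            _, mech_list, _ = _read_tlv(val, 0)       # SEQUENCE OF OID
            p = 0
            while p < len(mech_list):
                _, oid_raw, p = _read_tlv(mech_list, p)
                result["mechs"].append(_decode_oid(oid_raw))
        elif tag == 0xA2:                             # [2] mechToken
            _, tok, _ = _read_tlv(val, 0)             # OCTET STRING
            result["mech_token_prefix"] = tok[:8]
    return result


def offers_kerberos(parsed):
    """True if any offered mechanism is a Kerberos OID."""
    return any(m in KERBEROS_OIDS for m in parsed["mechs"])


def describe(parsed):
    """One-line human-readable verdict for a parsed header."""
    names = [KNOWN_MECHS.get(m, m) for m in parsed["mechs"]]
    verdict = "Kerberos offered" if offers_kerberos(parsed) else "NO Kerberos mechanism offered"
    return f"{verdict}; mechs={names}; token starts {parsed['mech_token_prefix']!r}"


# The Negotiate header value quoted in the post above (taken from the post, not constructed).
POSTED_HEADER = (
    "Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
    "AAAAAAAAAABgAAAAcAAAAKZrUKIsXm+rOIbBjmaIqmCLqSVQpEXVQ7DcXrup3i38OF6nVvZPjlu+Megh2Jq9"
    "RwAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAMNbiTClcBVAolAmCpGQrZA="
)

if __name__ == "__main__":
    print(describe(parse_negotiate_header(POSTED_HEADER)))
```

Run against the quoted header, the mech list comes back as NEGOEX (1.3.6.1.4.1.311.2.2.30) followed by NTLMSSP (1.3.6.1.4.1.311.2.2.10), and the optimistic token begins with the bytes `NEGOEXTS`; neither Kerberos OID is present. A Negotiate header whose list lacks the Kerberos OID means the browser did not present a Kerberos service ticket in that request at all, so the IdP's keytab and realm configuration are not yet being exercised by it; confirming that the client actually obtains and offers a ticket for the HTTP/ SPN is the first thing to settle before digging into keytab or cross-domain questions.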