Loading...

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 7.1.0.ER3
Affects Version/s: 7.1.0.DR16
Component/s: Security
Labels:
- eap71_priority
- kerberos

CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

7.1.0.GA
Steps to Reproduce:
Hide

Follow steps for securing management interface with kerberos https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron

Replace creation of kerberos-security-factory to use wrong principal

/subsystem=elytron/kerberos-security-factory=krbSF:add( \ principal="HTTP/wrong_host@REALM", \ path="/path/to/http.keytab", \ )

Replace creation of http-authentication-factory with this command specifying protocol HTTP

/subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \ http-server-mechanism-factory=global, \ security-domain=exampleFsSD, \ mechanism-configurations=[ \ { \ mechanism-name=SPNEGO,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ], \ credential-security-factory=krbSF \ }, { \ mechanism-name=BASIC,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ] } ] \ )

Negotiate header is send, although it won't be possible to authenticate using SPNEGO
Show
Follow steps for securing management interface with kerberos https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron Replace creation of kerberos-security-factory to use wrong principal /subsystem=elytron/kerberos-security-factory=krbSF:add( \ principal= "HTTP/wrong_host@REALM" , \ path= "/path/to/http.keytab" , \ ) Replace creation of http-authentication-factory with this command specifying protocol HTTP /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \ http-server-mechanism-factory=global, \ security-domain=exampleFsSD, \ mechanism-configurations=[ \ { \ mechanism-name=SPNEGO,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ], \ credential-security-factory=krbSF \ }, { \ mechanism-name=BASIC,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ] } ] \ ) Negotiate header is send, although it won't be possible to authenticate using SPNEGO

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

If SPNEGO is misconfigured or KDC is down Negotiate header is still send back to client, although SPNEGO can't be used.

13:19:20,861 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost.localdomain' protocol='http'
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling AvailableRealmsCallback: realms = [fileSystemFallbackRealm]
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost.localdomain' protocol='http'
13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='DIGEST' host-name='localhost.localdomain' protocol='http'
13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost.localdomain' protocol='http'
13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
13:19:20,863 TRACE [org.wildfly.security] (management task-6) Evaluating SPNEGO request: cached GSSContext = null
13:19:20,863 TRACE [org.wildfly.security] (management task-6) Obtaining GSSCredential for the service from callback handler...
13:19:20,863 TRACE [org.wildfly.security] (management task-6) No valid cached credential, obtaining new one...
13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
]
13:19:20,863 INFO  [stdout] (management task-6) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab refreshKrb5Config is false principal is HTTP/wronghost@JBOSS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
13:19:20,863 INFO  [stdout] (management task-6) principal is HTTP/wronghost@JBOSS.ORG
13:19:20,863 INFO  [stdout] (management task-6) Will use keytab
13:19:20,863 INFO  [stdout] (management task-6) Commit Succeeded 
13:19:20,863 INFO  [stdout] (management task-6) 
13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
	Principal: HTTP/wronghost@JBOSS.ORG
	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab for HTTP/wronghost@JBOSS.ORG
] succeed
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG'
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@4133c756]
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching GSSContext sun.security.jgss.GSSContextImpl@3adbbdae
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching KerberosTicket null
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Request lacks valid authentication credentials
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost.localdomain' protocol='http'
13:19:20,864 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BEARER_TOKEN', hostName='localhost.localdomain', protocol='http'.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

kerberos_http_interface.pcap
1 kB
2017/04/10 7:34 AM

is cloned by

ELY-1070 Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured

Resolved

is incorporated by

JBEAP-10243 Upgrade WildFly Elytron to 1.1.0.Beta36

Closed

Details

Description

Attachments

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates