Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2386

Legacy Kerberos in management, unable to configure fallback authentication.

XMLWordPrintable

    • Hide

      1. Setup kerberos for management interface (https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces)
      2. Configure <jaas> authentication as fallback

      standalone.xml
                  <security-realm name="FallBackKerberosRealm">
                <server-identities>
                    <kerberos>
                        <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"/>
                    </kerberos>
                </server-identities>
                <authentication>
                    <kerberos/>
                    <jaas name="JBossTestDomain"/>
                </authentication>
            </security-realm>

      3. BASIC authentication is not performed with client which does not support SPNEGO

      [mchoma@localhost ~]$ curl http://localhost.localdomain:9990/management?operation=attribute&name=server-state
[mchoma@localhost ~]$ <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
      Show
      1. Setup kerberos for management interface ( https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces ) 2. Configure <jaas> authentication as fallback standalone.xml <security-realm name= "FallBackKerberosRealm" > <server-identities> <kerberos> <keytab principal= "HTTP/localhost.localdomain@JBOSS.ORG" path= "krb.keytab" /> </kerberos> </server-identities> <authentication> <kerberos/> <jaas name= "JBossTestDomain" /> </authentication> </security-realm> 3. BASIC authentication is not performed with client which does not support SPNEGO [mchoma@localhost ~]$ curl http: //localhost.localdomain:9990/management?operation=attribute&name=server-state [mchoma@localhost ~]$ <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

      In EAP 7.0 there was possible to configure fallback (e.g. BASIC) authentication, if client does not support SPNEGO authentication. In EAP 7.1 this feature does not work anymore.

      In EAP 7.0 server returns multiple chalanges (Negotiate/Basic) and client could choose which he will use.

      EAP 7.0
      HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="FallBackKerberosRealm"
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:02:45 GMT

<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

      In EAP 7.1 (with same configuration) server returns only one chalange - Negotiate so client not supporting SPNEGO, can't fallback to Basic.

      EAP 7.1
      HTTP/1.1 401 Unauthorized
Connection: keep-alive
WWW-Authenticate: Negotiate
X-Frame-Options: SAMEORIGIN
Content-Length: 77
Content-Type: text/html
Date: Mon, 30 Jan 2017 11:01:28 GMT

<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: