Bug
Resolution: Done
Blocker
None
Accessing the management interface secured by Kerberos + TLS causes EAP to request a ticket for HTTPS/localhost from the KDC. This was not necessary in EAP 7.0, where it worked fine with the HTTP/localhost service name.
server.log
14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,322 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
14:20:19,525 WARN [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
14:20:19,528 WARN [org.apache.http.impl.auth.HttpAuthenticator] (main) NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database))
14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Also see the network dump krb_https_management.pcap in the attachment, where the TGS-REQ for HTTPS/localhost is captured.
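A triage sketch for logs like the one above, added here as an example (not part of the original report and not EAP or WildFly code): it correlates each principal the KDC rejected with the keytab principal the server selected for the same host, and flags a service-name mismatch. Function names are hypothetical; the sample input is three lines excerpted from the server.log above.

```python
import re

# Sample input: three lines excerpted from the server.log in this report.
SAMPLE_LOG = """\
14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,524 WARN [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
"""

NO_MAPPING = re.compile(r"No mapping for name '([^']+)' to KeytabService")
SELECTED = re.compile(r"Selected KeytabService with principal '([^']+)' for host '([^']+)'")
KDC_MISS = re.compile(r"No server entry found for kerberos principal name (\S+)")

def split_spn(principal):
    """Split 'service/host@REALM' into (service, host, realm); realm may be ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm

def find_spn_mismatches(log_text):
    """Report SPNs the KDC rejected whose host matches a keytab principal
    the server selected under a different service name."""
    selected = {}      # host -> principal chosen by the server
    fallbacks = set()  # names for which the server used host-only matching
    missing = []       # principals the KDC could not find, first occurrence order
    for line in log_text.splitlines():
        if m := NO_MAPPING.search(line):
            fallbacks.add(m.group(1).lower())
        elif m := SELECTED.search(line):
            selected[m.group(2).lower()] = m.group(1)
        elif m := KDC_MISS.search(line):
            if m.group(1) not in missing:
                missing.append(m.group(1))
    findings = []
    for requested in missing:
        service, host, _ = split_spn(requested)
        keytab = selected.get(host)
        if keytab and split_spn(keytab)[0] != service:
            findings.append({
                "requested": requested,
                "keytab": keytab,
                "host_only_fallback": f"{service}/{host}".lower() in fallbacks,
            })
    return findings

if __name__ == "__main__":
    for f in find_spn_mismatches(SAMPLE_LOG):
        print(f)
```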
- clones
  - JBEAP-8572 Legacy Kerberos in management, EAP search for HTTPS/localhost ticket (Closed)
- is duplicated by
  - WFCORE-2477 Legacy Kerberos in management, regression in choosing keytab strategy (Resolved)