Jboss JAAS Kerberos LDAP security

I encountered some issues while moving an old JBoss web application from a Windows 2000 machine to a Windows 2008 machine.

The first exception encountered is "Field is too long":

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Field is too long for this implementation (61))]]

This was due to krb5.conf: the transport was restricted to UDP. Refer to http://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html:

Field is too long for this implementation

Cause: The message size that was being sent by a Kerberized application was too long. This error could be generated if the transport protocol is UDP, which has a default maximum message size of 65535 bytes. In addition, there are limits on individual fields within a protocol message that is sent by the Kerberos service.

Solution: Verify that you have not restricted the transport to UDP in the KDC server's /etc/krb5/kdc.conf file.

krb5.conf

udp_preference_limit = 1 should be added to krb5.conf. With this setting the Kerberos client sends any message larger than one byte over TCP instead of UDP, so the UDP size limit no longer applies:

[libdefaults]
        default_realm = NA.BLKINT.COM
        udp_preference_limit = 1

The second exception is "Mechanism level: The ticket isn't for us":

17:25:05,531 INFO  [LDAPRealm] No entry in cache for IP, will go fetch DCs w/ subj: AUPMVAPP025/45.145.68.150
17:25:10,048 INFO  [LDAPRealm] Using site: Melbourne
17:25:10,048 INFO  [LDAPRealm] Using Domain Controller: [aupmscdc001.na.blkint.com.]
17:25:10,688 WARN  [JAASRealm] Login exception authenticating username "shenmuk"
javax.security.auth.login.LoginException: Could not establish a connection with AD: java.lang.RuntimeException: Couldn't talk to LDAP: java.lang.RuntimeException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: The ticket isn't for us (35))]]
	at com.bglobal.commons.security.ldap.NoAuthLDAPLoginModule.commit(NoAuthLDAPLoginModule.java:50)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:580)
	at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:373)
	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:256)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:391)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
	at java.lang.Thread.run(Thread.java:595)

The cause (refer to https://forums.oracle.com/thread/1527734 and http://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html):

Possible Cause and Resolution

- The server has received a ticket that was meant for a different realm.

Resolution: Verify that DNS is set up correctly. Verify that packets are correctly routed across the network.

The krb5.conf needed to be updated, as there was a trailing SPACE after the kdc host name in the [realms] section:

[realms]
NA.BLKINT.COM = {
        kdc = dc-na-ewd (SPACE_HERE)
}

Alternatively, point the realm at a different KDC:

[realms]
NA.BLKINT.COM = {
        #### kdc = dc-na-ewd
        kdc = dir-ad
}
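As an added example (not from the original post), here is a small Python lint that checks a krb5.conf for the two problems described above: a kdc value with trailing whitespace, and a missing udp_preference_limit. The file contents below are a constructed copy of the post's configuration, and the function names are my own.

```python
import re

# Constructed copy of the broken krb5.conf from the post (not the real file):
# no udp_preference_limit, and a trailing space after the KDC host name.
BROKEN_KRB5_CONF = (
    "[libdefaults]\n"
    "        default_realm = NA.BLKINT.COM\n"
    "\n"
    "[realms]\n"
    "NA.BLKINT.COM = {\n"
    "kdc = dc-na-ewd \n"  # <- the SPACE_HERE from the post
    "}\n"
)

# The same file with both fixes from the post applied.
FIXED_KRB5_CONF = BROKEN_KRB5_CONF.replace("dc-na-ewd ", "dc-na-ewd").replace(
    "[libdefaults]\n", "[libdefaults]\n        udp_preference_limit = 1\n")


def parse_krb5_conf(text):
    """Flatten a krb5.conf into {section: [(key, value), ...]}. Values keep
    their trailing whitespace on purpose; realm sub-blocks are not tracked."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or '####' style comment
        header = re.match(r"\[(\w+)\]$", stripped)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            # left-strip only, so whitespace at the END of the value survives
            sections[current].append((key.strip(), value.lstrip(" ")))
    return sections


def lint_krb5_conf(text):
    """Report the two krb5.conf problems the post ran into, as strings."""
    sections = parse_krb5_conf(text)
    findings = []
    for key, value in sections.get("realms", []):
        if key == "kdc" and value != value.rstrip():
            findings.append("realms: kdc value %r has trailing whitespace" % value)
    if "udp_preference_limit" not in dict(sections.get("libdefaults", [])):
        findings.append("libdefaults: udp_preference_limit not set; "
                        "add udp_preference_limit = 1 so the client uses TCP")
    return findings
```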

Overall, this is how JBoss JAAS Kerberos/LDAP security works:

1. jboss-web.xml: point the web application at the security domain

<jboss-web>
	<security-domain flushOnSessionInvalidation="true">java:/jaas/BAM</security-domain>
</jboss-web>

2. auth.conf: configure the domain, listing which login modules it uses

BAM {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false;
  com.bglobal.commons.security.ldap.NoAuthLDAPLoginModule required;
};

3. context.xml: declare the JAASRealm; its appName must match the entry name in auth.conf, and userClassNames / roleClassNames tell the realm which Principal classes returned by the login modules represent the user and the roles

<Context>
    <Realm className="org.apache.catalina.realm.JAASRealm"
           appName="BAM"
           roleClassNames="com.bglobal.commons.security.ldap.LDAPGroup"
           userClassNames="com.bglobal.commons.security.identities.BGIUserId"
           debug="99"/>
</Context>

4. web.xml: configure which roles have access to which resources, via the <security-constraint> and <login-config> elements
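To show how the three files are tied together by the domain name, here is an added Python check (not the project's own code) that parses constructed copies of the fragments above and verifies that the name after java:/jaas/ in jboss-web.xml, the JAAS entry name in auth.conf, and the appName on the JAASRealm in context.xml all agree. The function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the post's three fragments (not the project's real files).
JBOSS_WEB_XML = """<jboss-web>
  <security-domain flushOnSessionInvalidation="true">java:/jaas/BAM</security-domain>
</jboss-web>"""

AUTH_CONF = """BAM {
  com.sun.security.auth.module.Krb5LoginModule required useTicketCache=false;
  com.bglobal.commons.security.ldap.NoAuthLDAPLoginModule required;
};"""

CONTEXT_XML = """<Context>
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="BAM"
         roleClassNames="com.bglobal.commons.security.ldap.LDAPGroup"
         userClassNames="com.bglobal.commons.security.identities.BGIUserId"/>
</Context>"""


def security_domain_name(jboss_web_xml):
    """jboss-web.xml: the JAAS entry name after the java:/jaas/ JNDI prefix."""
    text = ET.fromstring(jboss_web_xml).findtext("security-domain").strip()
    prefix = "java:/jaas/"
    return text[len(prefix):] if text.startswith(prefix) else text


def jaas_entries(auth_conf):
    """JAAS login config: {entry name: [(login module class, control flag), ...]}."""
    entries = {}
    for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", auth_conf, re.S):
        entries[name] = re.findall(
            r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b", body)
    return entries


def realm_app_name(context_xml):
    """context.xml: appName on the JAASRealm, the name handed to LoginContext."""
    return ET.fromstring(context_xml).find("Realm").get("appName")


def check_chain(jboss_web_xml, auth_conf, context_xml):
    """Return a list of mismatches between the three files; empty means consistent."""
    domain = security_domain_name(jboss_web_xml)
    app = realm_app_name(context_xml)
    entries = jaas_entries(auth_conf)
    problems = []
    if domain != app:
        problems.append("jboss-web.xml domain %r != context.xml appName %r" % (domain, app))
    if app not in entries:
        problems.append("auth.conf has no JAAS entry named %r" % app)
    elif not entries[app]:
        problems.append("JAAS entry %r lists no login modules" % app)
    return problems
```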

refer to: https://github.com/zanata/zanata-server/wiki/JAAS-Authentication
http://www.kerberos.org/software/tutorial.html
https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7


Author: lwpro2

Java J2EE professional