Java Security

SSO Servlet - No valid credentials provided

843810 Aug 14 2007 — edited Oct 11 2008
Hi All,

Any suggestions would be appreciated; I am attempting to write an SSO Servlet that will validate an IE client SpNego token against an AD server with Kerberos.

The Servlet is throwing a GSSException (see below). I am able to log in within the servlet (see output below). I am also able to createCredential in a standalone application, so I am puzzled and making little progress. Any ideas?

What I am attempting to do I believe would be a very common use case but I'm not having any luck finding documentation for this specific implementation. Any reference would also be appreciated.

Thanks,
-Peter

GSSCredential serverCreds
    = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                               spnegoOid, GSSCredential.ACCEPT_ONLY);
---
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)


CODE:
public byte[] getSpNegoToken(HttpServletRequest req, HttpServletResponse rsp)
        throws IOException {
    byte[] spNegoToken = null;
    String authorization = req.getHeader("Authorization");
    int index = -1;
    if (authorization == null || (index = authorization.indexOf(' ')) == -1
            || !authorization.substring(0, index).equals("Negotiate")) {
        rsp.reset();
        rsp.setHeader("WWW-Authenticate", "Negotiate");
        rsp.setContentLength(0);
        rsp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        rsp.flushBuffer();
        return null;
    }
    spNegoToken = Base64.decode(authorization.substring(index + 1));
    System.out.println("SnNego token negotiated:" + spNegoToken.toString());
    return spNegoToken;
}

private void login() {
    System.setProperty("java.security.auth.login.config", this.myKrb5ConfigFile);
    System.setProperty("java.security.krb5.realm", this.myRealm);
    System.setProperty("java.security.krb5.kdc", this.myKdcServer);
    System.setProperty("sun.security.jgss.native", "true");
    System.setProperty("sun.security.spnego.msinterop", "true");
    System.setProperty("sun.security.spnego.debug", "true");
    CallbackHandler callbackHandler = new LoginHandler();
    LoginContext context = null;
    try {
        // Create a LoginContext with a callback handler
        context = new LoginContext("server", callbackHandler);
        // Perform authentication
        context.login();
    } catch (LoginException e) {
        System.err.println("Login failed");
        e.printStackTrace();
        System.exit(-1);
    }
    Subject subject = context.getSubject();
    System.out.println(subject.toString());
    System.out.println("Authenticated principal: " + subject.getPrincipals());
}

public void service(HttpServletRequest req, HttpServletResponse rsp)
        throws ServletException, IOException {
    try {
        byte[] spNegoToken = getSpNegoToken(req, rsp);
        if (spNegoToken == null) {
            return;
        }
        login();
        GSSManager manager = GSSManager.getInstance();
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSCredential serverCreds = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                spnegoOid, GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext((GSSCredential) serverCreds);
        while (!context.isEstablished()) {
            byte[] atoken = context.acceptSecContext(spNegoToken, 0, spNegoToken.length);
        }
    } catch (Exception ex) {
        ex.printStackTrace();
        throw new ServletException(ex);
    }
}


OUTPUT:

JRE: C:\wrk\ServiceLink\R6.3\Server\Service-Link\JRE\jre1.6.0_01
java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Server VM (build 1.6.0_01-b06, mixed mode)
SnNego token negotiated:[B@a0c486
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is pdunn tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: pdunn

Acquire TGT using AS Exchange
principal is pdunn@TEST.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: E5 F8 CB F8 9B 38 DA D5
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E5 F8 CB F8 9B 38 DA D5
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 00 77 4E 4C 48 9E AC 7C A4 3F 1D 35 F5 92 C4 19 .wNLH....?.5....
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 3E E5 0D E9 0B D6 49 8C FE A4 98 A8 52 92 3B 43 >.....I.....R.;C
0010: 86 DA A7 57 7C 38 4A 02
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: C1 11 83 6D 1F DC 33 07 54 9E 0F 9F 79 38 6D 15 ...m..3.T...y8m.
Added server's keyKerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=0000: E5 F8 CB F8 9B 38 DA D5
[Krb5LoginModule] added Krb5Principal pdunn@TEST.COM to Subject
Added server's keyKerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E5 F8 CB F8 9B 38 DA D5
[Krb5LoginModule] added Krb5Principal pdunn@TEST.COM to Subject
Added server's keyKerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 00 77 4E 4C 48 9E AC 7C A4 3F 1D 35 F5 92 C4 19 .wNLH....?.5....
[Krb5LoginModule] added Krb5Principal pdunn@TEST.COM to Subject
Added server's keyKerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 3E E5 0D E9 0B D6 49 8C FE A4 98 A8 52 92 3B 43 >.....I.....R.;C0010: 86 DA A7 57 7C 38 4A 02
[Krb5LoginModule] added Krb5Principal pdunn@TEST.COM to Subject
Added server's keyKerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=0000: C1 11 83 6D 1F DC 33 07 54 9E 0F 9F 79 38 6D 15 ...m..3.T...y8m.
[Krb5LoginModule] added Krb5Principal pdunn@TEST.COM to Subject
Commit Succeeded

Subject:
Principal: pdunn@TEST.COM
Private Credential: Ticket (hex) =
Client Principal = pdunn@TEST.COM
Server Principal = krbtgt/TEST.COM@TEST.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 69 68 12 D8 FB EF 09 81 FE B7 00 DF D2 02 E0 E7 ih..............
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Aug 14 14:01:11 PDT 2007
Start Time = Tue Aug 14 14:01:11 PDT 2007
End Time = Wed Aug 15 00:01:11 PDT 2007
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: E5 F8 CB F8 9B 38 DA D5
Private Credential: Kerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: E5 F8 CB F8 9B 38 DA D5
Private Credential: Kerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 00 77 4E 4C 48 9E AC 7C A4 3F 1D 35 F5 92 C4 19 .wNLH....?.5....
Private Credential: Kerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 3E E5 0D E9 0B D6 49 8C FE A4 98 A8 52 92 3B 43 >.....I.....R.;C
0010: 86 DA A7 57 7C 38 4A 02

Private Credential: Kerberos Principal pdunn@TEST.COMKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: C1 11 83 6D 1F DC 33 07 54 9E 0F 9F 79 38 6D 15 ...m..3.T...y8m.
Authenticated principal: [pdunn@TEST.COM]
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.spnego.SpNegoMechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)
    at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)
    at com.emdi.sl3.server.auth.web.SignOnFormServlet.service(SignOnFormServlet.java:65)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:333)
    at com.evermind._csb._pvd(Unknown Source)
    at com.evermind._csb._boc(Unknown Source)
    at com.evermind._ax._lsc(Unknown Source)
    at com.evermind._ax._uab(Unknown Source)
    at com.evermind._bf.run(Unknown Source)
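
Added example, not part of the original post and not the poster's code: one way to structure the acceptor side of the SPNEGO exchange above so that JGSS has a Kerberos key available when createCredential(..., ACCEPT_ONLY) runs, by logging in as the service principal from a keytab and making the GSS calls inside Subject.doAs. The class name SpnegoAcceptor, the contents of the "server" JAAS entry, the keytab path and the HTTP/app.test.com SPN are assumptions for illustration.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;
/* Added example. Assumed JAAS entry (keytab path and SPN are hypothetical):
 *   server { com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true keyTab="/path/to/http.keytab" storeKey=true
 *     principal="HTTP/app.test.com@TEST.COM" isInitiator=false; };
 */
public class SpnegoAcceptor {
    private final Subject serviceSubject;
    public SpnegoAcceptor() throws Exception {
        // Log in once as the service principal (keytab), not per request as a user.
        LoginContext lc = new LoginContext("server");
        lc.login();
        serviceSubject = lc.getSubject();
    }

    /** Outcome of one acceptSecContext call. */
    public static final class Result {
        public final boolean established;
        public final String clientName; // null until the context is established
        public final byte[] replyToken; // may be null; returned via WWW-Authenticate
        Result(boolean e, String c, byte[] r) { established = e; clientName = c; replyToken = r; }
    }

    public Result accept(final byte[] spNegoToken) throws Exception {
        // With the default javax.security.auth.useSubjectCredsOnly=true, JGSS takes the
        // acceptor's keys from the Subject of the calling context, hence doAs.
        return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Result>() {
            public Result run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
                GSSCredential creds = manager.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = manager.createContext(creds);
                try {
                    // One call per received token; a multi-round exchange would have to
                    // keep ctx between requests instead of disposing it here.
                    byte[] reply = ctx.acceptSecContext(spNegoToken, 0, spNegoToken.length);
                    boolean ok = ctx.isEstablished();
                    return new Result(ok, ok ? ctx.getSrcName().toString() : null, reply);
                } finally {
                    ctx.dispose();
                }
            }
        });
    }
}
```

A servlet would build one SpnegoAcceptor at init time, pass each decoded Negotiate token to accept(), and Base64-encode any replyToken into the WWW-Authenticate: Negotiate response header.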
Locked on Nov 8 2008
Added on Aug 14 2007