SPNEGO with Tomcat error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
I am trying to implement a browser based single sign on using SPNEGO with Tomcat.

I have followed all the instructions on these two pages:

When I accessed hello_spnego.jsp from Firefox or Chrome, I was asked for username and password, and then it showed me my username perfectly; worked like a charm. However, when I tried to access it with IE, I am getting this error:

HTTP Status 500 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

type Exception report

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

While trying to look for a solution, I came across this page: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

I followed the Client Configuration instructions in the second half of the page. After that, all the three browsers (Chrome, Firefox and IE) show this same error, but none of them ask for username and password anymore.

I have verified that the account used to talk to the KDC is working correctly. Also, I have the username and password specified in the web.xml file, so I don't have a separate KeyTab file.

For diagnosis purposes, here are the contents of my krb5.conf and login.conf files:

krb5.conf

[libdefaults]
    default_realm = DEVID.LOCAL
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    permitted_enctypes   = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5

[realms]
    DEVID.LOCAL = {
        kdc = cdi-prod.devid.local
        default_domain = DEVID.LOCAL
    }

[domain_realm]
    .DEVID.LOCAL = DEVID.LOCAL

login.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    isInitiator=false;
};

Since I don't have a keytab file, it's not mentioned in the login.conf file.

Also, since I'm using aes256-cts encryption, I have added the requisite JCE Policy files (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) in the jre/lib/security folder of the jdk.

FYI, I'm using Tomcat 8 and JDK 1.8.

I would really appreciate some insight on what's happening here. If you need more information, please let me know. Thanks in advance!

Chimb answered 6/11, 2014 at 16:24 Comment(1)
I have posted an answer to a similar question here. My case is not GSSAPI+HTTP, but I suppose that SPNEGO uses the same mechanisms behind the scenes. Gintz

Kerberos SPNEGO Checksum failed problem (source)

I made SPNEGO authentication for my web apps. During development I met a problem authenticating users using a keytab file for HTTP services:

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I've found a solution to the problem. I've used RHEL 7 on servers and clients, and FreeIPA as a KDC/LDAP server:

  1. Open /etc/krb5.conf on the web app server and add one line into the section [libdefaults]:

    [libdefaults]

    default_tkt_enctypes = arcfour-hmac-md5

This is the most important thing. This line resolves the "Checksum failed" problem.

  2. On a client: kinit username Password for [email protected]:

After successful authentication in the Kerberos domain we can access Kerberized web apps using curl:

curl -v -k --negotiate -u : --cacert /etc/ipa/ca.crt https://myservice.com:8090/krb

  3. In Firefox, type about:config in the address bar -> I promise -> then find

network.negotiate-auth.delegation-uris value http://,https://

network.negotiate-auth.trusted-uris value .myservice.com

Soviet answered 25/10, 2016 at 21:57 Comment(0)
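Both the question's krb5.conf (which lists AES, RC4, 3DES and single-DES in every enctype list) and the answer above (which pins default_tkt_enctypes to arcfour-hmac-md5, i.e. RC4) are really about which Kerberos enctypes the client and the Tomcat service agree on. The script below is an added example, not code from the question, the answer or Tomcat: it parses a krb5.conf [libdefaults] block, collapses enctype aliases, and reports which of the configured enctypes are deprecated (RC4-HMAC and des3-cbc-sha1, per RFC 8429) or broken (single DES), and whether AES-256 appears at all, which on JDK 8 before update 161 is what requires the unlimited-strength JCE policy files the question mentions. The two sample configurations are constructed from the page (the question's lists are trimmed) and are embedded inline so it runs offline.

```python
import re
from collections import OrderedDict

# Constructed sample 1: the question's [libdefaults] block (default_tgs_enctypes and
# permitted_enctypes shortened) plus its [realms] block, to exercise brace handling.
QUESTION_KRB5_CONF = """\
[libdefaults]
    default_realm = DEVID.LOCAL
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
    permitted_enctypes   = aes256-cts aes128-cts rc4-hmac

[realms]
    DEVID.LOCAL = {
        kdc = cdi-prod.devid.local
        default_domain = DEVID.LOCAL
    }

[domain_realm]
    .DEVID.LOCAL = DEVID.LOCAL
"""

# Constructed sample 2: the single line the answer above recommends.
ANSWER_KRB5_CONF = """\
[libdefaults]
    default_tkt_enctypes = arcfour-hmac-md5
"""

# MIT krb5 accepts several names for the same enctype; map them to one canonical name.
ENCTYPE_ALIASES = {
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac-md5", "arcfour-hmac": "arcfour-hmac-md5",
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
}

# Strength classes: RFC 8429 deprecates RC4-HMAC and des3-cbc-sha1; single DES is broken.
STRENGTH = {
    "aes256-cts-hmac-sha1-96": "strong", "aes128-cts-hmac-sha1-96": "strong",
    "aes256-cts-hmac-sha384-192": "strong", "aes128-cts-hmac-sha256-128": "strong",
    "des3-cbc-sha1": "deprecated", "arcfour-hmac-md5": "deprecated",
    "des-cbc-crc": "broken", "des-cbc-md5": "broken", "des-cbc-md4": "broken",
}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: returns {section: {key: value}} for top-level keys.
    Entries nested in braces (realm definitions) are skipped; they are not audited here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        if line.endswith("{"):                        # e.g. "DEVID.LOCAL = {"
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def canonical(name):
    return ENCTYPE_ALIASES.get(name.lower(), name.lower())


def audit_enctypes(text):
    """For each enctype list in [libdefaults], return [(canonical_name, strength), ...]
    in the configured preference order, with alias duplicates removed."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    report = {}
    for key in ENCTYPE_KEYS:
        if key in libdefaults:
            names = OrderedDict((canonical(tok), None) for tok in libdefaults[key].split())
            report[key] = [(n, STRENGTH.get(n, "unknown")) for n in names]
    return report


def findings(report):
    """Human-readable findings: weak enctypes allowed, weak first preference, no AES at all."""
    out = []
    for key, entries in report.items():
        weak = [n for n, s in entries if s in ("deprecated", "broken")]
        if weak:
            out.append(f"{key}: allows deprecated/broken enctypes: {', '.join(weak)}")
        if entries and entries[0][1] != "strong":
            out.append(f"{key}: first preference {entries[0][0]} is {entries[0][1]}")
        if entries and all(s != "strong" for _, s in entries):
            out.append(f"{key}: no AES enctype listed; the service will never get AES tickets")
    return out


def needs_unlimited_jce(report):
    """True if any list contains an AES-256 enctype (JDK 8 before 8u161 needs the
    unlimited-strength JCE policy files for 256-bit AES, as the question describes)."""
    return any(n.startswith("aes256") for entries in report.values() for n, _ in entries)


if __name__ == "__main__":
    for label, conf in (("question", QUESTION_KRB5_CONF), ("answer", ANSWER_KRB5_CONF)):
        rep = audit_enctypes(conf)
        print(f"== {label}: unlimited JCE needed: {needs_unlimited_jce(rep)}")
        for line in findings(rep):
            print("  -", line)
```

Run it against a real /etc/krb5.conf by replacing the constructed samples with the file's contents; the point is that once a list contains RC4 or DES, a KDC that still has those keys for the service principal can issue tickets the Java side cannot verify with its AES password-derived key, and pinning the client to RC4 as the answer does makes the mismatch go away at the cost of a deprecated cipher.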

I was having the same issue, and found an answer in this post:

...go to the Advanced settings of IE (Internet Options > Advanced tab) and disable the "Enable Integrated Windows Authentication" checkbox, this error goes away, and I am able to see the logged in user's handle on IE as well...

Revert any changes you made after following the Oracle article before trying this.

Allard answered 20/4, 2015 at 8:56 Comment(0)
