Posted to dev@hc.apache.org by "Dennis Rieks (JIRA)" <ji...@apache.org> on 2010/05/05 20:08:03 UTC

[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864428#action_12864428 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is hallo@KDCTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Wed May 05 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> start time: Wed May 05 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> end time: Thu May 06 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> renew_till time: Wed May 05 19:22:19 CEST 2010
>>> CCacheInputStream: readFlags()  RENEWABLE; INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> start time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() 
java.io.IOException: extra data given to DerValue constructor
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.krb5.internal.Ticket.<init>(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readData(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.load(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(Unknown Source)
	at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(Unknown Source)
	at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$5.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:233)
	at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:104)
	at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:108)
	at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:453)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:693)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:624)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
	at eu.tradespark.krb5.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:157)
Principal is hallo@KDCTEST.LOCAL
null credentials from Ticket Cache
Kerberos-Passwort für hallo@KDCTEST.LOCAL: hallo
		[Krb5LoginModule] user entered username: hallo@KDCTEST.LOCAL

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=533
>>> KrbKdcReq send: #bytes read=533
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is hallo@KDCTEST.LOCAL
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: DF B6 38 1A F2 8C 0D 15   
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: DF B6 38 1A F2 8C 0D 15   
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 09 5B 16 F9 21 A7 DA 5E   A1 29 69 56 EC 3A 90 6B  .[..!..^.)iV.:.k

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FD 07 15 49 75 7C FB 43   97 26 5E 02 68 76 F7 89  ...Iu..C.&^.hv..
0010: FD 80 97 1C 49 DA 3E 49   
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 35 B1 F8 D5 F7 46 97 83   81 1A 8E AD AE A0 CE 73  5....F.........s

Commit Succeeded 

Found ticket for hallo@KDCTEST.LOCAL to go to krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL expiring on Thu May 06 19:43:24 CEST 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: e5fdb8f4
>>>crc32: 11100101111111011011100011110100
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=568
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=568
>>> KrbKdcReq send: #bytes read=507
>>> KrbKdcReq send: #bytes read=507
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: a79e462b
>>>crc32: 10100111100111100100011000101011
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: c30c2a72
>>>crc32: 11000011000011000010101001110010
Krb5Context setting mySeqNumber to: 40618110
Created InitSecContextToken:

05.05.2010 19:43:25 org.apache.http.impl.client.DefaultRequestDirector handleResponse
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
</body></html>

----------------------------------------


> kerberos auth not working
> -------------------------
>
>                 Key: HTTPCLIENT-934
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-934
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: Examples, HttpClient
>    Affects Versions: 4.1 Alpha1
>            Reporter: Dennis Rieks
>            Priority: Minor
>
> Hi,
> I used org/apache/http/examples/client/ClientKerberosAuthentication.java to test Kerberos authentication.
> My Setup:
> Apache2 on Debian (virtual machine "server4.kdctest.local") is set up to deliver Kerberos-authenticated content via HTTP and HTTPS.
> The Kerberos KDC (virtual machine "kdc.kdctest.local") also runs on Debian.
> On my desktop (Ubuntu) I can use kinit/klist/kdestroy to sign in on the Kerberos domain, and server4 only delivers content when signed on.
> I used Firefox (with extra settings for HTTP in about:config) and curl (curl -k --negotiate -u : http://server4.kdctest.local/test.php) to test my Kerberos setup.
> The Problem:
> ClientKerberosAuthentication always asks for the username/password and doesn't care about kinit. Also there is always an HTTP 401 error and no content is delivered.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

