Posted to users@tomcat.apache.org by Thomas Delaney <td...@gmail.com> on 2024/02/23 16:36:57 UTC

SSO SPNEGO GSS API CheckSum Failed Error

Hi all,

I have a Red Hat 9.2 server hosting a web application on 5 separate
instances of Apache Tomcat. I have configured SPNEGO on instances 1, 2, 3 and
4. These instances are behind an Apache proxy load balancer on version
2.4.57. Instances 1, 2, and 3 are load balanced, while 4 and 5 are not. The
application is hosted on Tomcat 9.0.54.

Domain: domain.com
Site: devexample.domain.com

URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp

*I keep getting this when accessing the application on instance 5:*
HTTP Status 500 – Internal Server Error
Type Exception Report

Message GSSException: Failure unspecified at GSS-API level (Mechanism
level: Checksum failed)
Description The server encountered an unexpected condition that prevented
it from fulfilling the request.
Exception
javax.servlet.ServletException: GSSException: Failure unspecified at
GSS-API level (Mechanism level: Checksum failed)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287)
Root Cause
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Checksum failed)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
Root Cause
KrbException: Checksum failed
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
Source)
sun.security.krb5.EncryptedData.decrypt(Unknown Source)
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)
Root Cause
java.security.GeneralSecurityException: Checksum failed
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
Source)
sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown
Source)
sun.security.krb5.EncryptedData.decrypt(Unknown Source)
sun.security.krb5.KrbApReq.authenticate(Unknown Source)
sun.security.krb5.KrbApReq.<init>(Unknown Source)
sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)


In the catalina logs:
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = [hex dump of the token omitted]
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
SpNegoContext.acceptSecContext: negotiated mech adjusted to
1.2.840.48018.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/devexample.domain.com@DOMAIN.COM
Added key: 18version: 4
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

==> /usr/local/tomcat.base5/logs/catalina.2024-02-23.log <==
23-Feb-2024 11:13:14.539 SEVERE [ajp-nio-127.0.0.1-8509-exec-8]
net.sourceforge.spnego.SpnegoHttpFilter.doFilter HTTP Authorization
Header=Negotiate

*Here is my setup:*

The Tomcat bin/lib directories exist in /usr/local/tomcat/
Each instance lives in /usr/local/
/usr/local/tomcat.base1/
/usr/local/tomcat.base2/
/usr/local/tomcat.base3/
/usr/local/tomcat.base4/
/usr/local/tomcat.base5/ --> Where there is an issue


*SPNEGO Filter =====*
/usr/local/tomcat.base5/conf/web.xml

<filter>
<filter-name>SpnegoHttpFilter_devexample</filter-name>
<filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
<init-param>
 <param-name>spnego.allow.delegation</param-name>
 <param-value>true</param-value>
</init-param>
<init-param>
 <param-name>spnego.allow.basic</param-name>
 <param-value>true</param-value>
</init-param>
<init-param>
 <param-name>spnego.allow.localhost</param-name>
 <param-value>true</param-value>
</init-param>
<init-param>
 <param-name>spnego.allow.unsecure.basic</param-name>
 <param-value>true</param-value>
</init-param>
<init-param>
 <param-name>spnego.login.client.module</param-name>
 <param-value>spnego-client_devexample</param-value>
</init-param>
<init-param>
 <param-name>spnego.krb5.conf</param-name>
 <param-value>/usr/local/tomcat/spnego.krb5.conf</param-value>
</init-param>
<init-param>
 <param-name>spnego.login.conf</param-name>
 <param-value>/usr/local/tomcat/login_devexample.conf</param-value>
</init-param>
<init-param>
 <param-name>spnego.login.server.module</param-name>
 <param-value>spnego-server_devexample</param-value>
</init-param>
<init-param>
 <param-name>spnego.prompt.ntlm</param-name>
 <param-value>true</param-value>
</init-param>
<init-param>
 <param-name>spnego.logger.level</param-name>
 <param-value>1</param-value>
</init-param>
</filter>
<filter-mapping>
 <filter-name>SpnegoHttpFilter_devexample</filter-name>
 <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<Connector port="8585" protocol="HTTP/1.1" connectionTimeout="2000"
redirectPort="8443" maxHttpHeaderSize="1048576"/>

*Server XML =====*
/usr/local/tomcat.base5/conf/server.xml
<Connector port="8085" protocol="HTTP/1.1" relaxedQueryChars="^{}[]|&quot;"
               connectionTimeout="20000"
               redirectPort="8443" />


  <!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8509" protocol="AJP/1.3" redirectPort="8509"
address="127.0.0.1" secretRequired="" tomcatAuthentication="false"/>

*Login Configuration =====*
login_devexample.conf


spnego-client_devexample {
com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server_devexample {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/usr/local/tomcat/krb5.keytab"
storeKey=true
principal="HTTP/devexample.domain.com@DOMAIN.COM"
isInitiator=false
forwardable=true
debug=true;
};

*KRB5.conf File =====*

spnego.krb.conf
[libdefaults]
        default_realm = DOMAIN.COM
        default_tkt_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
        permitted_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
        forwardable=true
[realms]
   DOMAIN.COM = {
kdc = example01.domain.com:88
       default_domain = .domain.com
}
[domain_realm]
       .domain.com = DOMAIN.COM

*Keytab was generated on AD domain Controller*

DSADD user "cn=SA_EXDEV_SSO,cn=users,dc=DOMAIN,dc=COM" -pwd password
-display SA_EXDEV_SSO -pwdneverexpires yes "SSO-EXAMPLE EXDEV SSO"

Went into AD manager and assigned AES256 Bit Encryption on user and checked
"Do not require pre-authentication" applied changes

SETSPN -A HTTP/devexample.domain.com@DOMAIN.COM -ptype KRB5_NT_PRINCIPAL
-mapuser SA_EXDEV_SSO -mapOp set -pass password -out C:\SSO\krb5.keytab
-crypto AES256-SHA1 +DumpSalt

Went into AD manager and selected "Trust this user for delegation
(Kerberos)"

I've looked all over the web for this error, but it's not very clear as to
how to resolve it. I've checked over the configuration too many times to
count. Is there a solution to this or a tool to help me further figure out
why this is occurring for my setup/configuration? The only comparison I've
been able to make between this instance and the other instances is the log
message "Added key: 18version: 4" but the other instances are using a
different SPN and keytab file. Any help is greatly appreciated.

Thanks,

Tom

Re: SSO SPNEGO GSS API CheckSum Failed Error

Posted by Tom Delaney <td...@gmail.com>.
Please don't respond to this email. I was able to figure out the issue. The
server hosting devexample.domain.com was using a canonicalized hostname.
This was throwing tomcat off when reading over the token and keytab file. I
only wish there was a better way for this error to pick up on that.

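The service ticket inside a Negotiate token carries the SPN, encryption type and key version it was issued for in cleartext, so a hostname mismatch like the one found in this thread can be checked without any key. The following is an added example, not code from the thread or from the SPNEGO library: it reads those fields and compares them with the keytab entry. The host name `apphost01.domain.com` and all function names are assumptions, and the sample token is constructed.

```python
import base64

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2 (DER)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2 (DER)

def read_tlv(buf, pos=0):
    """Decode one DER element at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def child(value, *path):
    """Descend through nested elements by tag and return the innermost value."""
    for want in path:
        found = [val for tag, val in children(value) if tag == want]
        if not found:
            raise ValueError(f"DER tag 0x{want:02x} not found")
        value = found[0]
    return value

def ticket_header(token):
    """Return the unencrypted ticket fields of the AP-REQ in a SPNEGO token."""
    if token.startswith(b"NTLMSSP\x00"):
        raise ValueError("NTLM token: the client never obtained a service ticket")
    tag, val, _ = read_tlv(token)
    if tag == 0x60:  # GSS-API framing as sent on the wire: SPNEGO OID first
        _, _, pos = read_tlv(val)
        tag, val, _ = read_tlv(val, pos)
    if tag != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    tag, mech, _ = read_tlv(child(val, 0x30, 0xA2, 0x04))  # mechToken contents
    if tag != 0x60:
        raise ValueError("mechToken is not a GSS-API Kerberos token")
    _, _, pos = read_tlv(mech)                              # skip the mechanism OID
    if mech[pos:pos + 2] != b"\x01\x00":                    # 01 00 = AP-REQ token id
        raise ValueError("mechToken does not carry a Kerberos AP-REQ")
    _, ap_req, _ = read_tlv(mech, pos + 2)
    ticket = child(ap_req, 0x30, 0xA3, 0x61, 0x30)
    names = [v.decode() for _, v in children(child(ticket, 0xA2, 0x30, 0xA1, 0x30))]
    enc = child(ticket, 0xA3, 0x30)
    kvno = [int.from_bytes(child(v, 0x02), "big") for t, v in children(enc) if t == 0xA1]
    return {
        "principal": "/".join(names) + "@" + child(ticket, 0xA1, 0x1B).decode(),
        "etype": int.from_bytes(child(enc, 0xA0, 0x02), "big", signed=True),
        "kvno": kvno[0] if kvno else None,  # kvno is OPTIONAL in EncryptedData
    }

def diagnose(negotiate_b64, keytab_principal, keytab_etype, keytab_kvno):
    """List mismatches between the ticket header and the acceptor's keytab key."""
    hdr = ticket_header(base64.b64decode(negotiate_b64))
    findings = []
    # Active Directory matches SPNs case-insensitively, so compare that way too.
    if hdr["principal"].casefold() != keytab_principal.casefold():
        findings.append(f"SPN: ticket is for {hdr['principal']}, keytab key is for {keytab_principal}")
    if hdr["etype"] != keytab_etype:
        findings.append(f"etype: ticket uses {hdr['etype']}, keytab key is {keytab_etype}")
    if hdr["kvno"] not in (None, keytab_kvno):
        findings.append(f"kvno: ticket uses {hdr['kvno']}, keytab key is {keytab_kvno}")
    return findings

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample token."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    prefix = size if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + prefix + body

def sample_token(realm, service, host, etype, kvno):
    """Build a constructed token; the cipher fields are zero bytes, not real tickets."""
    gs = lambda s: tlv(0x1B, s.encode())
    num = lambda i: tlv(0x02, bytes([i]))
    enc = lambda n: tlv(0x30, tlv(0xA0, num(etype)), tlv(0xA1, num(kvno)),
                        tlv(0xA2, tlv(0x04, bytes(n))))
    sname = tlv(0x30, tlv(0xA0, num(2)), tlv(0xA1, tlv(0x30, gs(service), gs(host))))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, num(5)), tlv(0xA1, gs(realm)),
                           tlv(0xA2, sname), tlv(0xA3, enc(64))))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, num(5)), tlv(0xA1, num(14)),
                           tlv(0xA2, tlv(0x03, bytes(5))), tlv(0xA3, ticket), tlv(0xA4, enc(32))))
    mech = tlv(0x60, KRB5_OID, b"\x01\x00", ap_req)
    init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, KRB5_OID)), tlv(0xA2, tlv(0x04, mech))))
    return base64.b64encode(tlv(0x60, SPNEGO_OID, init)).decode()

# Constructed sample: a ticket requested for a hypothetical canonical host name.
SAMPLE = sample_token("DOMAIN.COM", "HTTP", "apphost01.domain.com", 18, 4)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE, "HTTP/devexample.domain.com@DOMAIN.COM", 18, 4):
        print(finding)
```

In practice the first argument is the base64 value after `Negotiate` in the Authorization header, the principal comes from the JAAS login file, and the etype and kvno come from the debug line `Added key: 18version: 4` (etype 18, kvno 4).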