Posted to dev@hc.apache.org by "Dennis Rieks (JIRA)" <ji...@apache.org> on 2010/05/05 20:06:03 UTC

[jira] Created: (HTTPCLIENT-934) kerberos auth not working

kerberos auth not working
-------------------------

                 Key: HTTPCLIENT-934
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-934
             Project: HttpComponents HttpClient
          Issue Type: Bug
          Components: Examples, HttpClient
    Affects Versions: 4.1 Alpha1
            Reporter: Dennis Rieks
            Priority: Minor


Hi,
I used org/apache/http/examples/client/ClientKerberosAuthentication.java to test Kerberos authentication.

My Setup:
Apache2 on Debian (virtual machine "server4.kdctest.local") is set up to deliver Kerberos-authenticated content via http and https.
The Kerberos KDC (virtual machine "kdc.kdctest.local") also runs on Debian.
On my desktop (Ubuntu) I can use kinit/klist/kdestroy to sign in on the Kerberos domain, and server4 only delivers content when signed on.
I used Firefox (with extra settings for http in about:config) and curl (curl -k --negotiate -u : http://server4.kdctest.local/test.php) to test my Kerberos setup.

The Problem:
ClientKerberosAuthentication always asks for the username/password and doesn't care about kinit. Also, there is always an HTTP 401 error and no content is delivered.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864772#action_12864772 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

(1) I'm using the latest svn code snapshot (Revision 941720)
(2) See attached logfile
(3) I'm using "Sun jre1.6.0_18"

Logfile:

2010/05/06 15:51:10:921 MESZ [DEBUG] SingleClientConnManager - Get connection for route HttpRoute[{}->http://blao.de]
2010/05/06 15:51:10:934 MESZ [DEBUG] DefaultClientConnectionOperator - Connecting to blao.de/78.46.201.57:80
2010/05/06 15:51:10:990 MESZ [DEBUG] RequestAddCookies - CookieSpec selected: best-match
2010/05/06 15:51:11:001 MESZ [DEBUG] DefaultHttpClient - Attempt 2 to execute request
2010/05/06 15:51:11:001 MESZ [DEBUG] DefaultClientConnection - Sending request: GET /krb5/user.php HTTP/1.1
2010/05/06 15:51:11:002 MESZ [DEBUG] wire - >> "GET /krb5/user.php HTTP/1.1[EOL]"
2010/05/06 15:51:11:003 MESZ [DEBUG] wire - >> "Host: blao.de[EOL]"
2010/05/06 15:51:11:003 MESZ [DEBUG] wire - >> "Connection: Keep-Alive[EOL]"
2010/05/06 15:51:11:004 MESZ [DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)[EOL]"
2010/05/06 15:51:11:004 MESZ [DEBUG] wire - >> "[EOL]"
2010/05/06 15:51:11:005 MESZ [DEBUG] headers - >> GET /krb5/user.php HTTP/1.1
2010/05/06 15:51:11:005 MESZ [DEBUG] headers - >> Host: blao.de
2010/05/06 15:51:11:005 MESZ [DEBUG] headers - >> Connection: Keep-Alive
2010/05/06 15:51:11:005 MESZ [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)
2010/05/06 15:51:11:043 MESZ [DEBUG] wire - << "HTTP/1.1 401 Authorization Required[EOL]"
2010/05/06 15:51:11:046 MESZ [DEBUG] wire - << "Date: Thu, 06 May 2010 13:51:11 GMT[EOL]"
2010/05/06 15:51:11:046 MESZ [DEBUG] wire - << "Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5[EOL]"
2010/05/06 15:51:11:046 MESZ [DEBUG] wire - << "WWW-Authenticate: Negotiate[EOL]"
2010/05/06 15:51:11:046 MESZ [DEBUG] wire - << "Vary: Accept-Encoding[EOL]"
2010/05/06 15:51:11:047 MESZ [DEBUG] wire - << "Content-Length: 649[EOL]"
2010/05/06 15:51:11:047 MESZ [DEBUG] wire - << "Keep-Alive: timeout=15, max=100[EOL]"
2010/05/06 15:51:11:047 MESZ [DEBUG] wire - << "Connection: Keep-Alive[EOL]"
2010/05/06 15:51:11:047 MESZ [DEBUG] wire - << "Content-Type: text/html; charset=iso-8859-1[EOL]"
2010/05/06 15:51:11:047 MESZ [DEBUG] wire - << "[EOL]"
2010/05/06 15:51:11:048 MESZ [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Authorization Required
2010/05/06 15:51:11:048 MESZ [DEBUG] headers - << HTTP/1.1 401 Authorization Required
2010/05/06 15:51:11:048 MESZ [DEBUG] headers - << Date: Thu, 06 May 2010 13:51:11 GMT
2010/05/06 15:51:11:048 MESZ [DEBUG] headers - << Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5
2010/05/06 15:51:11:048 MESZ [DEBUG] headers - << WWW-Authenticate: Negotiate
2010/05/06 15:51:11:048 MESZ [DEBUG] headers - << Vary: Accept-Encoding
2010/05/06 15:51:11:049 MESZ [DEBUG] headers - << Content-Length: 649
2010/05/06 15:51:11:049 MESZ [DEBUG] headers - << Keep-Alive: timeout=15, max=100
2010/05/06 15:51:11:049 MESZ [DEBUG] headers - << Connection: Keep-Alive
2010/05/06 15:51:11:049 MESZ [DEBUG] headers - << Content-Type: text/html; charset=iso-8859-1
2010/05/06 15:51:11:056 MESZ [DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 ms
2010/05/06 15:51:11:056 MESZ [DEBUG] DefaultHttpClient - Target requested authentication
2010/05/06 15:51:11:056 MESZ [DEBUG] DefaultTargetAuthenticationHandler - Authentication schemes in the order of preference: [negotiate, NTLM, Digest, Basic]
2010/05/06 15:51:11:056 MESZ [DEBUG] DefaultTargetAuthenticationHandler - negotiate authentication scheme selected
2010/05/06 15:51:11:057 MESZ [DEBUG] NegotiateScheme - Challenge header: WWW-Authenticate: Negotiate
2010/05/06 15:51:11:058 MESZ [DEBUG] DefaultHttpClient - Authorization challenge processed
2010/05/06 15:51:11:058 MESZ [DEBUG] DefaultHttpClient - Authentication scope: NEGOTIATE <any realm>@blao.de:80
2010/05/06 15:51:11:058 MESZ [DEBUG] DefaultHttpClient - Found credentials
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "<html><head>[\n]"
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "<title>401 Authorization Required</title>[\n]"
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "</head><body>[\n]"
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "<h1>Authorization Required</h1>[\n]"
2010/05/06 15:51:11:058 MESZ [DEBUG] wire - << "<p>This server could not verify that you[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "are authorized to access the document[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "requested.  Either you supplied the wrong[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "credentials (e.g., bad password), or your[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "browser doesn't understand how to supply[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "the credentials required.</p>[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "<hr>[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5 Server at blao.de Port 80</address>[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] wire - << "</body></html>[\n]"
2010/05/06 15:51:11:059 MESZ [DEBUG] RequestAddCookies - CookieSpec selected: best-match
2010/05/06 15:51:11:059 MESZ [DEBUG] NegotiateScheme - init blao.de
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream>  client principal is test3@BLAO.DE
>>>DEBUG <CCacheInputStream> server principal is krbtgt/BLAO.DE@BLAO.DE
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Thu May 06 15:35:30 CEST 2010
>>>DEBUG <CCacheInputStream> start time: Thu May 06 15:35:30 CEST 2010
>>>DEBUG <CCacheInputStream> end time: Fri May 07 15:35:29 CEST 2010
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()  INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream>  client principal is test3@BLAO.DE
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/BLAO.DE@BLAO.DE
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> start time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() 
java.io.IOException: extra data given to DerValue constructor
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.krb5.internal.Ticket.<init>(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readData(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.load(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(Unknown Source)
	at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(Unknown Source)
	at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$5.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:233)
	at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:104)
	at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:108)
	at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:453)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:693)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:624)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
	at org.apache.http.examples.client.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:185)
Kerberos-Benutzername [drieks]: test1@BLAO.DE
Kerberos-Passwort für test1@BLAO.DE: test1
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=blao.de UDP:88, timeout=30000, number of retries =3, #bytes=136
>>> KDCCommunication: kdc=blao.de UDP:88, timeout=30000,Attempt =1, #bytes=136
>>> KrbKdcReq send: #bytes read=499
>>> KrbKdcReq send: #bytes read=499
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply test1
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Found ticket for test1@BLAO.DE to go to krbtgt/BLAO.DE@BLAO.DE expiring on Fri May 07 15:51:23 CEST 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: ab9bcd10
>>>crc32: 10101011100110111100110100010000
>>> KrbKdcReq send: kdc=blao.de UDP:88, timeout=30000, number of retries =3, #bytes=518
>>> KDCCommunication: kdc=blao.de UDP:88, timeout=30000,Attempt =1, #bytes=518
>>> KrbKdcReq send: #bytes read=497
>>> KrbKdcReq send: #bytes read=497
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: d9682ecf
>>>crc32: 11011001011010000010111011001111
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: e3208be9
>>>crc32: 11100011001000001000101111101001
Krb5Context setting mySeqNumber to: 252253754
Created InitSecContextToken:

2010/05/06 15:51:23:908 MESZ [DEBUG] NegotiateScheme - got token, sending 509 bytes to server
2010/05/06 15:51:23:911 MESZ [DEBUG] DefaultHttpClient - Attempt 4 to execute request
2010/05/06 15:51:23:911 MESZ [DEBUG] DefaultClientConnection - Sending request: GET /krb5/user.php HTTP/1.1
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "GET /krb5/user.php HTTP/1.1[EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "Host: blao.de[EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "Connection: Keep-Alive[EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)[EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "Authorization: Negotiate [token removed][EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] wire - >> "[EOL]"
2010/05/06 15:51:23:911 MESZ [DEBUG] headers - >> GET /krb5/user.php HTTP/1.1
2010/05/06 15:51:23:911 MESZ [DEBUG] headers - >> Host: blao.de
2010/05/06 15:51:23:911 MESZ [DEBUG] headers - >> Connection: Keep-Alive
2010/05/06 15:51:23:911 MESZ [DEBUG] headers - >> User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)
2010/05/06 15:51:23:911 MESZ [DEBUG] headers - >> Authorization: Negotiate [token removed]
2010/05/06 15:51:23:965 MESZ [DEBUG] wire - << "HTTP/1.1 401 Authorization Required[EOL]"
2010/05/06 15:51:23:968 MESZ [DEBUG] wire - << "Date: Thu, 06 May 2010 13:51:24 GMT[EOL]"
2010/05/06 15:51:23:968 MESZ [DEBUG] wire - << "Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5[EOL]"
2010/05/06 15:51:23:968 MESZ [DEBUG] wire - << "Vary: Accept-Encoding[EOL]"
2010/05/06 15:51:23:968 MESZ [DEBUG] wire - << "Content-Length: 649[EOL]"
2010/05/06 15:51:23:969 MESZ [DEBUG] wire - << "Keep-Alive: timeout=15, max=99[EOL]"
2010/05/06 15:51:23:969 MESZ [DEBUG] wire - << "Connection: Keep-Alive[EOL]"
2010/05/06 15:51:23:969 MESZ [DEBUG] wire - << "Content-Type: text/html; charset=iso-8859-1[EOL]"
2010/05/06 15:51:23:969 MESZ [DEBUG] wire - << "[EOL]"
2010/05/06 15:51:23:969 MESZ [DEBUG] DefaultClientConnection - Receiving response: HTTP/1.1 401 Authorization Required
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << HTTP/1.1 401 Authorization Required
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Date: Thu, 06 May 2010 13:51:24 GMT
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Vary: Accept-Encoding
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Content-Length: 649
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Keep-Alive: timeout=15, max=99
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Connection: Keep-Alive
2010/05/06 15:51:23:969 MESZ [DEBUG] headers - << Content-Type: text/html; charset=iso-8859-1
2010/05/06 15:51:23:970 MESZ [DEBUG] DefaultHttpClient - Connection can be kept alive for 15000 ms
2010/05/06 15:51:23:970 MESZ [DEBUG] DefaultHttpClient - Target requested authentication
2010/05/06 15:51:23:970 MESZ [WARN] DefaultHttpClient - Authentication error: Negotiate authorization challenge expected, but not found
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "<html><head>[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "<title>401 Authorization Required</title>[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "</head><body>[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "<h1>Authorization Required</h1>[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "<p>This server could not verify that you[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "are authorized to access the document[\n]"
2010/05/06 15:51:23:973 MESZ [DEBUG] wire - << "requested.  Either you supplied the wrong[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "credentials (e.g., bad password), or your[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "browser doesn't understand how to supply[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "the credentials required.</p>[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "<hr>[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5 Server at blao.de Port 80</address>[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] wire - << "</body></html>[\n]"
2010/05/06 15:51:23:974 MESZ [DEBUG] SingleClientConnManager - Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@3747c1db
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 DAV/2 SVN/1.5.1 mod_fastcgi/2.4.6 mod_jk/1.2.26 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_wsgi/2.5 Server at blao.de Port 80</address>
</body></html>

----------------------------------------
2010/05/06 15:51:23:975 MESZ [DEBUG] DefaultClientConnection - Connection shut down




[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Vinod K V (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12901055#action_12901055 ] 

Vinod K V commented on HTTPCLIENT-934:
--------------------------------------

I ran into the same kind of problem.

Web search threw this at me: http://hbaseblog.com/2010/07/21/up-and-running-with-secure-hadoop/.

See section Note for MIT Kerberos 1.8.1+.

{quote}
The latest JDK I've tested (1.6.0.20) is not aware of the configuration principal names,
and so it breaks parsing the config entries.
As a workaround, you can renew your krb ticket (kinit -R), which upon renewal rewrites the credential cache without the config entry
{quote}

The problem went away after doing a fresh kinit -R.

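
The log earlier in this thread shows the JDK's CCacheInputStream failing right after it reads a server principal in the `X-CACHECONF:` realm, which is the kind of config entry the workaround quoted above removes. The Python parser below is an added example, not code from this thread or from HttpClient: it reads the MIT FILE: ccache format (versions 3 and 4) and reports such entries. The sample cache, the realm EXAMPLE.TEST and the principal alice are constructed for illustration.

```python
import io
import struct

CONF_REALM = b"X-CACHECONF:"          # realm MIT krb5 gives config entries
CONF_NAME = b"krb5_ccache_conf_data"  # their first name component


class Reader:
    """Big-endian cursor over the bytes of a FILE: ccache (format v3 or v4)."""
    def __init__(self, raw):
        self.buf, self.size = io.BytesIO(raw), len(raw)

    def take(self, n):
        chunk = self.buf.read(n)
        if len(chunk) != n:
            raise ValueError("truncated credential cache")
        return chunk

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def data(self):  # 32-bit length, then that many bytes
        return self.take(self.u32())

    def principal(self):
        self.u32()  # name type, unused here
        count = self.u32()
        realm = self.data()
        return realm, [self.data() for _ in range(count)]

    def typed_list(self):  # addresses and authdata share this layout
        for _ in range(self.u32()):
            self.u16()
            self.data()


def read_ccache(raw):
    """Parse a ccache and return one dict per stored credential."""
    r = Reader(raw)
    version = r.u16()
    if version not in (0x0503, 0x0504):
        raise ValueError("unsupported ccache version 0x%04x" % version)
    if version == 0x0504:
        r.take(r.u16())  # v4 only: skip the tagged header fields
    r.principal()  # default principal
    entries = []
    while r.buf.tell() < r.size:
        r.principal()  # client
        realm, comps = r.principal()  # server
        enctype = r.u16()
        if version == 0x0503:
            r.u16()  # v3 stores the enctype twice
        r.data()  # session key
        endtime = struct.unpack(">4I", r.take(16))[2]  # auth, start, end, renew
        r.take(1 + 4)  # is_skey, ticket_flags
        r.typed_list()  # addresses
        r.typed_list()  # authdata
        ticket = r.data()
        r.data()  # second ticket
        entries.append({
            "server": (b"/".join(comps) + b"@" + realm).decode("utf-8", "replace"),
            "components": comps, "enctype": enctype, "endtime": endtime,
            "config": realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_NAME,
            "ticket": ticket,
        })
    return entries


def config_entries(raw):
    """(key, value) per config entry; the value occupies the ticket field."""
    return [(e["components"][1].decode(), e["ticket"])
            for e in read_ccache(raw) if e["config"]]


def _data(b):
    return struct.pack(">I", len(b)) + b

def _princ(realm, *comps):
    return struct.pack(">II", 1, len(comps)) + _data(realm) + b"".join(map(_data, comps))

def _cred(client, server, enctype, key, endtime, ticket):
    return (client + server + struct.pack(">H", enctype) + _data(key)
            + struct.pack(">4I", 0, 0, endtime, 0) + b"\x00"
            + struct.pack(">3I", 0, 0, 0)  # ticket_flags, no addresses, no authdata
            + _data(ticket) + _data(b""))


def build_sample():
    """Constructed v4 cache: one TGT-shaped entry and one config entry."""
    me = _princ(b"EXAMPLE.TEST", b"alice")
    tgt = _princ(b"EXAMPLE.TEST", b"krbtgt", b"EXAMPLE.TEST")
    conf = _princ(CONF_REALM, CONF_NAME, b"fast_avail", b"krbtgt/EXAMPLE.TEST@EXAMPLE.TEST")
    header = struct.pack(">HHHHII", 0x0504, 12, 1, 8, 0, 0)  # one tag: time offset
    return (header + me
            + _cred(me, tgt, 16, b"\x00" * 24, 1273237529, b"\x61\x00")  # placeholder ticket
            + _cred(me, conf, 0, b"", 0, b"yes"))
```

A config entry carries its value in the ticket field rather than an encoded ticket, so a reader that treats every entry as a credential tries to decode that value as a ticket. To inspect a real cache, pass `config_entries` the bytes of the cache file (`/tmp/krb5cc_1000` in the log above).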


[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864767#action_12864767 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

Hi,

I have installed a Kerberos server on my private server. Same problem here. You can test it with this krb5.conf file:

-----------------------------------------------------
[libdefaults]
default_realm = BLAO.DE

[realms]
BLAO.DE = {
	kdc = blao.de
	admin_server = blao.de
}

[domain_realm]
.blao.de = BLAO.DE
blao.de = BLAO.DE
-----------------------------------------------------

There are 3 users:

test1@BLAO.DE passwd test1
test2@BLAO.DE passwd test2
test3@BLAO.DE passwd test3


Try this url: http://blao.de/krb5/user.php (or https for firefox also works)

On Linux, using kinit test1@BLAO.DE the authentication works for firefox and curl.

But httpclient gives me "WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found"

Can you reproduce this?

Dennis




[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864455#action_12864455 ] 

Oleg Kalnichevski commented on HTTPCLIENT-934:
----------------------------------------------

Have you read and followed these instructions?
http://hc.apache.org/httpcomponents-client/tutorial/html/authentication.html#spnego

Oleg




[jira] Updated: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Rieks updated HTTPCLIENT-934:
------------------------------------

    Description: 
Hi,
I used org/apache/http/examples/client/ClientKerberosAuthentication.java to test Kerberos authentication.

My Setup:
Apache2 on Debian (virtual machine "server4.kdctest.local") is set up to deliver Kerberos-authenticated content via http and https.
The Kerberos KDC (virtual machine "kdc.kdctest.local") also runs on Debian.
On my desktop (Ubuntu) I can use kinit/klist/kdestroy to sign in on the Kerberos domain, and server4 only delivers content when signed on.
I used Firefox (with extra settings for http in about:config) and curl (curl -k --negotiate -u : http://server4.kdctest.local/test.php) to test my Kerberos setup.

The Problem:
ClientKerberosAuthentication always asks for the username/password and doesn't care about kinit. Also, there is always an HTTP 401 error and no content is delivered.

I used the latest svn version of httpclient




[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864784#action_12864784 ] 

Oleg Kalnichevski commented on HTTPCLIENT-934:
----------------------------------------------

All I can say is that something craps out inside the Java security code, either due to unexpected or invalid input or due to an incompatibility with Sun's Kerberos implementation. 

I do not have the slightest idea how Kerberos works and unfortunately cannot be of any help here. 

This is how open source functions: you have to be prepared to scratch your own itch. It is very unlikely anyone else would do that for you. If you are willing to troubleshoot Kerberos-related stuff, I will happily help you with HttpClient-specific aspects, as well as review and apply patches.

Oleg



[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864746#action_12864746 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

Hi,
yes I have, I followed them step by step. But I had to remove udp_preference_limit = 1 from krb5.conf.

I think this is the problem:
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
(WARNUNG is WARNING in German.)

This is the log file:
>>>KinitOptions cache name is /tmp/krb5cc_1000
Kerberos-Benutzername [drieks]: hallo@KDCTEST.LOCAL
Kerberos-Passwort für hallo@KDCTEST.LOCAL: hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=533
>>> KrbKdcReq send: #bytes read=533
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Found ticket for hallo@KDCTEST.LOCAL to go to krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL expiring on Fri May 07 13:52:06 CEST 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 12ba57aa
>>>crc32: 10010101110100101011110101010
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=568
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=568
>>> KrbKdcReq send: #bytes read=507
>>> KrbKdcReq send: #bytes read=507
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 5cfa8fb0
>>>crc32: 1011100111110101000111110110000
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 9a6c3d10
>>>crc32: 10011010011011000011110100010000
Krb5Context setting mySeqNumber to: 1056242984
Created InitSecContextToken:

06.05.2010 13:52:06 org.apache.http.impl.client.DefaultRequestDirector handleResponse
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
</body></html>

----------------------------------------


Using Wireshark, everything seems to be OK:
> GET /test.php HTTP/1.1
> Host: server4.kdctest.local
> Connection: Keep-Alive
> User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)

< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 11:52:00 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
< WWW-Authenticate: Negotiate
< Vary: Accept-Encoding
< Content-Length: 630
< Keep-Alive: timeout=15, max=100
< Connection: Keep-Alive
< Content-Type: text/html; charset=iso-8859-1
< 
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested.  Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>
>GET /test.php HTTP/1.1
>Host: server4.kdctest.local
>Connection: Keep-Alive
>User-Agent: Apache-HttpClient/4.1-alpha2-SNAPSHOT (java 1.5)
>Authorization: Negotiate (...)



But here, the server responds with 401:
< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 11:52:06 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
< Vary: Accept-Encoding
< Content-Length: 630
< Keep-Alive: timeout=15, max=99
< Connection: Keep-Alive
< Content-Type: text/html; charset=iso-8859-1
< 
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested.  Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>

Compared to curl dump:
> GET /test.php HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: server4.kdctest.local
> Accept: */*

< HTTP/1.1 401 Authorization Required
< Date: Thu, 06 May 2010 12:02:30 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
< WWW-Authenticate: Negotiate
< Vary: Accept-Encoding
< Content-Length: 630
< Content-Type: text/html; charset=iso-8859-1
< 
< <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
< <html><head>
< <title>401 Authorization Required</title>
< </head><body>
< <h1>Authorization Required</h1>
< <p>This server could not verify that you
< are authorized to access the document
< requested.  Either you supplied the wrong
< credentials (e.g., bad password), or your
< browser doesn't understand how to supply
< the credentials required.</p>
< <hr>
< <address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
< </body></html>
> GET /test.php HTTP/1.1
> Authorization: Negotiate (...)
> User-Agent: curl/7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: server4.kdctest.local
> Accept: */*

< HTTP/1.1 200 OK
< Date: Thu, 06 May 2010 12:02:30 GMT
< Server: Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0
< X-Powered-By: PHP/5.2.6-1+lenny8
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html
< 
< 2005
< <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
< <html><head>
< <style type="text/css">
(...)

I can't find a solution for this. The http server works fine with curl and firefox. 
ClientKerberosAuthentication.java also always asks for the username and password, ignoring kinit / kdestroy in the terminal.
With kdestroy:
>>>KinitOptions cache name is /tmp/krb5cc_1000
Kerberos-Benutzername [drieks]: 

With kinit hallo@KDCTEST.LOCAL:
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Thu May 06 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> start time: Thu May 06 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> end time: Fri May 07 14:02:26 CEST 2010
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()  INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> start time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() 
java.io.IOException: extra data given to DerValue constructor
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.krb5.internal.Ticket.<init>(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readData(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.load(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(Unknown Source)
	at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(Unknown Source)
	at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$5.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:233)
	at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:104)
	at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:108)
	at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:453)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:693)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:624)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
	at org.apache.http.examples.client.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:153)
Kerberos-Benutzername [drieks]: 

Do you have any suggestion?

Thank you,
Dennis
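
The two captures in the comment above differ in how the server answers the request that carries `Authorization: Negotiate`. As an added example (not part of the original thread and not HttpClient code), this Python script parses such `>`/`<` dumps and classifies each request/response pair; the sample traces are constructed from the headers shown above, trimmed, with a placeholder token, and the outcome labels are names chosen here.

```python
import re
from dataclasses import dataclass, field

# Request line ("GET /x HTTP/1.1") or status line ("HTTP/1.1 401 ...").
START = re.compile(r"^(?:[A-Z]+ \S+ HTTP/\d\.\d|HTTP/\d\.\d \d{3}\b.*)$")


@dataclass
class Message:
    direction: str                      # ">" client to server, "<" server to client
    start_line: str
    headers: dict = field(default_factory=dict)


def parse_dump(text):
    """Split a curl -v / Wireshark style dump into HTTP messages with headers."""
    messages, current, in_headers = [], None, False
    for raw in text.splitlines():
        if not raw or raw[0] not in "<>":
            continue                    # blank or unprefixed lines carry nothing
        direction, line = raw[0], raw[1:].strip()
        if START.match(line):
            current = Message(direction, line)
            messages.append(current)
            in_headers = True
        elif current is not None and in_headers and direction == current.direction:
            if line == "":
                in_headers = False      # empty prefixed line ends the header block
            elif ":" in line:
                name, _, value = line.partition(":")
                current.headers.setdefault(name.strip().lower(), []).append(value.strip())
    return messages


def negotiate_outcomes(messages):
    """Label each request/response pair by what happened to the Negotiate handshake."""
    outcomes, request = [], None
    for msg in messages:
        if msg.direction == ">":
            request = msg
            continue
        if request is None:
            continue
        status = int(msg.start_line.split()[1])
        sent_token = any(
            v.lower().startswith("negotiate ") and len(v.split()) > 1
            for v in request.headers.get("authorization", [])
        )
        challenged = any(
            v.split()[0].lower() == "negotiate"
            for v in msg.headers.get("www-authenticate", []) if v
        )
        if status == 401 and not sent_token and challenged:
            outcomes.append("challenge")
        elif status == 401 and sent_token and challenged:
            outcomes.append("token-rejected-rechallenge")
        elif status == 401 and sent_token:
            # 401 with no WWW-Authenticate: Negotiate header, as in the
            # HttpClient capture that accompanies the warning in the log.
            outcomes.append("token-rejected-no-challenge")
        elif sent_token:
            outcomes.append("token-accepted")
        else:
            outcomes.append("no-negotiate")
        request = None
    return outcomes


# Constructed samples: header subsets of the two captures, placeholder token.
HTTPCLIENT_TRACE = """\
> GET /test.php HTTP/1.1
> Host: server4.kdctest.local
> Connection: Keep-Alive

< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
< Content-Length: 630
<
< <html><head>
>GET /test.php HTTP/1.1
>Host: server4.kdctest.local
>Authorization: Negotiate CONSTRUCTED_TOKEN

< HTTP/1.1 401 Authorization Required
< Content-Length: 630
<
< <html><head>
"""

CURL_TRACE = """\
> GET /test.php HTTP/1.1
> Host: server4.kdctest.local

< HTTP/1.1 401 Authorization Required
< WWW-Authenticate: Negotiate
<
< <html><head>
> GET /test.php HTTP/1.1
> Authorization: Negotiate CONSTRUCTED_TOKEN
> Host: server4.kdctest.local

< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
<
< 2005
"""

if __name__ == "__main__":
    for name, trace in (("httpclient", HTTPCLIENT_TRACE), ("curl", CURL_TRACE)):
        print(name, negotiate_outcomes(parse_dump(trace)))
```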



[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864765#action_12864765 ] 

Oleg Kalnichevski commented on HTTPCLIENT-934:
----------------------------------------------

(1) Make sure you are using the latest code snapshot from SVN trunk.
(2) When troubleshooting, always run HttpClient with wire/context logging on as described here [1]. Feel free to attach the log to this report.
(3) Try running your application with Java 1.6 instead of Java 1.5. Kerberos support in Java 1.5 is said to be very limited or broken.
(4) See HTTPCLIENT-901 [2]. As the _absolutely_ last resort, try to get in touch with Sebastiaan van Erk and _kindly_ ask him if he would be willing / able to contribute his enhancements to HttpClient SPNEGO code.
(5) You are out of luck and on your own. I have no clue about Kerberos and cannot be of much help other than reviewing / committing patches.

Oleg

[1] http://hc.apache.org/httpcomponents-client/logging.html
[2] https://issues.apache.org/jira/browse/HTTPCLIENT-901



[jira] Updated: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dennis Rieks updated HTTPCLIENT-934:
------------------------------------

    Comment: was deleted

(was: I'm using "Sun jre1.6.0_18")



[jira] Resolved: (HTTPCLIENT-934) kerberos auth not working

Posted by "Oleg Kalnichevski (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski resolved HTTPCLIENT-934.
------------------------------------------

    Resolution: Invalid

It is not entirely clear why the authentication process fails, but so far there has been no evidence to prove that HttpClient is at fault. This looks more like an issue with the Java krb5 implementation. 

Oleg



[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864428#action_12864428 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is hallo@KDCTEST.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_1000
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Wed May 05 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> start time: Wed May 05 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> end time: Thu May 06 19:22:19 CEST 2010
>>>DEBUG <CCacheInputStream> renew_till time: Wed May 05 19:22:19 CEST 2010
>>> CCacheInputStream: readFlags()  RENEWABLE; INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream>  client principal is hallo@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> start time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 01:00:00 CET 1970
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() 
java.io.IOException: extra data given to DerValue constructor
	at sun.security.util.DerValue.init(Unknown Source)
	at sun.security.util.DerValue.<init>(Unknown Source)
	at sun.security.krb5.internal.Ticket.<init>(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readData(Unknown Source)
	at sun.security.krb5.internal.ccache.CCacheInputStream.readCred(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.load(Unknown Source)
	at sun.security.krb5.internal.ccache.FileCredentialsCache.acquireInstance(Unknown Source)
	at sun.security.krb5.internal.ccache.CredentialsCache.getInstance(Unknown Source)
	at sun.security.krb5.Credentials.acquireTGTFromCache(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
	at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$5.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at sun.security.jgss.GSSUtil.login(Unknown Source)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at org.apache.http.impl.auth.NegotiateScheme.authenticate(NegotiateScheme.java:233)
	at org.apache.http.client.protocol.RequestTargetAuthentication.process(RequestTargetAuthentication.java:104)
	at org.apache.http.protocol.ImmutableHttpProcessor.process(ImmutableHttpProcessor.java:108)
	at org.apache.http.protocol.HttpRequestExecutor.preProcess(HttpRequestExecutor.java:167)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:453)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:693)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:624)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
	at eu.tradespark.krb5.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:157)
Principal is hallo@KDCTEST.LOCAL
null credentials from Ticket Cache
Kerberos-Passwort für hallo@KDCTEST.LOCAL: hallo
		[Krb5LoginModule] user entered username: hallo@KDCTEST.LOCAL

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=150
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=150
>>> KrbKdcReq send: #bytes read=533
>>> KrbKdcReq send: #bytes read=533
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply hallo
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is hallo@KDCTEST.LOCAL
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: DF B6 38 1A F2 8C 0D 15   
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: DF B6 38 1A F2 8C 0D 15   
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 09 5B 16 F9 21 A7 DA 5E   A1 29 69 56 EC 3A 90 6B  .[..!..^.)iV.:.k

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FD 07 15 49 75 7C FB 43   97 26 5E 02 68 76 F7 89  ...Iu..C.&^.hv..
0010: FD 80 97 1C 49 DA 3E 49   
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 35 B1 F8 D5 F7 46 97 83   81 1A 8E AD AE A0 CE 73  5....F.........s

Commit Succeeded 

Found ticket for hallo@KDCTEST.LOCAL to go to krbtgt/KDCTEST.LOCAL@KDCTEST.LOCAL expiring on Thu May 06 19:43:24 CEST 2010
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: e5fdb8f4
>>>crc32: 11100101111111011011100011110100
>>> KrbKdcReq send: kdc=kdc.kdctest.local UDP:88, timeout=30000, number of retries =3, #bytes=568
>>> KDCCommunication: kdc=kdc.kdctest.local UDP:88, timeout=30000,Attempt =1, #bytes=568
>>> KrbKdcReq send: #bytes read=507
>>> KrbKdcReq send: #bytes read=507
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: a79e462b
>>>crc32: 10100111100111100100011000101011
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: c30c2a72
>>>crc32: 11000011000011000010101001110010
Krb5Context setting mySeqNumber to: 40618110
Created InitSecContextToken:

05.05.2010 19:43:25 org.apache.http.impl.client.DefaultRequestDirector handleResponse
WARNUNG: Authentication error: Negotiate authorization challenge expected, but not found
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.2.9 (Debian) mod_auth_kerb/5.3 PHP/5.2.6-1+lenny8 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ssl/2.2.9 OpenSSL/0.9.8g mod_perl/2.0.4 Perl/v5.10.0 Server at server4.kdctest.local Port 80</address>
</body></html>

----------------------------------------



[jira] Commented: (HTTPCLIENT-934) kerberos auth not working

Posted by "Dennis Rieks (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/HTTPCLIENT-934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12864768#action_12864768 ] 

Dennis Rieks commented on HTTPCLIENT-934:
-----------------------------------------

I'm using "Sun jre1.6.0_18"

> kerberos auth not working
> -------------------------
>
>                 Key: HTTPCLIENT-934
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-934
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: Examples, HttpClient
>    Affects Versions: 4.1 Alpha1
>            Reporter: Dennis Rieks
>            Priority: Minor
>
> Hi,
> I used org/apache/http/examples/client/ClientKerberosAuthentication.java to test Kerberos authentication.
> My Setup:
> Apache2 on Debian (virtual machine "server4.kdctest.local") is set up to deliver Kerberos authenticated content via http and https.
> The Kerberos kdc (virtual machine "kdc.kdctest.local") also runs on Debian.
> On my Desktop (Ubuntu) I can use kinit/klist/kdestroy to sign in on the Kerberos domain and server4 only delivers content when signed on.
> I used Firefox (with extra settings for http in about:config) and curl (curl -k --negotiate -u : http://server4.kdctest.local/test.php) to test my Kerberos setup.
> The Problem:
> ClientKerberosAuthentication always asks for the username/password and doesn't care about kinit. Also there is always an HTTP 401 error and no content is delivered.
> I used the latest svn version of httpclient
