Asseco

SPNEGO SSO FAQ

Licensing

  1. I just visited your web site and I'm very interested in a demo
  2. What about license terms and pricing for the product?
  3. Can you describe your license models?

Runtime or configuration errors

  1. Error: java.io.IOException: insufficient data
  2. What should I change in the server principal name in the demo?
  3. Is it correct to visit http://localhost:8080/spnegosample/spnego
  4. Does IE automatically pop up a window and prompt for userid and password?
  5. Error: Authentication time of ticket cannot be null
  6. No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
  7. Error: Mechanism level: KDC has no support for encryption type (14)
  8. My token looks like Negotiate TlRMTVNTUAADAAAAAAAAAEAAAA...
  9. The demo doesn't work if I run the client browser on the Active Directory server, why?
  10. My TGT on my Windows machine has timed out! How can I renew it? Do I really need to log off and log on?
  11. Using the Tomcat Authenticator plugin, I get the following error: java.io.IOException: userid test could not be authenticated, check user and password
  12. Client java programs using the SSO tickets stopped working after I installed SP2 on XP

Other questions

  1. Must I use Active Directory?
  2. What about mail and other non-HTTP protocols?
  3. Other clients than Internet Explorer? Mozilla? Firefox? Fat Java clients?
  4. Can I use the library to create SPNEGO/Kerberos tokens for usage in client Java applications?
  5. Can the library be integrated into security plugins in application servers like Tomcat, WebSphere, WebLogic or the like?
  6. Does the SPNEGO/Kerberos module support Active Directory domain trees in a domain forest?
  7. What is the PAC and is it supported?
  8. What platforms are supported?
  9. Are delegated tickets supported?


Q:

I just visited your web site and I'm very interested in a demo

A:

Go to the appliedcrypto.com support page and register to download the product and obtain a 30-day trial license.

back to top


Q:

Must I use Active Directory? Can I use another third-party LDAP product or a Kerberos implementation like MIT?

A:

SPNEGO SSO is designed to work with Active Directory. However, Active Directory does interoperate with MIT Kerberos: Microsoft has published several papers and articles describing how to set up MIT Kerberos alongside Active Directory, or how to set up Active Directory in a trust relationship with an MIT realm.

back to top


Q:

I get the following error calling the library. What’s wrong?

...
java.io.IOException: insufficient data
at sun.security.util.DerInputBuffer.truncate(DerInputBuffer.java:108)
at sun.security.util.DerValue.<init>(DerValue.java:249)
at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:369)
at dk.itp.spnego.asn1.Spnego.spnego(DashoA2957)
at dk.itp.spnego.SpnegoContext.a(DashoA2957)
at dk.itp.spnego.SpnegoContext.jgss_comms(DashoA2957)
...
A:

The library has been called with a token that is not a SPNEGO token. Check the browser settings. If they (security zones, proxy, ...) are not correct, the browser will not send a SPNEGO/Kerberos token, and the library fails to parse and decode what it receives instead (typically an NTLM token, which is a different format and far shorter than the DER structure the parser expects, hence "insufficient data").

Take a closer look at the article SPNEGO/Kerberos part II (search microsoft.com for "Client Side—Internet Explorer"), especially the section describing how to set up the browser.

back to top


Q:

What should I change in the server principal name in the demo? I have an Active Directory domain named "server.net" that is mapped to the local IP address "192.168.168.1". Do I need to change serverPrincipalName to "HTTP/spnego.server.net@SERVER.NET" in your demo?

A:

The last part, @SERVER.NET, is the realm (the Windows domain name in upper case). spnego.server.net is the host name of the SPNEGO/Kerberos authentication servlet. HTTP/ is a prefix (the service class) which the browser adds to the host name from the URL when it requests a service ticket, so the full SPN the browser asks for is HTTP/spnego.server.net@SERVER.NET.

Note that the SPN is case sensitive.

back to top


Q:

Is it correct to visit http://localhost/spnegosample/spnego to authenticate if my domain is server.net and my SPN is spnego.server.net?

A:

Specifying localhost won't work. You must use the host name spnego.server.net so that the browser requests the correct service ticket: service tickets are issued for a specific service principal, and the browser derives that principal from the host in the URL. In the example above that is spnego.server.net; with localhost the browser would ask the KDC for HTTP/localhost, which matches nothing in your keytab.

Try using the URL: http://spnego.server.net/spnegosample/spnego instead.

back to top


Q:

Does the IE automatically popup a window and prompt for userid and password?

A:

The whole point of using SPNEGO/Kerberos is that the user is NEVER prompted for userid and password. SPNEGO (and Kerberos) authenticates the user based on the credentials he already presented when logging on to the domain.

Authenticators (the security plugins for the various application servers) do provide a fallback authentication mechanism such as Basic Authentication, to support the cases where SPNEGO is not available.

back to top


Q:
ERROR SpnegoServlet  - Could not logon user with SPNEGO token
java.lang.IllegalArgumentException: Authentication time of ticket cannot be null
at javax.security.auth.kerberos.KerberosTicket.init(KerberosTicket.java:279)
at javax.security.auth.kerberos.KerberosTicket.<init>(KerberosTicket.java:222)
at sun.security.jgss.krb5.Krb5InitCredential.<init>(Krb5InitCredential.java:119)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:199)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:107)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:719)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at dk.itp.spnego.SpnegoContext.jgss_comms(DashoA2957)
A:

Check the delegation setting on the service account (the principal user). It is probably enabled; set it to disabled.

This only fails with the Sun JDK. Delegation works with the IBM JDK.

back to top


Q:
ERROR SpnegoServlet  - Could not logon user with SPNEGO token
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:82)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at dk.itp.spnego.SpnegoContext.jgss_comms(DashoA2957)
A:

Check the keytab file location and the server principal name. The SPN must match the fully qualified host name of the authentication servlet, i.e. the host in the URL the browser uses; otherwise the key needed to decrypt the service ticket cannot be found in the keytab. Also check that the host name in the browser request is correct.

Verify that the SPN is unique in Active Directory.

Check the SPN case. The realm and the SPN are case sensitive.

Also check the clock settings on the client (browser machine), the SPNEGO/Kerberos server and the Active Directory server. The clocks of all machines must be synchronized (Kerberos tolerates 5 minutes of skew by default); otherwise tickets cannot be validated and a time skew exception is thrown. A time skew error could also be the cause of the above error.

back to top


Q:

ERROR: Mechanism level: KDC has no support for encryption type (14)

A:

This error occurs when the SPN account uses the Active Directory default encryption type, RC4-HMAC, while the Sun JDK does not support it: Sun JDK releases up to Java 5 support only DES (Java 6 added RC4-HMAC and AES). If the IBM JDK is used, RC4-HMAC is supported. Note that the 14 in the message is the Kerberos error code KDC_ERR_ETYPE_NOSUPP, not an encryption type number.

DES is cryptographically weak, so prefer a JDK that supports RC4-HMAC or AES over downgrading the account. If you must stay on a DES-only JDK, check the SPN user account: it must have "Use DES encryption types for this account" checked.

Also check the default enctypes in the krb5.conf file. They must be set to des-cbc-md5 and des-cbc-crc (the default_tkt_enctypes and default_tgs_enctypes settings in the [libdefaults] section).

back to top
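
The three checks in the SPN question, the "Failed to find any Kerberos Key" answer and the encryption type answer above (host name in the URL, case, usable encryption type) can be done against the keytab mechanically. The following is an added example in Python, not code from the SPNEGO SSO product or its Java API. It parses the MIT keytab format (version 0x0502, the format ktpass/ktutil write and the Java Kerberos provider reads), derives the SPN the browser will request as HTTP/<host from the URL>@<REALM> as described above, and reports the mismatches this FAQ lists. The keytab bytes, key material and the enctype sets (DES_ONLY for the Sun JDK of the time, RC4 for the Active Directory default) are constructed for the example; build_keytab exists only to create that sample.

```python
"""Check a keytab against the SPN the browser will request.

Added example, not part of the SPNEGO SSO product or its Java API: parses the
MIT keytab format (version 0x0502, written by ktpass/ktutil and read by the
Java Kerberos provider), derives the SPN from the URL as HTTP/<host>@REALM and
reports the mismatches the FAQ lists (wrong host, wrong case, no usable enctype).
"""
import struct
from collections import namedtuple
from urllib.parse import urlsplit

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ONLY = {1, 3}   # what the FAQ says the Sun JDK of the time supports
RC4 = {23}          # Active Directory default for a service account
KeytabEntry = namedtuple("KeytabEntry", "principal enctype kvno")

def _counted(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw

def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries) -> bytes:
    """Serialize (principal, enctype, kvno, key) tuples as a v2 keytab (sample data only)."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit vno
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)                  # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body       # size excludes itself
    return bytes(out)

def parse_keytab(data: bytes) -> list:
    """Return KeytabEntry objects for a v2 keytab; key material is not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                     # deleted slot, skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        vno8 = data[pos + 8]                             # after name type + timestamp
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_counted(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), enctype, kvno))
        pos = end
    return entries

def expected_spn(url: str, realm: str) -> str:
    """SPN the browser asks the KDC for: HTTP/<host in the URL>@<REALM>."""
    return f"HTTP/{urlsplit(url).hostname}@{realm.upper()}"

def _names(enctypes) -> list:
    return [ENCTYPE_NAMES.get(t, str(t)) for t in sorted(enctypes)]

def check_keytab(keytab: bytes, url: str, realm: str, kdc_enctypes, jdk_enctypes) -> list:
    """Findings in the FAQ's terms; an empty list means the keytab should work."""
    spn = expected_spn(url, realm)
    entries = parse_keytab(keytab)
    matches = [e for e in entries if e.principal == spn]
    if not matches:
        loose = [e.principal for e in entries if e.principal.lower() == spn.lower()]
        if loose:
            return [f"case mismatch: keytab has {loose[0]}, browser requests {spn}"]
        return [f"no key for {spn}; keytab has {sorted({e.principal for e in entries})}"]
    usable = {e.enctype for e in matches} & set(kdc_enctypes) & set(jdk_enctypes)
    if not usable:
        return [f"no common enctype: keytab {_names(e.enctype for e in matches)}, "
                f"KDC {_names(kdc_enctypes)}, JDK {_names(jdk_enctypes)}"]
    return []

# Constructed sample: one RC4-HMAC key for the FAQ's demo SPN (arbitrary key bytes).
SAMPLE_KEYTAB = build_keytab([("HTTP/spnego.server.net@SERVER.NET", 23, 2, bytes(range(16)))])

if __name__ == "__main__":
    for url, jdk in (("http://spnego.server.net/spnegosample/spnego", RC4),
                     ("http://localhost/spnegosample/spnego", RC4),
                     ("http://spnego.server.net/spnegosample/spnego", DES_ONLY)):
        print(url, _names(jdk), check_keytab(SAMPLE_KEYTAB, url, "SERVER.NET", RC4, jdk))
```

Run against a real keytab, the script reproduces the three situations this FAQ describes: the localhost URL yields "no key for HTTP/localhost@SERVER.NET", a keytab written with a differently cased SPN yields a case mismatch, and an RC4-only keytab paired with a DES-only JDK yields the enctype mismatch. The same function also catches a keytab that simply lacks the service principal.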

Q:

My token looks like Negotiate TlRMTVNTUAADAAAAAAAAAEAAAA...

A:

It is not a SPNEGO/Kerberos token. Base64-decoded, the token above looks like:

0000: 4E 54 4C 4D 53 53 50 00 - 03 00 00 00 00 00 00 00  NTLMSSP.........
0010: 40 00                                              @.

The "NTLMSSP\0" signature (followed by message type 3, AUTHENTICATE) identifies it as an NTLM authentication token.

A typical SPNEGO/Kerberos token looks like: Negotiate YIIJUQYGKwYBBQUCoIIJRTCCCU...

0000: 60 82 09 51 06 06 2B 06 - 01 05 05 02 A0 82 09 45  `..Q..+........E
0010: 30 82                                              0.

which starts with 0x60, the ASN.1 [APPLICATION 0] tag of a GSS-API InitialContextToken (RFC 2743), followed by a length and the SPNEGO mechanism OID 1.3.6.1.5.5.2 (the bytes 06 06 2B 06 01 05 05 02).

If the client is running on a separate machine from the Active Directory server, an NTLM token is probably caused by misconfiguration of the browser. Check the browser settings.

Also see how to set up the browser for more information on how to configure Internet Explorer to send SPNEGO/Kerberos tokens.

back to top
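
The hex-dump check above can be scripted. The following is an added example in Python, not code from the SPNEGO SSO product: it base64-decodes a Negotiate header value and classifies the token from its first bytes, which also explains the "insufficient data" parse error and the NTLM-on-the-domain-controller symptom described elsewhere in this FAQ. The sample header values are the first 24 base64 characters of the two tokens shown above (truncated for the example, which is enough to classify them); the mechanism OIDs are the standard SPNEGO and Kerberos v5 OIDs plus Microsoft's Kerberos OID variant.

```python
"""Tell an NTLM token apart from a SPNEGO/Kerberos token in a Negotiate header.

Added example, not part of the SPNEGO SSO product or its API. It automates
the hex-dump check the FAQ does by hand: NTLM tokens start with the ASCII
signature "NTLMSSP\\0", GSS-API tokens start with the ASN.1 [APPLICATION 0]
tag 0x60 followed by a length and the mechanism OID (RFC 2743, section 3.1).
"""
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs that can follow the 0x60 tag and its length.
MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("06092a864886f712010202"): "Kerberos v5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("06092a864882f712010202"): "Kerberos v5, Microsoft OID (1.2.840.48018.1.2.2)",
}


def decode_header(value: str) -> bytes:
    """Base64-decode the token of an 'Authorization: Negotiate <token>' value.

    Missing '=' padding is restored because log excerpts and proxies often
    drop it; anything that is still not base64 raises ValueError.
    """
    parts = value.strip().split(None, 1)
    if parts and parts[0].lower() == "negotiate":
        token = parts[1] if len(parts) > 1 else ""
    else:
        token = value.strip()
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a base64 token: {exc}") from exc


def _der_length(buf: bytes, pos: int):
    """Read a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(raw: bytes) -> str:
    """Describe what kind of token the decoded bytes are."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 12:
            return "NTLM (truncated, message type unknown)"
        msg_type = int.from_bytes(raw[8:12], "little")
        return f"NTLM {NTLM_MESSAGE_TYPES.get(msg_type, msg_type)}"
    if not raw or raw[0] != 0x60:
        return "unknown (neither NTLMSSP nor a GSS-API InitialContextToken)"
    try:
        _, pos = _der_length(raw, 1)
    except (ValueError, IndexError):
        return "GSS-API token with a truncated length field"
    for oid, name in MECH_OIDS.items():
        if raw.startswith(oid, pos):
            return name
    return "GSS-API token with an unknown mechanism OID"


def check_header(value: str) -> str:
    """One-line verdict for a header value, with the FAQ's advice attached."""
    kind = classify_token(decode_header(value))
    if kind.startswith("NTLM"):
        return (kind + ": the browser fell back to NTLM; check the browser and proxy "
                "settings, or run the browser on a machine other than the domain controller")
    return kind


# Constructed samples: the first 24 base64 characters of the two tokens shown
# in the FAQ (18 bytes each), which is all that is needed to classify them.
NTLM_SAMPLE = "Negotiate TlRMTVNTUAADAAAAAAAAAEAA"
SPNEGO_SAMPLE = "Negotiate YIIJUQYGKwYBBQUCoIIJRTCC"

if __name__ == "__main__":
    for sample in (NTLM_SAMPLE, SPNEGO_SAMPLE):
        print(sample, "->", check_header(sample))
```

Feed it the Authorization header value straight from the access log or a proxy capture; a verdict of "NTLM AUTHENTICATE" means the browser never obtained or never sent a Kerberos service ticket, which is the browser or proxy configuration problem this FAQ describes, while a raw Kerberos v5 token (no SPNEGO wrapper) points at a client that negotiated the mechanism directly.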


Q:

What about mail and other non-HTTP protocols?

A:

From the SPNEGO/Kerberos library's perspective it is just handling Kerberos tokens. My sample web application only shows HTTP authentication, but the library could be integrated into mail and other solutions.

The Kerberos ticket can be marked as delegatable (forwardable). The server side can then impersonate the client when calling Kerberized (GSS-API authenticated) backend servers such as web mail or databases. Because the server then holds the user's forwarded credentials, only enable delegation for service accounts you trust with them.

back to top

Q:

The demo doesn't work if I run the client browser on the Active Directory server, but it works if I run the client browser on a separate machine and Active Directory on another. Why?

A:

It is correct that it doesn't work if you use the browser on the physical Active Directory server, but it does work if you use a separate machine as the client.

If the client browser runs on the Active Directory server, the browser does not send a SPNEGO/Kerberos token. It sends an NTLM token instead, which is why the token cannot be verified.

The solution is to run the client browser on a separate machine.

For development and pre-test setups, a VMware installation with separate virtual machines for Active Directory, the test browser and the SPNEGO/Kerberos authentication servlet will do the job.

back to top


Q:

Is it possible to run with other clients than Internet Explorer, like Mozilla or even Java Applications?

A:

Yes. Internet Explorer 5.5 SP1 and later and Java clients based on Sun JDK 1.4.1 and later are supported. Mozilla and Firefox browsers from mozilla.org are also supported.

back to top


Q:

Can I use the library to create SPNEGO/Kerberos tokens which can be used from a client Java application?

A:

Yes. Take a look at the article Client side single sign-on using SPNEGO/Kerberos with Java. It shows how to create SPNEGO/Kerberos tokens using the SPNEGO/Kerberos library. This code can be integrated into Java applications and applets.

Also take a look at the article Using JAAS and SPNEGO/Kerberos to single sign-on from fat java clients. This article describes how to use JAAS and SPNEGO/Kerberos to do login validation from client Java applications.

back to top


Q:

Can the library be integrated into security plugins in application servers like Tomcat, WebSphere, WebLogic or the like?

A:

Yes, as long as they run on top of Sun JDK 1.4 and above, IBM JDK 1.4.1, or IBM JDK 1.3.1 (patched).

back to top


Q:

What about license terms and pricing for the product?

A:

E-mail spnego_AT_it-practice.dk for more information.

back to top


Q:

My TGT on my Windows machine has timed out! How can I renew it? Do I really need to log off and log on?

A:

It is correct that the ticket is renewed during logon.

But accessing a domain resource from Windows has the same effect: the client gets a fresh ticket when a resource on the domain controller, for example a network share, is accessed.

This means that if the KERBTRAY program shows that the ticket has expired, it can be renewed by executing a simple:

        dir \\mydomain\somealias

Later JDK versions include functionality to renew expired tickets.

back to top


Q:

Using the Tomcat Authenticator plugin, I get the following error: java.io.IOException: userid test could not be authenticated, check user and password

A:

The Tomcat Authenticator first tries to negotiate using SPNEGO/Kerberos; if that fails it falls back to BASIC authentication, which is where this error message comes from. The root cause is the browser not sending a usable SPNEGO token. Check the browser settings, and check the ticket cache using the KERBTRAY utility from the Microsoft resource kit.

back to top


Q:

Does the SPNEGO/Kerberos module support Active Directory domain trees in a domain forest?

A:

Yes, this works out of the box with Sun JDK 1.4+ and IBM JDK 1.4.1+.

back to top


Q:

Client java programs using the SSO tickets stopped working after I installed SP2 on XP

A:

Microsoft has built in some security protection code that stops external programs from reading the session key of the TGT out of the native Windows ticket cache.

The capability can be re-enabled with a registry value:

On Windows 2003 Server and Windows 2000 Server SP4:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    AllowTGTSessionKey = 0x01 (DWORD)

On Windows XP SP2 the value lives one level up:

  HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
    AllowTGTSessionKey = 0x01 (DWORD)

Setting this value re-enables the capability. Be aware of what it gives away: any process running as the logged-on user can then read the TGT and its session key from the cache, which is exactly what the protection was added to prevent, so enable it only on machines where that risk is acceptable.

back to top


Q:

What is the PAC and is it supported?

A:

The Microsoft Privilege Attribute Certificate (PAC) is an extension to the Kerberos ticket that carries Active Directory specific authorization data, such as the group memberships of the authenticated user.

The PAC and its content are supported in the Tomcat Authenticator plugins and in the ServletFilter.

The Active Directory groups from the PAC are mapped to J2EE security roles; this mapping integrates tightly with the application server plugin and decouples the J2EE roles from the group names in Active Directory.

back to top


Q:

What platforms are supported?

A:

SPNEGO SSO is pure Java and is written for Sun JDK 1.4+, JRockit 1.4+ and IBM JDK 1.3+.

Any application server that uses these JDKs will be able to run our product. This includes vendor-specific JDKs which are compliant with the Sun or IBM implementations.

Supported application servers (not limited to)

  • Tomcat 4.x, 5.x, 5.5

  • WebLogic 8.1 and greater

  • WebSphere 5.x, 6.x

  • Any server that can run a ServletFilter

Supported operating systems (not limited to) include Linux, Unix and Windows.

back to top


Q:

Are delegated tickets supported?

A:

Yes.

back to top


Q:

Can you describe your license models?

A:

We have different license models.

E-mail spnego_AT_it-practice.dk for details.

back to top