You can securely negotiate and authenticate HTTP requests for secured resources in WebSphere® Application Server by using the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO). This article describes the issues you might encounter using Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) as the web authentication service for WebSphere Application Server.
If you are unable to resolve the Kerberos principal name, as shown in the following trace example:
[11/11/03 1:42:29:795 EST] 1d01b21e GetKrbToken > Negotiation (GSS): Begin handshake [11/11/03 1:42:29:795 EST] 1d01b21e Context > GSS Context init, servername:HTTP@johnwang5.jwcmd.com [11/11/03 1:42:29:866 EST] 1d01b21e TraceNLS u No message text associated with key Error.getting.the.Token, .GSS.Exception:org.ietf.jgss.GSSException,.major.code:.13,.minor.code:.0 major.string:.Invalid.credentials minor.string:.Cannot.get.credential.from.JAAS.Subject.for.principal:.HTTP/192.168.0.4@168.0.4 in bundle com.ibm.ejs.resources.security [11/11/03 1:42:29:866 EST] 1d01b21e GetKrbToken E Error getting the Token, GSS Exception:org.ietf.jgss.GSSException, major code: 13, minor code: 0 major string: Invalid credentials minor string: Cannot get credential from JAAS Subject for principal: HTTP/192.168.0.4@168.0.4 [11/11/03 1:42:29:876 EST] 1d01b21e TraceNLS u No message text associated with key SpnegoTAI.exits.due.to.an.exception. in bundle com.ibm.ejs.resources.security [11/11/03 1:42:29:876 EST] 1d01b21e SpnegoTAI E SpnegoTAI exits due to an exception.
add the IP address of the server in its host file. You must also recycle the application server to load the new host file.
[11/11/03 1:44:09:499 EST] 1d01b21e GetKrbToken > Negotiation (GSS): Begin handshake [11/11/03 1:44:09:499 EST] 1d01b21e Context > GSS Context init, servername:HTTP@backendrc4.ibm.net [11/11/03 1:44:09:499 EST] 1d01b21e Context > GSS Context init, done. [11/11/03 1:44:09:679 EST] 1d01b21e SpnegoTAI > Server response token as follows... 0000: 6082014f 06062b06 01050502 a1820143 `?.O..+.....¡?.C 0010: 3082013f a0030a01 01a10b06 092a8648 0?.? ....¡...*?H 0020: 82f71201 0202a282 01290482 01256082 ?÷....¢?.).?.%`? 0030: 01210609 2a864886 f7120102 0203007e .!..*?H?÷......~ 0040: 82011030 82010ca0 03020105 a1030201 ?..0?.. ....¡... 0050: 1ea41118 0f323030 33313131 31303634 .¤...20031111064 0060: 3430395a a5050203 0a3548a6 03020125 409Z¥....5H¦...% 0070: a90b1b09 4a57434d 442e434f 4daa2630 ©.....IBM.NETª&0 0080: 24a00302 0100a11d 301b1b04 48545450 $ ....¡.0...HTTP 0090: 1b136a6f 686e7761 6e67352e 6a77636d ..backendrc4.ibm 00a0: 642e636f 6dab81ab 1b81a86f 72672e69 .net.«?«.?¨org.i 00b0: 6574662e 6a677373 2e475353 45786365 etf.jgss.GSSExce 00c0: 7074696f 6e2c206d 616a6f72 20636f64 ption, major cod 00d0: 653a2031 302c206d 696e6f72 20636f64 e: 10, minor cod 00e0: 653a2033 370a096d 616a6f72 20737472 e: 37..major str 00f0: 696e673a 20446566 65637469 76652074 ing: Defective t 0100: 6f6b656e 0a096d69 6e6f7220 73747269 oken..minor stri 0110: 6e673a20 436c6965 6e742074 696d6520 ng: Client time 0120: 54756573 6461792c 204e6f76 656d6265 Tuesday, Novembe 0130: 72203131 2c203230 30332061 7420313a r 11, 2003 at 1: 0140: 33353a30 3120414d 20746f6f 20736b65 35:01 AM too ske 0150: 776564 wed
You can fix this issue in one of two ways. The preferred method is to synchronize the WebSphere system time to within 5 minutes of the time of the AD server. A best practice is to use a time server to keep all of the systems synchronized. Alternatively, you can also add or adjust the clockskew parameter in the Kerberos configuration file. Note that the default is 300 seconds (5 minutes).
[4/8/05 22:51:24:542 EDT] 5003e481 SystemOut O [JGSS_DBG_PROV] Provider IBMJGSSProvider version 1.01 does not support mech 1.3.6.1.5.5.2 [4/8/05 22:51:24:582 EDT] 5003e481 ServerCredent E com.ibm.issw.spnegoTAI.ServerCredential initialize() SPNEGO014: Kerberos initialization Failure: org.ietf.jgss.GSSException, major code: 2, minor code: 0 major string: Unsupported mechanism minor string: No factory available to create name for mechanism 1.3.6.1.5.5.2 at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30) at com.ibm.security.jgss.GSSManagerImpl.a(GSSManagerImpl.java:36) at com.ibm.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:217) at com.ibm.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:264) . .
security.provider.6=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
Error authenticating request. Reporting to client Major code = 11, Minor code = 31 org.ietf.jgss.GSSException, major code: 11, minor code: 31 major string: General failure, unspecified at GSSAPI level minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31 message: Integrity check on decrypted field failed
If the problem is with the keytab file, then fix it. If the problem is with multiple SPN definitions, remove the extra or conflicting SPN, confirm that the SPN is no longer registered with AD, and then add the SPN again. Read about Creating a Kerberos service principal name and keytab file for more information. The Active Directory might need to be searched for other entries with SPNs defined that clash with the SPN using an LDAP browser.
setspn –l useridshould return with:
Cannot find account userid
If the userid and keytab are for DES-CBC-MD5, after you create the userid, change the password for the userid and then create the keytab file. If you are using Windows Server 2003 upgrade to the latest version of ktpass.
Client sent back a non-SPNEGO authentication header, SpnegoTAI exits
setspn –a HTTP/server.realm.com userid
If the SPN is defined incorrectly as HTTP/server.realm.com@REALM.COM with the addition of @REALM.COM, then delete the user, redefine it, and then redefine the SPN.
com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0 message: Checksum error; received checksum does not match computed checksum
0000: 01 00 6e 82 04 7f 30 82 04 7b a0 03 02 01 05 a1 ..n...0......... 0010: 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 03 ................ 0020: a5 61 82 03 a1 30 82 03 9d a0 03 02 01 05 a1 0a .a...0.......... 0030: 1b 08 45 50 46 44 2e 4e 45 54 a2 18 30 16 a0 03 ...REALM.COM.0.. 0040: 02 01 01 a1 0f 30 0d 1b 0b 65 70 66 64 77 61 73 .....0...userid 0050: 75 6e 69 74 a3 82 03 6e 30 82 03 6a a0 03 02 01 .a.f...n0..j....
0000: 01 00 6e 82 04 56 30 82 04 52 a0 03 02 01 05 a1 ..n..V0..R...... 0010: 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 03 ................ 0020: 82 61 82 03 7e 30 82 03 7a a0 03 02 01 05 a1 0a .a...0..z....... 0030: 1b 08 45 50 46 44 2e 4e 45 54 a2 2a 30 28 a0 03 ..REALM.COM.0... 0040: 02 01 02 a1 21 30 1f 1b 04 48 54 54 50 1b 17 75 .....0...HTTP..u 0050: 73 31 30 6b 65 70 66 77 61 73 73 30 31 2e 65 70 serid.realm.com. 0060: 66 64 2e 6e 65 74 a3 82 03 39 30 82 03 35 a0 03 ...n.....90..5..
To correct the problem, either use single DES encryption or use a Windows Server 2003 for a KDC. Remember to regenerate the SPN and the keytab file.
[JGSS_DBG_CTX] Successfully decrypted ticket [JGSS_DBG_CTX] Put authz info in cache [JGSS_DBG_CTX] Session key type = rc4-hmac … [JGSS_DBG_CTX] Successfully decrypted authenticator [JGSS_DBG_CTX] Error authenticating request. Reporting to client … Major code = 11, Minor code = 0 org.ietf.jgss.GSSException, major code: 11, minor code: 0 major string: General failure, unspecified at GSSAPI level minor string: Kerberos error converting KRBCred: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0 message: Checksum error; received checksum does not match computed checksum
This indicates that the delegated credential contained in the SPNEGO token was not encrypted with the proper key.
Obtain APAR IY76826. This replaces ibmjgssprovider.jar with a version that can accept the Microsoft defined RC4 encrypted delegated credential.
Use a non-null password for the service account, and then use that password when invoking ktpass.
Use the Support Tools SP2 version of ktpass to generate the keytab file.
com.ibm.security.krb5.KrbException, status code: 101 message: Invalid option in ticket request
the Kerberos configuration file is not properly configured. Ensure that neither renewable nor proxiable are set to true.
Bad Request Your browser sent a request that this server could not understand. Size of request header field exceeds server limit. Authorization: Negotiate YII……
This message is generated by the Apache/IBM HTTP Server, and indicates that the authorization header that your browser has returned is too large. The long string that follows the word Negotiate is the SPNEGO token. This SPNEGO token is a wrapper of the Windows Kerberos token. Windows includes the PAC information of the user in the Kerberos token. The more security groups that the user belongs to, the more PAC information is inserted in the Kerberos token, and the larger SPNEGO becomes. IBM® HTTP Server 2.0 (as well as Apache 2.0 and IBM HTTP Server 6.0) limit the size of any acceptable HTTP header to be 8K. In Windows domains with many groups, and with user membership in many groups, the size of the user's SPNEGO token can exceed the 8K limit.
If possible, reduce the number of security groups that the user is a member of. IBM HTTP Server 2.0.47 cumulative fix PK01070 allows for HTTP header sizes up to and beyond the Microsoft limit of 12K.
After applying the fix you must specify the LimitRequestFieldSize parameter in the httpd.conf file to increase the size of allowable headers from the default of 8192.
While most of the JGSS tracing is controlled by the com.ibm.security.jgss.debug property, a small set of messages are controlled by the com.ibm.security.krb5.Krb5Debug property. The default value of the krb5 property is to emit some messages to SystemOut.log.
To remove all KRB_DBG_KDC messages from the SystemOut.log, set the JVM property to -Dcom.ibm.security.krb5.Krb5Debug=none.
DsCrackNames returned 0x2 in the name entry for server3 Failed getting target domain for specified user.
In an Active Directory forest, the userid lookup used by the ktpass.exe does not have a default domain name to be used. This does not occur when the domain controller is not in a forest.
To fix this problem, instead of specifying option -mapUser userid, use -mapUser userid@domain instead. For example, specify –mapUser server3@WIBM.NET.
> com.ibm.issw.spnegoTAI.Context getDelegateCred() Entry d com.ibm.issw.spnegoTAI.Context getDelegateCred() unable to get Delegate Credential < com.ibm.issw.spnegoTAI.Context getDelegateCred() Exit W com.ibm.issw.spnegoTAI.SpnegoHandler handleRequest() SPNEGO021: No delegated credentials were found for user: nauser@NA.IBM.NET
the domain account on which the SPN is attached does not have the “Account is trusted for Delegation” property defined.
To address this issue, ensure that the domain account does define the “Account is trusted for Delegation” property.
< com.ibm.issw.spnegoTAI.SpnegoTAI getAuthenticatedUsername(): lansche Exit d com.ibm.issw.spnegoTAI.SpnegoTAI negotiateValidateandEstablishTrust(): Handshake finished, sending 200 :SC_OK < com.ibm.issw.spnegoTAI.SpnegoTAI negotiateAndValidateEstablishedTrust Exit A SECJ0222E: An unexpected exception occurred when trying to create a LoginContext. The LoginModule alias is system.WEB_INBOUND and the exception is...
To fix this problem, ensure that the user that is being asserted to WebSphere Application Server by the TAI is the configured WebSphere registry.
If a user using the Novell client cannot authenticate using SPNEGO they might receive a “An NTLM token is received.” message.
The user might have logged into the Novell Client but did not perform a Windows Kerberos login (this can be confirmed using the Kerbtray utility). If a user has logged onto the Windows domain and has a Kerberos ticket, the user cannot utilize SPNEGO authentication.
To fix this problem, remove the Novell client and use the default Windows domain login.
If you access SPNEGO sites via some caching proxy servers you might not be able to authenticate using SPNEGO. The message “SPNEGO authentication not supported on this client” might be displayed.
It is possible that the caching proxy is changing the hostname that returns on the HTTP 401 Authenticate Negotiate response.
If you have this issue, contact your proxy vendor for a possible solution.
You might experience problems with VPN software and firewalls that might interfere with SPNEGO operations.
To resolve these issues, contact your VPN and or firewall vendors for any configuration changes that might be necessary.
There might be a browser issue if you log onto a domain machine using one password (for example, passwordA) and then log onto a second domain machine by changing your original password (for example, you might change your password on the second domain machine to passwordB).
Once you return to the original domain machine, you might not be able to obtain either a SPNEGO/Kerberos or an NTLM response to the Negotiate challenge. After two attempts, the browser displays an HTTP 404 error message.
To resolve this issue, log off the original domain machine and log back on with the new password (passwordB).
When WebSphere Application Server is configured with SPNEGO and fallback is enabled for a request, Internet Explorer 6.0 might fail to login to the form login pages.
Could not load the SPNEGO not supported content, going with the default content. Exception received: java.net.ProtocolException: Server redirected too many times (20)
This issue occurs when the loaded file performs an automatic redirect. It is not possible to both load the file from a web server and also use an automatic redirection
To resolve this issue, load the content from a file:/// URL, not an http:// URL.
com.ibm.ws.security.spnego.SpnegoHandler isAuthHeaderNotSPNEGO ENTRY Negotiate
com.ibm.ws.security.spnego.SpnegoHandler isAuthHeaderNotSPNEGO Client sent back a non-SPNEGO authentication header
When a Microsoft Internet Security Acceleration Server (ISA) exists between a client browser and WebSphere Application Server, ISA might intercept the SPNEGO authentication header from the client browser request. ISA converts the SPNEGO object identifier (OID) to a Kerberos OID. The authentication attempt with WebSphere Application Server fails because the SPNEGO OID has been converted and is now missing.
For information about how to fix this issue, see the "Users cannot access a web site that is published in ISA Server 2006 if the web site accepts only the SPNEGO authentication package" topic on the Microsoft Corporation Support site.
Client sent back a non-SPNEGO authentication header....
It is recommended that you change your encryption type to RC4-HMAC or to AES. If you still choose to use the DES encryption type, however, you must refer to the Windows 7 documentation for help on how to enable the DES encryption type.
The following is an example of how to change your encryption type from DES to RC4:
default_tkt_enctypes = rc4-hmac des-cbc-md5 default_tgs_enctypes = rc4-hmac des-cbc-md5