
I'm moving an application from WebLogic to JBoss EAP 6.4 and I almost have it working. The issue is that I can only get Kerberos authentication to work if I play with the isInitiator property in my standalone-full-ha.xml for the spnego-server.

If I set isInitiator=true, then I get the error on app-start "Pre-authentication information was invalid".

If I set isInitiator=false, then I get "NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported" when I go to the page.

However, if I then go back to isInitiator=true after it had failed with false, it works for a day.

It goes back to "Pre-authentication information was invalid" the next day. I have to attempt to connect with isInitiator=false again to get it to work again.

My standalone-full-ha.xml looks like this:

 <!-- JVM system properties for the Kerberos/SPNEGO setup; the login.conf and krb5.conf they point at live next to the keytab under /app/jb-8443. -->
 <system-properties>
        <property name="java.net.preferIPv4Stack" value="true"/>
        <!-- Blanks the HTTP Server response header (presumably so the container version is not advertised). -->
        <property name="org.apache.coyote.http11.Http11Protocol.SERVER" value=""/>
        <!-- JAAS login configuration read by the JDK itself (the login.conf quoted below); separate from the security-domains in this file. -->
        <property name="java.security.auth.login.config" value="/app/jb-8443/login.conf"/>
        <property name="java.security.krb5.conf" value="/app/jb-8443/krb5.conf"/>
        <!-- Kerberos library tracing; verbose (KDC exchanges, key types) and not meant to stay on in production logs. -->
        <property name="sun.security.krb5.conf" value="/app/jb-8443/krb5.conf"/>
        <property name="sun.security.krb5.debug" value="true"/>
        <!-- NOTE(review): believed to stop EAP injecting the security-domain name as an extra login-module option - confirm against the EAP 6.4 docs. -->
        <property name="jboss.security.disable.secdomain.option" value="true"/>
        <!-- Lets JGSS acquire credentials on its own through the com.sun.security.jgss.krb5.initiate/accept JAAS entries instead of only the caller's Subject; presumably why adding those two entries changed behaviour. -->
        <property name="javax.security.auth.useSubjectCredsOnly" value="false"/>
    </system-properties>
...
 <!-- Client-side domain carried over from WebLogic. No module-options, so Krb5LoginModule runs with its defaults; nothing here points at the keytab. -->
 <security-domain name="spnego-client" cache-type="default">
                    <authentication>
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required"/>
                    </authentication>
                </security-domain>
                <!-- Server-side (acceptor) domain carried over from WebLogic; this is the isInitiator value the question flips. -->
                <security-domain name="spnego-server" cache-type="default">
                    <authentication>
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <!-- Keep the service keys in the Subject so the acceptor can decrypt incoming tickets. -->
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <!-- NOTE(review): true makes the module obtain a TGT for the principal at login, i.e. a KDC pre-authentication exchange at startup; false keeps it to keytab keys only, which is the documented setting for a pure acceptor. The startup error "Pre-authentication information was invalid" is presumably the KDC rejecting that exchange, so check that the keytab still matches the account (kvno/password) before tuning EAP. -->
                            <module-option name="isInitiator" value="true"/>
                            <module-option name="keyTab" value="/app/jb-8443/krb5.keytab"/>
                            <!-- Prints module diagnostics (principal, keytab and key details) to stdout; switch off once the problem is resolved. -->
                            <module-option name="debug" value="true"/>
                            <!-- NOTE(review): SPNEGO clients request a ticket for the HTTP/host@REALM service name; confirm the keytab for this account also carries that service principal. -->
                            <module-option name="principal" value="JOBSERVICE@FOREST.COMPANY.COM"/>
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <!-- Initiator-side domain added during the migration. Same options as spnego-server, and the name matches the JAAS entry of the same name in login.conf, so the initiator is defined twice. NOTE(review): presumably only one of the two is consulted - keep them in sync or drop one. -->
                <security-domain name="com.sun.security.jgss.krb5.initiate" cache-type="default">
                    <authentication>
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <!-- true is the documented value for an initiator (a TGT is requested at login). -->
                            <module-option name="isInitiator" value="true"/>
                            <module-option name="keyTab" value="/app/jb-8443/krb5.keytab"/>
                            <!-- Verbose module diagnostics; not for production logs. -->
                            <module-option name="debug" value="true"/>
                            <module-option name="principal" value="JOBSERVICE@FOREST.COMPANY.COM"/>
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>
                <!-- Acceptor-side domain added during the migration; the name matches the JAAS entry of the same name in login.conf. -->
                <security-domain name="com.sun.security.jgss.krb5.accept" cache-type="default">
                    <authentication>
                        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                            <module-option name="storeKey" value="true"/>
                            <module-option name="useKeyTab" value="true"/>
                            <module-option name="useTicketCache" value="false"/>
                            <!-- NOTE(review): true here, but the login.conf entry of the same name sets isInitiator=false (the documented acceptor value). One of the two copies is stale - confirm which one is actually read. -->
                            <module-option name="isInitiator" value="true"/>
                            <!-- NOTE(review): this path (/app/pyks0app/jb-8443) differs from every other keytab path in this configuration (/app/jb-8443); verify it exists on this host or align it. -->
                            <module-option name="keyTab" value="/app/pyks0app/jb-8443/krb5.keytab"/>
                            <!-- Verbose module diagnostics; not for production logs. -->
                            <module-option name="debug" value="true"/>
                            <module-option name="principal" value="JOBSERVICE@FOREST.COMPANY.COM"/>
                            <module-option name="doNotPrompt" value="true"/>
                        </login-module>
                    </authentication>
                </security-domain>

The login.conf has:

// Initiator-side entry consulted by JGSS when javax.security.auth.useSubjectCredsOnly=false
// (set in standalone-full-ha.xml). isInitiator is not given, so the module default (true) applies
// and a TGT for the principal is requested at login.
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="JOBSERVICE@FOREST.COMPANY.COM"
    useKeyTab=true
    useTicketCache=false
    // verbose module diagnostics; disable once the setup is stable
    debug=true
    keyTab="/app/jb-8443/krb5.keytab"
    storeKey=true;
};

// Acceptor-side entry consulted by JGSS (see useSubjectCredsOnly=false). isInitiator=false is the
// documented acceptor setting: keys come from the keytab only and no TGT is requested.
// NOTE(review): the security-domain of the same name in standalone-full-ha.xml has isInitiator=true
// and a different keytab path - confirm which copy is actually consulted.
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="JOBSERVICE@FOREST.COMPANY.COM"
    useKeyTab=true
    keyTab="/app/jb-8443/krb5.keytab"
    storeKey=true
    useTicketCache=false
    isInitiator=false
    // re-reads krb5.conf before each login
    refreshKrb5Config=true
    // NOTE(review): not among the documented Krb5LoginModule options - presumably ignored; confirm
    moduleBanner=true
    // keeps the password in the Subject's private credentials; unnecessary with a keytab and it
    // widens what a Subject dump exposes - consider dropping
    storePass=true;
};
// Client entry carried over from WebLogic; no options, so Krb5LoginModule runs with its defaults
// (ticket cache and prompting behaviour as documented for the module).
spnego-client {
 com.sun.security.auth.module.Krb5LoginModule required;
};
// Server entry carried over from WebLogic, mirroring the spnego-server security-domain in
// standalone-full-ha.xml. isInitiator is not given, so the module default (true) applies here too.
spnego-server {
 com.sun.security.auth.module.Krb5LoginModule required
 storeKey=true
 useKeyTab=true
 useTicketCache=false
 keyTab="/app/jb-8443/krb5.keytab"
 // verbose module diagnostics; disable once the setup is stable
 debug=true
 principal="JOBSERVICE@FOREST.COMPANY.COM"
 doNotPrompt=true;
};

The WebLogic deployment only had the spnego-client and spnego-server parts. I added the com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept parts, and after I added them I could connect using the isInitiator flip trick.

Is there a way around this? For example, skipping pre-authentication if it hasn't connected today? If something is cached for only 24h, can it be kept alive longer?

Are those initiate and accept parts needed on top of the spnego-server?
