Tags: single-sign-on, kerberos, weblogic12c, spnego

SSO Authentication using Weblogic12 + SPNEGO + Kerberos + LDAP


I have an EE application that I am working on and I am trying to implement SSO with the windows network using SPNEGO provider connected to the Windows Active Directory through a Multitenancy WebLogic Server (12.2.1.2). The SPNEGO provider is configured and appears to be working correctly with the Active Directory. I have created a small application that consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds.

The problem that I am having is that looking at the log files from the server the authentication is succeeding but the server is not sending me forward once I have been authenticated through SPNEGO. I can see where the SPNEGO token is being passed and used to authenticate my identity and even all of the groups that I am a member of from the Active Directory.

Here is the Web.xml for the test application

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
</context-param>
<servlet>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<security-role>
    <description>Admin Role</description>
    <role-name>DEV_ADMIN</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>secured pages</web-resource-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>/</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>DEV_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
<session-config>
    <session-timeout>
        30
    </session-timeout>
</session-config>
<welcome-file-list>
     <welcome-file>/AuthSimpleTestServlet</welcome-file>
</welcome-file-list>

The weblogic.xml

<security-role-assignment>
    <role-name>DEV_ADMIN</role-name>
    <principal-name>@APP_DEV_ADMIN</principal-name>
    <principal-name>APP_DEV_ADMIN</principal-name>
</security-role-assignment>

I can see where it looks like the Principals are being added to the Subject. Not a JS Snippet used for formatting purposes.

<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <login succeeded for username DCConway> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login delegated, returning true> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Commit> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Principals Added> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit delegated, returning true> 
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in> 
<Aug 6, 2018, 1:48:15,492 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
	Principal: DCConway
	Principal: @APP_DEV_ADMIN
	Principal: APP_DEV_ADMIN

Even though it looks like everything is working correctly, I am receiving a 403 Forbidden error when trying to access the servlet.

The request header appears to have the correct token.

I'm hoping that someone can help me to determine what the problem is and how to solve it.

Below are some copied sections of the log files for review; it is a large amount of log information. The names of servers, etc. have been altered.

<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.assertIdentity using common security> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.WLSIdentityAssertionServiceWrapper.assertIdentity> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(Authorization)> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(Authorization)> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException> 
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <WebAppIdentityAssertion> <BEA-000000> <Permission check failed for weblogic.servlet.internal.ServletRequestImpl@11524151[
GET /STIP_Ken/SPNEGO_TEST HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
DNT: 1
Connection: Keep-Alive
Authorization: *
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0

]> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <CERT auth type found for webapp> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <All request headers:> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept : text/html, application/xhtml+xml, image/jxr, */*> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Referer : http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept-Language : en-US> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: User-Agent : Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Accept-Encoding : gzip, deflate, peerdist> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Host : os-serv-li-env800.os.comapny.com:7027> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: DNT : 1> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Connection : Keep-Alive> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Cookie : JSESSIONID=bVMQKy4C_QQlGvaTKZUwkiEsW2tVrTRkQ_A4yU_vGb22z85hWfEV!1153673829; ADMINCONSOLESESSION=F2UQTg7hP-Xz-h9kpjTkEPLp4hdHnKSKLqnupTfTl4HxVZ9eEIAi!-803667715> 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: Authorization : Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvS... 
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: X-P2P-PeerDist : Version=1.1> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <  Header: X-P2P-PeerDistEx : MinContentInformation=1.0, MaxContentInformation=2.0> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <    processing header: Negotiate ...> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid     0: 0606 2b06 0105 0502                       ..+.....        
> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO in oid     0: 0606 2b06 0105 0502                       ..+.....        
> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Neg token found> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of neg token 2808> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: sequence found> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of sequence token 2804> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: choice is 160> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type 48> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type seq 46> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: mech type offset 24> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <mech type token 
   16:                     0609 2a86 4882 f712           ..*.H...
   more lines...

<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.30> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token len 2750> 
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token 
    0: 6082 0ab6 0609 2a86 4886 f712 0102 0201   `.....*.H.......
   16: 006e 820a a530 820a a1a0 0302 0105 a103   .n...0..........
   more lines..
   
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Found Negotiate with SPNEGO token> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: new session, no negotiation has started> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)> 
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)> 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
	 suSec is 67734
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/ [email protected]
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ [email protected]
Will use keytab
Commit Succeeded 

Found KeyTab cglims_mt_dev.keytab for HTTP/ [email protected]
Found ticket for HTTP/ [email protected] to go to krbtgt/ [email protected] expiring on Mon Aug 06 23:48:15 EDT 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1533577695/003265/F340CA7D6DD3AB5499310326FEBE8EA9/[email protected] to [email protected]|HTTP/ [email protected]
MemoryCache: Existing AuthList:
#1: 1533574589/003195/3E34B0B548DBF2570B1E8140F1C0CBCD/[email protected]

>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1542758160
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 241351631
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <gssContext isEstablished true> 
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Out token 

.................

<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <GSS name is [email protected]> 
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway> 
>>> Constrained deleg from GSSCaller{UNKNOWN}
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)> 
Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
	 suSec is 67734
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/ [email protected]
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ [email protected]
Will use keytab
Commit Succeeded 

Found ticket for HTTP/ [email protected] to go to krbtgt/ [email protected] expiring on Mon Aug 06 23:48:15 EDT 2018
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...> 
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Username was found, setting up callbackhandler> 

...........

<Aug 6, 2018, 1:48:15,503 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user DCConway, Identity=Subject: 46

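The Kerberos and SecurityAtn debug output above is easier to judge when it is triaged line by line rather than by its last message. As an added example, not part of the original question, here is a small standard-library Python script over a constructed excerpt of that log (principal and realm are placeholders) that records which encryption types the keytab holds, which ones the JDK rejected, which KDC error codes appeared, and whether delegation was switched on:

```python
# Added example, not part of the original post: triage of the JDK Kerberos and
# WebLogic SecurityAtn debug output quoted in the question (standard library only).
import re

# IANA Kerberos encryption type numbers; 1, 3 (single DES) and 23 (RC4) are legacy.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
LEGACY_ETYPES = {1, 3, 23}

# Constructed excerpt modelled on the question's log (principal and realm are placeholders).
SAMPLE_LOG = """Looking for keys for: HTTP/host.example@REALM
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/host.example@REALM
Found unsupported keytype (1) for HTTP/host.example@REALM
     error code is 25
     error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> KrbApReq: authenticate succeed.
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway>
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...>
"""

ADDED_KEY = re.compile(r"^Added key: (\d+)version: (\d+)")
UNSUPPORTED = re.compile(r"^Found unsupported keytype \((\d+)\)")
KDC_ERROR = re.compile(r"error code is (\d+)")
USER = re.compile(r"<User name is ([^>]+)>")


def triage_krb_log(text):
    """Summarise keytab contents, KDC error codes and the outcome of one SPNEGO accept."""
    r = {"keytab_etypes": {}, "rejected_etypes": [], "kdc_errors": [],
         "user": None, "authenticated": False, "delegation": False, "warnings": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ADDED_KEY.match(line):
            r["keytab_etypes"][int(m.group(1))] = int(m.group(2))   # etype -> kvno
        elif m := UNSUPPORTED.match(line):
            r["rejected_etypes"].append(int(m.group(1)))           # present in keytab, refused by JDK
        elif m := KDC_ERROR.search(line):
            r["kdc_errors"].append(int(m.group(1)))
        elif m := USER.search(line):
            r["user"] = m.group(1)
        elif "KrbApReq: authenticate succeed" in line:
            r["authenticated"] = True
        elif "delegate state is true" in line:
            r["delegation"] = True
    # Error 25 (KDC_ERR_PREAUTH_REQUIRED) is the KDC's normal first-round answer;
    # the JDK resends the AS-REQ with PA-ENC-TIMESTAMP, so it is not a failure.
    real = [e for e in r["kdc_errors"] if e != 25]
    if real:
        r["warnings"].append("unexpected KDC error codes: %s" % real)
    weak = sorted((set(r["keytab_etypes"]) | set(r["rejected_etypes"])) & LEGACY_ETYPES)
    if weak:
        r["warnings"].append("keytab holds legacy etypes: " + ", ".join(ETYPE_NAMES[e] for e in weak))
    if r["delegation"]:
        r["warnings"].append("delegated credentials acquired for %s; confirm this is intended" % r["user"])
    return r
```

On the question's own log the same checks report AES keys in use, DES and RC4 entries still present in the keytab, a benign error 25, a successful AP-REQ for DCConway, and delegation enabled, which is consistent with the 403 being an authorization rather than an authentication problem.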

Solution

  • Try to remove this tag from your web.xml file: <url-pattern>/</url-pattern>. 403 errors may occur when security constraints are not well configured.
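Added example, not part of the answer above: a short standard-library Python check of the question's web.xml for the points a reviewer would raise (the duplicated url-pattern the answer points at, the explicit http-method list, the transport guarantee, and the CLIENT-CERT auth-method that WebLogic's SPNEGO identity assertion relies on), run against a constructed copy of the descriptor and a hardened variant. The element names are the standard web.xml ones; the wrapping <web-app> root without a namespace is an assumption for the sample.

```python
# Added example, not part of the original post: a standard-library audit of the
# security-relevant parts of the web.xml shown in the question.
import xml.etree.ElementTree as ET

# Constructed sample condensed from the question's web.xml (no XML namespace).
WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>AuthSimpleTestServlet</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>DEV_ADMIN</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method><realm-name>myrealm</realm-name></login-config>
</web-app>"""

# The same descriptor with the findings below addressed.
HARDENED_XML = """<web-app>
  <servlet-mapping><servlet-name>AuthSimpleTestServlet</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>DEV_ADMIN</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method><realm-name>myrealm</realm-name></login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of findings for the security constraints and login config of a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        # "/*" already matches every path; an extra exact "/" adds nothing but ambiguity.
        if "/*" in patterns and "/" in patterns:
            findings.append('redundant url-pattern "/" next to "/*"')
        methods = [m.text.strip() for m in sc.findall("web-resource-collection/http-method")]
        # Naming http-method limits the constraint to those verbs; HEAD, OPTIONS, etc.
        # then fall outside it and are served without the role check.
        if methods:
            findings.append("only %s are constrained; other HTTP methods are unprotected" % "/".join(methods))
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        # The Negotiate header carries the Kerberos AP-REQ and the session cookie follows it;
        # without CONFIDENTIAL both cross the network in clear text.
        if guarantee != "CONFIDENTIAL":
            findings.append("transport-guarantee %s: SPNEGO token and session cookie sent in clear" % guarantee)
    auth_method = root.findtext("login-config/auth-method", "").strip()
    # WebLogic's Negotiate identity asserter is driven from a CLIENT-CERT login-config
    # (the question's log confirms it with "CERT auth type found for webapp").
    if auth_method != "CLIENT-CERT":
        findings.append("auth-method %r: SPNEGO identity assertion expects CLIENT-CERT" % auth_method)
    return findings
```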