Kerberos SSO : high level flow and ldap access

StackOverflow https://stackoverflow.com/questions/17710177

Question

Having a few problems grasping the entire flow. I'm trying to accomplish the all mighty kerberos SSO integration, where auth user information is picked directly from windows.

I'm using:

  • Spnego filter in tomcat 7 in order to obtain the username from IWA
  • java 1.6
  • windows server 2003 on the backend / windows XP as client machine for tests

My understanding of the entire flow, is, on a high level like this :

  • I can use spnego to get the user name via that tomcat filter(this part is already working)
  • I make a separate call via LDAP (on which I authenticate with Kerberos), to retrieve whatever information I need about the logged in user (such as groups it belongs to, etc)

I am trying to use apacheds 2 for searching the LDAP part.

Question (1): is my understanding correct ? Is this usually done in a different way? (Maybe using spnego to directly get all the info I need?)

Now, I'm trying to login in the backend, to LDAP, via kerberos, using apacheds, in order to retrieve the user info, like this :

    System.setProperty("sun.security.krb5.debug", "true");

    LdapConnectionConfig config = new LdapConnectionConfig();
    config.setLdapHost("example.com");
    config.setLdapPort(389);
    config.setName("a_valid_username");
    config.setCredentials("the_correct_password");

    LdapNetworkConnection ldapNetworkConnection = new LdapNetworkConnection(config);
    SaslGssApiRequest saslGssApiRequest = new SaslGssApiRequest();
    saslGssApiRequest.setRealmName("EXAMPLE.COM");
    saslGssApiRequest.setKdcHost("example.com");

    System.setProperty("java.security.auth.login.config", "C:\\workspace\\kerberos_stuff\\login.conf");
    saslGssApiRequest.setLoginModuleConfiguration( Configuration.getConfiguration() );
    saslGssApiRequest.setLoginContextName("spnego-client");

    saslGssApiRequest.setKrb5ConfFilePath("C:\\workspace\\kerberos_stuff\\krb5.ini");
    saslGssApiRequest.setMutualAuthentication(false);
    saslGssApiRequest.setUsername("a_valid_username");
    saslGssApiRequest.setCredentials("the_correct_password");

    ldapNetworkConnection.connect();
    ldapNetworkConnection.bind(saslGssApiRequest);

I get this error :

KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more
org.apache.directory.api.ldap.model.exception.LdapException:   java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1537)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1429)
<edited out>
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.security.PrivilegedActionException: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1527)
... 8 more
Caused by: org.apache.directory.api.ldap.model.exception.LdapException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3902)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.access$200(LdapNetworkConnection.java:178)
at org.apache.directory.ldap.client.api.LdapNetworkConnection$2.run(LdapNetworkConnection.java:1531)
... 11 more
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindSasl(LdapNetworkConnection.java:3812)
... 13 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 14 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:557)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 17 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 22 more

My questions are :

Q2: I would think that ldap+kerberos is a pretty used combination; I would also think that apacheds is a commonly used library for this purpose (if not, what do you people use?). However, try as I might, I don't really find any example code for Kerberos through apacheds, to access ldap. I find tons of information about ldap clients via apacheds, but not with kerberos authentication. This usually indicates that I'm doing something wrong, or I grasped the wrong end of the stick on this one (walking in the wrong direction). Any idea here ?

Q3: SaslGssApiRequest seems like the exact way in which LdapNetworkConnection is meant to be used in order to access ldap through kerberos (in terms of apacheds I mean). However, a quick search on google only for this class's name shows zero useful information (such as documentation on how it's meant to be used). Is there another, simpler way to accomplish my target, by using apacheds (clientside I mean) but without SaslGssApiRequest ?

Q4: Why my above code isn't working? Please note that if I change either user or pass to something invalid (I'm currently using my regular XP user user/pass to login to ldap), I get exactly the same error. Is there a need to specify somewhere the ldap's service principal name (even though I already specified host/port) ? If so, where ?

P.S. My login.conf and krb5.ini files are exactly the same that I use in the already working spnego example, so they should be correct.

Was it helpful?

Solution

If anyone's interested, I found the problem.

It seems that apacheds, when using SaslGssApiRequest, it builds the service's principal name out of the hostname placed in config.setLdapHost("example.com");

Although in my setup, ldap.example.com and example.com point to the same machine, my LDAP service principal name was LDAP/ldap.example.com, but apacheds would attempt to find LDAP/example.com .

Changing

config.setLdapHost("example.com");

to

config.setLdapHost("ldap.example.com");

solved my problem.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top