Hello,

I want to configure SSO using SPNEGO on an eXo portal. The problem is that I get an infinite redirect once everything is configured.

Here is my environment:
- Windows 2008 R2 with Active Directory
- Debian: eXo Platform 3.5.4 on JBoss EAP 5.1

Domain: TESTMITECH.LAN

For Kerberos encryption, I enabled RC4_HMAC in the Local Security Setting, then ran gpupdate /force.

Next, I added a user "exosso". I did not tick anything except: Password never expires.

I then modified its Delegation to select:
- "Trust this user for delegation to any service (Kerberos)".
I then modified the userPrincipalName attribute to set:
- "HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN"

I then generate the keytab in RC4-HMAC:

Code:
C:\Users\Administrator>ktpass -princ HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN -pass P@ssw0rd -mapuser TESTMITECH\exosso -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out c:\temp\exo.keytab -kvno 0
Targeting domain controller: WIN-VTUT3UQANQM.testmitech.lan
Successfully mapped HTTP/WIN-VTUT3UQANQM.testmitech.lan to exosso.
Password succesfully set!
Key created.
Output keytab to c:\temp\exo.keytab:
Keytab version: 0x502
keysize 85 HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0xe19ccf75ee54e06b06a5907af13cef42)

And I set the SPN for the exosso user:

Code:
C:\Users\Administrator>setspn -A HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN TESTMITECH\exosso
Registering ServicePrincipalNames for CN=exosso,CN=Users,DC=testmitech,DC=lan
        HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN
Updated object

To install eXo on Debian/JBoss, I followed the official documentation: http://docs.exoplatform.com/PLF35/to...Boss_EARS.html

I then connected my eXo to Active Directory (read-only), synchronized the users (using REST) and checked that I could log in with the domain users.

For the SSO part, I also followed the official documentation: http://docs.exoplatform.com/PLF35/in...iguration.html

Here is the result:

Excerpt from login-config.xml:

Code:
<!-- SPNEGO domain -->
<application-policy name="host">
  <authentication>
	<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
	  <module-option name="storeKey">true</module-option>
	  <module-option name="useKeyTab">true</module-option>
	  <module-option name="principal">HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN</module-option>
	  <module-option name="keyTab">/etc/exo.keytab</module-option>
	  <module-option name="doNotPrompt">true</module-option>
	  <module-option name="debug">true</module-option>
	</login-module>
  </authentication>
 </application-policy>

Excerpt from gatein-jboss-beans.xml:

Code:
<application-policy xmlns="urn:jboss:security-beans:1.0" name="gatein-domain">
	<authentication>
	 <login-module
		 code="org.gatein.sso.spnego.SPNEGOLoginModule"
		 flag="requisite">
		 <module-option name="password-stacking">useFirstPass</module-option>
		 <module-option name="serverSecurityDomain">host</module-option>
		 <module-option name="removeRealmFromPrincipal">true</module-option>
		 <module-option name="usernamePasswordDomain">gatein-form-auth-domain</module-option>
	  </login-module>
	  <login-module
		 code="org.gatein.sso.agent.login.SPNEGORolesModule"
		 flag="required">
		<module-option name="password-stacking">useFirstPass</module-option>
		<module-option name="portalContainerName">portal</module-option>
		<module-option name="realmName">gatein-domain</module-option>
	  </login-module>
	</authentication>
</application-policy>

Excerpt from web.xml:

Code:
<filter>
  <filter-name>LoginRedirectFilter</filter-name>
  <filter-class>org.gatein.sso.agent.filter.LoginRedirectFilter</filter-class>
  <init-param>
  <!-- This should point to your SSO authentication server -->
	<param-name>LOGIN_URL</param-name>
	<param-value>/portal/private</param-value>
  </init-param>
</filter>
 
<filter>
 <filter-name>SPNEGOFilter</filter-name>
 <filter-class>org.gatein.sso.agent.filter.SPNEGOFilter</filter-class>
</filter>
 
<filter-mapping>
  <filter-name>LoginRedirectFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
 
<filter-mapping>
  <filter-name>SPNEGOFilter</filter-name>
  <url-pattern>/login</url-pattern>
</filter-mapping>

While I was at it, I checked that I could obtain a ticket on the Debian machine with the following command (a ticket I destroyed afterwards):

Code:
root@VM-test:/etc# kinit -k -t /etc/exo.keytab HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN
root@VM-test:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN

Valid starting     Expires            Service principal
01/25/13 12:09:22  01/25/13 22:09:57  krbtgt/TESTMITECH.LAN@TESTMITECH.LAN
        renew until 01/26/13 12:09:22

I then moved to a computer in my domain. I log in as Administrator and configure my browsers.

In Firefox, for example:

Code:
network.negotiate-auth.allow-proxies = true
network.negotiate-auth.delegation-uris = .testmitech.lan
network.negotiate-auth.gsslib (no-value)
network.negotiate-auth.trusted-uris = .testmitech.lan
network.negotiate-auth.using-native-gsslib = true

Here is what I get in the log when I try to authenticate:

Code:
14:01:24,482 INFO  [ServerImpl] JBoss (Microcontainer) [5.1.0 (build: SVNTag=JBPAPP_5_1_0 date=201009150028)] Started in 3m:58s:464ms
14:02:03,372 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/exo.keytab refreshKrb5Config is false principal is HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
14:02:03,376 INFO  [STDOUT] >>> KeyTabInputStream, readName(): TESTMITECH.LAN
14:02:03,376 INFO  [STDOUT] >>> KeyTabInputStream, readName(): HTTP
14:02:03,376 INFO  [STDOUT] >>> KeyTabInputStream, readName(): WIN-VTUT3UQANQM.testmitech.lan
14:02:03,377 INFO  [STDOUT] >>> KeyTab: load() entry length: 85; type: 23
14:02:03,377 INFO  [STDOUT] Added key: 23version: 0
14:02:03,378 INFO  [STDOUT] Ordering keys wrt default_tkt_enctypes list
14:02:03,379 INFO  [STDOUT] Config name: /etc/krb5.conf
14:02:03,379 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,379 INFO  [STDOUT]  23
14:02:03,379 INFO  [STDOUT] .
14:02:03,380 INFO  [STDOUT] 0: EncryptionKey: keyType=23 kvno=0 keyValue (hex dump)=
0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,380 INFO  [STDOUT] principal's key obtained from the keytab
14:02:03,380 INFO  [STDOUT] Acquire TGT using AS Exchange
14:02:03,382 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,382 INFO  [STDOUT]  23
14:02:03,382 INFO  [STDOUT] .
14:02:03,382 INFO  [STDOUT] >>> KrbAsReq calling createMessage
14:02:03,382 INFO  [STDOUT] >>> KrbAsReq in createMessage
14:02:03,384 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000, number of retries =3, #bytes=171
14:02:03,386 INFO  [STDOUT] >>> KDCCommunication: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000,Attempt =1, #bytes=171
14:02:03,387 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=185
14:02:03,387 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=185
14:02:03,388 INFO  [STDOUT] >>> KdcAccessibility: remove WIN-VTUT3UQANQM.testmitech.lan
14:02:03,388 INFO  [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
14:02:03,389 INFO  [STDOUT] >>>KRBError:
14:02:03,389 INFO  [STDOUT]      sTime is Fri Jan 25 14:00:36 CET 2013 1359118836000
14:02:03,389 INFO  [STDOUT]      suSec is 531830
14:02:03,389 INFO  [STDOUT]      error code is 25
14:02:03,390 INFO  [STDOUT]      error Message is Additional pre-authentication required
14:02:03,390 INFO  [STDOUT]      realm is TESTMITECH.LAN
14:02:03,390 INFO  [STDOUT]      sname is krbtgt/TESTMITECH.LAN
14:02:03,390 INFO  [STDOUT]      eData provided.
14:02:03,390 INFO  [STDOUT]      msgType is 30
14:02:03,390 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,390 INFO  [STDOUT]      PA-DATA type = 11
14:02:03,390 INFO  [STDOUT]      PA-ETYPE-INFO etype = 23
14:02:03,390 INFO  [STDOUT]      PA-ETYPE-INFO salt =
14:02:03,390 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,390 INFO  [STDOUT]      PA-DATA type = 19
14:02:03,391 INFO  [STDOUT]      PA-ETYPE-INFO2 etype = 23
14:02:03,391 INFO  [STDOUT]      PA-ETYPE-INFO2 salt = null
14:02:03,391 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,391 INFO  [STDOUT]      PA-DATA type = 2
14:02:03,391 INFO  [STDOUT]      PA-ENC-TIMESTAMP
14:02:03,391 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,391 INFO  [STDOUT]      PA-DATA type = 16
14:02:03,391 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,391 INFO  [STDOUT]      PA-DATA type = 15
14:02:03,391 INFO  [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
14:02:03,391 INFO  [STDOUT] >>>KrbAsReq salt is TESTMITECH.LANHTTPWIN-VTUT3UQANQM.testmitech.lan
14:02:03,391 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,391 INFO  [STDOUT]  23
14:02:03,392 INFO  [STDOUT] .
14:02:03,392 INFO  [STDOUT] Pre-Authenticaton: find key for etype = 23
14:02:03,392 INFO  [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
14:02:03,393 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,397 INFO  [STDOUT] >>> KrbAsReq calling createMessage
14:02:03,397 INFO  [STDOUT] >>> KrbAsReq in createMessage
14:02:03,397 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000, number of retries =3, #bytes=254
14:02:03,397 INFO  [STDOUT] >>> KDCCommunication: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000,Attempt =1, #bytes=254
14:02:03,398 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=100
14:02:03,398 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=100
14:02:03,398 INFO  [STDOUT] >>> KdcAccessibility: remove WIN-VTUT3UQANQM.testmitech.lan
14:02:03,398 INFO  [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
14:02:03,399 INFO  [STDOUT] >>>KRBError:
14:02:03,399 INFO  [STDOUT]      sTime is Fri Jan 25 14:00:36 CET 2013 1359118836000
14:02:03,399 INFO  [STDOUT]      suSec is 547455
14:02:03,399 INFO  [STDOUT]      error code is 52
14:02:03,399 INFO  [STDOUT]      error Message is Response too big for UDP, retry with TCP
14:02:03,399 INFO  [STDOUT]      realm is TESTMITECH.LAN
14:02:03,399 INFO  [STDOUT]      sname is krbtgt/TESTMITECH.LAN
14:02:03,399 INFO  [STDOUT]      msgType is 30
14:02:03,399 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan TCP:88, timeout=30000, number of retries =3, #bytes=254
14:02:03,401 INFO  [STDOUT] >>>DEBUG: TCPClient reading 1513 bytes
14:02:03,401 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=1513
14:02:03,401 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=1513
14:02:03,401 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,403 INFO  [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply HTTP/WIN-VTUT3UQANQM.testmitech.lan
14:02:03,403 INFO  [STDOUT] principal is HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN
14:02:03,403 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,405 INFO  [STDOUT] Added server's keyKerberos Principal HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LANKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,405 INFO  [STDOUT]             [Krb5LoginModule] added Krb5Principal  HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN to Subject
14:02:03,406 INFO  [STDOUT] Commit Succeeded
14:02:03,419 INFO  [STDOUT]             [Krb5LoginModule]: Entering logout
14:02:03,419 INFO  [STDOUT]             [Krb5LoginModule]: logged out Subject
14:02:03,436 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/exo.keytab refreshKrb5Config is false principal is HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN tryFirstPass is false useFirstPass is false storePass is false clearPass is false
14:02:03,436 INFO  [STDOUT] KeyTab instance already exists
14:02:03,436 INFO  [STDOUT] Added key: 23version: 0
14:02:03,436 INFO  [STDOUT] Ordering keys wrt default_tkt_enctypes list
14:02:03,436 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,436 INFO  [STDOUT]  23
14:02:03,436 INFO  [STDOUT] .
14:02:03,436 INFO  [STDOUT] 0: EncryptionKey: keyType=23 kvno=0 keyValue (hex dump)=
0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,437 INFO  [STDOUT] principal's key obtained from the keytab
14:02:03,437 INFO  [STDOUT] Acquire TGT using AS Exchange
14:02:03,437 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,437 INFO  [STDOUT]  23
14:02:03,437 INFO  [STDOUT] .
14:02:03,437 INFO  [STDOUT] >>> KrbAsReq calling createMessage
14:02:03,437 INFO  [STDOUT] >>> KrbAsReq in createMessage
14:02:03,437 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000, number of retries =3, #bytes=171
14:02:03,437 INFO  [STDOUT] >>> KDCCommunication: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000,Attempt =1, #bytes=171
14:02:03,439 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=185
14:02:03,439 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=185
14:02:03,439 INFO  [STDOUT] >>> KdcAccessibility: remove WIN-VTUT3UQANQM.testmitech.lan
14:02:03,439 INFO  [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
14:02:03,439 INFO  [STDOUT] >>>KRBError:
14:02:03,439 INFO  [STDOUT]      sTime is Fri Jan 25 14:00:36 CET 2013 1359118836000
14:02:03,439 INFO  [STDOUT]      suSec is 594330
14:02:03,440 INFO  [STDOUT]      error code is 25
14:02:03,440 INFO  [STDOUT]      error Message is Additional pre-authentication required
14:02:03,440 INFO  [STDOUT]      realm is TESTMITECH.LAN
14:02:03,440 INFO  [STDOUT]      sname is krbtgt/TESTMITECH.LAN
14:02:03,440 INFO  [STDOUT]      eData provided.
14:02:03,440 INFO  [STDOUT]      msgType is 30
14:02:03,440 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,440 INFO  [STDOUT]      PA-DATA type = 11
14:02:03,440 INFO  [STDOUT]      PA-ETYPE-INFO etype = 23
14:02:03,440 INFO  [STDOUT]      PA-ETYPE-INFO salt =
14:02:03,440 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,440 INFO  [STDOUT]      PA-DATA type = 19
14:02:03,440 INFO  [STDOUT]      PA-ETYPE-INFO2 etype = 23
14:02:03,440 INFO  [STDOUT]      PA-ETYPE-INFO2 salt = null
14:02:03,440 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,440 INFO  [STDOUT]      PA-DATA type = 2
14:02:03,440 INFO  [STDOUT]      PA-ENC-TIMESTAMP
14:02:03,440 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,441 INFO  [STDOUT]      PA-DATA type = 16
14:02:03,441 INFO  [STDOUT] >>>Pre-Authentication Data:
14:02:03,441 INFO  [STDOUT]      PA-DATA type = 15
14:02:03,441 INFO  [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
14:02:03,441 INFO  [STDOUT] >>>KrbAsReq salt is TESTMITECH.LANHTTPWIN-VTUT3UQANQM.testmitech.lan
14:02:03,441 INFO  [STDOUT] default etypes for default_tkt_enctypes:
14:02:03,441 INFO  [STDOUT]  23
14:02:03,441 INFO  [STDOUT] .
14:02:03,441 INFO  [STDOUT] Pre-Authenticaton: find key for etype = 23
14:02:03,441 INFO  [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
14:02:03,441 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,442 INFO  [STDOUT] >>> KrbAsReq calling createMessage
14:02:03,442 INFO  [STDOUT] >>> KrbAsReq in createMessage
14:02:03,442 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000, number of retries =3, #bytes=254
14:02:03,442 INFO  [STDOUT] >>> KDCCommunication: kdc=WIN-VTUT3UQANQM.testmitech.lan UDP:88, timeout=30000,Attempt =1, #bytes=254
14:02:03,443 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=100
14:02:03,443 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=100
14:02:03,443 INFO  [STDOUT] >>> KdcAccessibility: remove WIN-VTUT3UQANQM.testmitech.lan
14:02:03,443 INFO  [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
14:02:03,443 INFO  [STDOUT] >>>KRBError:
14:02:03,443 INFO  [STDOUT]      sTime is Fri Jan 25 14:00:36 CET 2013 1359118836000
14:02:03,443 INFO  [STDOUT]      suSec is 594330
14:02:03,443 INFO  [STDOUT]      error code is 52
14:02:03,443 INFO  [STDOUT]      error Message is Response too big for UDP, retry with TCP
14:02:03,443 INFO  [STDOUT]      realm is TESTMITECH.LAN
14:02:03,443 INFO  [STDOUT]      sname is krbtgt/TESTMITECH.LAN
14:02:03,443 INFO  [STDOUT]      msgType is 30
14:02:03,443 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan TCP:88, timeout=30000, number of retries =3, #bytes=254
14:02:03,445 INFO  [STDOUT] >>>DEBUG: TCPClient reading 1513 bytes
14:02:03,445 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=1513
14:02:03,445 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=1513
14:02:03,446 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,452 INFO  [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply HTTP/WIN-VTUT3UQANQM.testmitech.lan
14:02:03,452 INFO  [STDOUT] principal is HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN
14:02:03,452 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,453 INFO  [STDOUT] Added server's keyKerberos Principal HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LANKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: E1 9C CF 75 EE 54 E0 6B   06 A5 90 7A F1 3C EF 42  ...u.T.k...z.<.B
14:02:03,453 INFO  [STDOUT]             [Krb5LoginModule] added Krb5Principal  HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN to Subject
14:02:03,453 INFO  [STDOUT] Commit Succeeded
14:02:03,487 INFO  [STDOUT] Found key for HTTP/WIN-VTUT3UQANQM.testmitech.lan@TESTMITECH.LAN(23)
14:02:03,488 INFO  [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:02:03,490 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,492 INFO  [STDOUT] Using builtin default etypes for permitted_enctypes
14:02:03,492 INFO  [STDOUT] default etypes for permitted_enctypes:
14:02:03,492 INFO  [STDOUT]  3
14:02:03,495 INFO  [STDOUT]  1
14:02:03,495 INFO  [STDOUT]  23
14:02:03,495 INFO  [STDOUT]  16
14:02:03,495 INFO  [STDOUT]  17
14:02:03,495 INFO  [STDOUT] .
14:02:03,495 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,499 INFO  [STDOUT] >>> Config try resetting default kdc TESTMITECH.LAN
14:02:03,499 INFO  [STDOUT] replay cache for Administrator@TESTMITECH.LAN is null.
14:02:03,500 INFO  [STDOUT] object 0: 1359118836577/577174
14:02:03,500 INFO  [STDOUT] object 0: 1359118836577/577174
14:02:03,500 INFO  [STDOUT] >>> KrbApReq: authenticate succeed.
14:02:03,501 INFO  [STDOUT] Krb5Context setting peerSeqNumber to: 2115409478
14:02:03,502 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
14:02:03,503 INFO  [STDOUT] Krb5Context setting mySeqNumber to: 749960489
14:02:03,504 INFO  [STDOUT]             [Krb5LoginModule]: Entering logout
14:02:03,504 INFO  [STDOUT]             [Krb5LoginModule]: logged out Subject

Everything seems OK, but in the browser I get HTTP 302 errors:

I have the impression that the SPNEGO module is never called, or that it is not found?

Here are the libraries I am using:
- spnego-1.1.1-GA
- sso-agent-1.3.0.Final
- jboss-negotiation-2.0.4.GA : https://repository.jboss.org/nexus/c...n-2.0.4.GA.jar

Would you have any idea, however small, as to the why and how, please?
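
Added example, not part of the original post: a small Python triage of the JDK Krb5 debug output quoted above. It checks whether each KRBError was followed by the retry the JDK logs for it and whether the client's AP-REQ was accepted. The function name `summarize` and the retry markers are assumptions of this example.

```python
import re

# Lines copied from the JDK Krb5 debug output quoted in the post (excerpt).
SAMPLE_LOG = """\
14:02:03,389 INFO  [STDOUT]      error code is 25
14:02:03,390 INFO  [STDOUT]      error Message is Additional pre-authentication required
14:02:03,391 INFO  [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
14:02:03,399 INFO  [STDOUT]      error code is 52
14:02:03,399 INFO  [STDOUT]      error Message is Response too big for UDP, retry with TCP
14:02:03,399 INFO  [STDOUT] >>> KrbKdcReq send: kdc=WIN-VTUT3UQANQM.testmitech.lan TCP:88, timeout=30000, number of retries =3, #bytes=254
14:02:03,406 INFO  [STDOUT] Commit Succeeded
14:02:03,488 INFO  [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:02:03,499 INFO  [STDOUT] replay cache for Administrator@TESTMITECH.LAN is null.
14:02:03,500 INFO  [STDOUT] >>> KrbApReq: authenticate succeed.
14:02:03,504 INFO  [STDOUT]             [Krb5LoginModule]: logged out Subject
"""

# Assumption of this example: an error code counts as recovered when the
# retry the JDK logs for it appears later in the same output.
RETRY_MARKERS = {
    25: "re-send AS-REQ",  # KDC_ERR_PREAUTH_REQUIRED: AS-REQ resent with PA-ENC-TIMESTAMP
    52: " TCP:",           # KRB_ERR_RESPONSE_TOO_BIG: same request resent over TCP
}

PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s+\w+\s+\[STDOUT\]\s*")
ERR_CODE = re.compile(r"error code is (\d+)")
CLIENT = re.compile(r"replay cache for (\S+) is null")


def summarize(log_text):
    """Classify the Kerberos part of a JBoss log with Krb5 debug enabled."""
    # Drop the JBoss timestamp/level prefix; continuation lines pass through.
    msgs = [PREFIX.sub("", line).strip() for line in log_text.splitlines()]
    errors = []
    for i, msg in enumerate(msgs):
        hit = ERR_CODE.search(msg)
        if not hit:
            continue
        code = int(hit.group(1))
        marker = RETRY_MARKERS.get(code)
        recovered = marker is not None and any(marker in m for m in msgs[i + 1:])
        errors.append((code, recovered))
    client = next((c.group(1) for c in map(CLIENT.search, msgs) if c), None)
    result = {
        "errors": errors,
        "unrecovered": [code for code, ok in errors if not ok],
        "tgt_acquired": any("Commit Succeeded" in m for m in msgs),
        "ap_req_ok": any("KrbApReq: authenticate succeed" in m for m in msgs),
        "client": client,
    }
    result["kerberos_ok"] = (
        result["tgt_acquired"] and result["ap_req_ok"] and not result["unrecovered"]
    )
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `kerberos_ok` is true, the service obtained its TGT and accepted the client's ticket, so the cause of a redirect loop has to be looked for after the Kerberos handshake rather than in the keytab or the KDC exchange.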