spring-security-kerberos

Negotiate Header Invalid

Open ghost opened this issue 6 years ago • 0 comments

I've asked the question over at StackOverflow but to no avail: LINK

Using the 1.0.1.RELEASE version of this project (via the Grails Spring Security Kerberos plugin), I am getting "Negotiate Header was Invalid".

I found the following reply:

I've done some digging and it appears to have nothing to do with NTLM, but how the user ID is presented. If NTLM token uses a username in the form of "someuser", it doesn't work. But, if you format the user credentials in the form of DOMAIN\someuser or [email protected] all is good. We've had success in cases where the user is prompted for credentials and used the DOMAIN\someuser format.

Originally posted by @damnhandy in https://github.com/spring-projects/spring-security-kerberos/issues/89#issuecomment-216862725

In the logs the username shows up as [email protected]. I am testing in IE on Windows Server 2012 and it doesn't give me a chance to type in creds. I have to use a computer in another domain. Even when typing in creds in the format suggested, I get the same error.

All the details on this issue are in the StackOverflow link provided, but here is the console output:

2019-03-20 15:05:43.684 DEBUG --- [nio-8080-exec-7] o.s.s.k.w.a.SpnegoEntryPoint             : Add header WWW-Authenticate:Negotiate to http://devbox.tst.trknow.com:8080/secure/index, forward: no
2019-03-20 15:05:43.684 DEBUG --- [nio-8080-exec-7] o.s.s.k.w.a.SpnegoEntryPoint             : Add header WWW-Authenticate:Negotiate to http://devbox.tst.trknow.com:8080/secure/index, forward: no
2019-03-20 15:05:55.323 DEBUG --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http://devbox.tst.trknow.com:8080/secure/index: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncated*
2019-03-20 15:05:55.323 DEBUG --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Received Negotiate Header for request http://devbox.tst.trknow.com:8080/secure/index: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncated*
2019-03-20 15:05:55.324 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
2019-03-20 15:05:55.324 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token
Found KeyTab C:\grails3projects\http-grails.keytab for HTTP/[email protected]
Found KeyTab C:\grails3projects\http-grails.keytab for HTTP/[email protected]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Java config name: null
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 70; type: 1
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 70; type: 3
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 78; type: 23
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 94; type: 18
>>> KeyTabInputStream, readName(): TST.TRKNOW.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): devbox.tst.trknow.com
>>> KeyTab: load() entry length: 78; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 14
Added key: 18version: 14
Added key: 23version: 14
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1553108589/041556/905183D04DE02C32E30F1CE01B5F9AC2/[email protected] to [email protected]|HTTP/[email protected]
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 710158400
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 59568554
>>> Constrained deleg from GSSCaller{UNKNOWN}
2019-03-20 15:05:56.104 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Succesfully validated [email protected]
2019-03-20 15:05:56.104 DEBUG --- [io-8080-exec-10] .a.KerberosServiceAuthenticationProvider : Succesfully validated [email protected]
2019-03-20 15:05:56.289  WARN --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncate*

grails.plugin.springsecurity.userdetails.NoStackUsernameNotFoundException: User not found

2019-03-20 15:05:56.289  WARN --- [io-8080-exec-10] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid: Negotiate YIIHKwYGKwYBBQUCoIIHHzCCBxugMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYK*Truncate*

grails.plugin.springsecurity.userdetails.NoStackUsernameNotFoundException: User not found

ghost Mar 22 '19 14:03
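
In the console output above, the provider logs "Succesfully validated" before the filter's WARN, and the exception attached to the WARN is a user lookup failure: `KerberosServiceAuthenticationProvider` hands the validated principal name to the configured `UserDetailsService`, and `SpnegoAuthenticationProcessingFilter` logs any authentication exception from that chain as "Negotiate Header was invalid". The following is an added example, not part of the original issue or of the project's code: a hypothetical `RealmAwareUserDetailsService` that accepts the `account@REALM` principal, checks the realm against an allow-list and looks up the bare account name. It assumes the local user store keys accounts without the realm.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Hypothetical decorator (not part of spring-security-kerberos): maps a
 * validated Kerberos principal "account@REALM" to the local account name.
 */
public final class RealmAwareUserDetailsService implements UserDetailsService {

    private final UserDetailsService delegate;   // the existing user lookup
    private final Set<String> trustedRealms;     // e.g. "TST.TRKNOW.COM" from the keytab log

    public RealmAwareUserDetailsService(UserDetailsService delegate, Set<String> trustedRealms) {
        this.delegate = delegate;
        this.trustedRealms = Collections.unmodifiableSet(new HashSet<>(trustedRealms));
    }

    @Override
    public UserDetails loadUserByUsername(String principal) throws UsernameNotFoundException {
        int at = principal == null ? -1 : principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            // No realm part: refuse rather than guess which realm issued it.
            throw new UsernameNotFoundException("Principal has no realm");
        }
        String account = principal.substring(0, at);
        String realm = principal.substring(at + 1);
        // Realm names are case-sensitive; compare exactly. Dropping the realm
        // without this check would let "bob" arriving over any cross-realm
        // trust log in as the local "bob".
        if (!trustedRealms.contains(realm)) {
            throw new UsernameNotFoundException("Realm not accepted: " + realm);
        }
        return delegate.loadUserByUsername(account);
    }
}
```

Register it as the `UserDetailsService` given to the Kerberos provider, wrapping the existing one; how that bean is wired in the Grails plugin is not shown on this page.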