
Spring Security/SPNEGO authentication issue: Checksum failed

I'm using, for a Java project, Spring Security with SPNEGO for authentication. I followed every step illustrated at the link http://anmoljains.wordpress.com/2014/01/19/java-single-sign-on-using-spnego-and-jboss-eap-6-1-0/ , but when I try to authenticate with IE from a machine different from the server, I get the following error:

Negotiate Header was invalid: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAEu8iH+9PA/ykFHFoL0fcG4pSiUY/1uV4d6rsrMhDt1gQWYkR7WJ+/z5C7xHvZptngAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=: org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull ... Caused by: java.security.GeneralSecurityException: Checksum failed

Here's my applicationContext-security.xml:

<http entry-point-ref="spnegoEntryPoint" use-expressions="true">
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <intercept-url pattern="/report" filters="none"/>
    <custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER"/>
    <intercept-url pattern="/css/**" filters="none"/>
    <intercept-url pattern="/resources/**" filters="none"/>
    <intercept-url pattern="/js/**" filters="none"/>
    <form-login login-page="/login" default-target-url="/report" authentication-failure-url="/accessDenied"/>
    <logout logout-url=""/>
</http>
<beans:bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint"/>
<beans:bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="kerberosServiceAuthenticationProvider"/>
    <authentication-provider ref="kerberosAuthenticationProvider"/>
</authentication-manager>
<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
    <beans:property name="ticketValidator">
        <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
            <beans:property name="servicePrincipal" value="HTTP/web.team.it@team.it"/>

where userDetailsService is my implementation of org.springframework.security.core.userdetails.UserDetailsService.

And here's how I generated the keytab.pass:

C:\Windows\System32>ktpass /out http-web.keytab /mapuser http-web.team.it@team.it /princ HTTP/pc-web.team.it@team.it /crypto AES256-SHA1 /pType KRB5_NT_PRINCIPAL -kvno 0 /pass Password01

Using Wireshark, I get the following info:

Accept: text/html, application/xhtml+xml, */*
Accept-Language: it-IT
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept-Encoding: gzip, deflate
Host: web.team.it:8080
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=PDY3d6UIDOARlxk92scldt8Z.undefined
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAEu8iH+9PA/ykFHFoL0fcG4pSiUY/1uV4d6rsrMhDt1gQWYkR7WJ+/z5C7xHvZptngAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

When I try changing the principal to use only the short machine name (web instead of web.team.it), I get the error:

Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96

I'm using Spring Security 3.0.5 and spring-security-kerberos-core-1.0.0.M2.jar. It would also be useful to have a full sample of this kind of authentication. Thanks to all.
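The Negotiate token captured in the question can be decoded to see which GSS-API mechanisms the browser actually offered before looking at keytabs or encryption types. This is an added example, not part of the original question: the function names and the labels in MECHS are chosen here, and TOKEN is the value from the Authorization header above.

```python
import base64
TOKEN = (  # copied from the Authorization: Negotiate header shown on this page
    "YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRT"
    "AAAAAAAAAABgAAAAcAAAAEu8iH+9PA/ykFHFoL0fcG4pSiUY/1uV4d6rsrMhDt1gQWYkR7WJ+/z5C7xHvZpt"
    "ngAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo="
)
MECHS = {  # well-known GSS-API mechanism OIDs; labels are chosen for this example
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}

def read_tlv(buf, pos, want):
    """Check the DER tag at pos and return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # first byte packs two arcs
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(header_value):
    """Return [(oid, label)] for the mechTypes of a SPNEGO NegTokenInit, in client order."""
    buf = base64.b64decode(header_value.split()[-1])
    pos, _ = read_tlv(buf, 0, 0x60)          # GSS-API InitialContextToken
    s, pos = read_tlv(buf, pos, 0x06)        # thisMech
    if decode_oid(buf[s:pos]) != "1.3.6.1.5.5.2":
        raise ValueError("outer mechanism is not SPNEGO")
    for tag in (0xA0, 0x30, 0xA0):           # [0] NegTokenInit, SEQUENCE, [0] mechTypes
        pos, _ = read_tlv(buf, pos, tag)
    pos, end = read_tlv(buf, pos, 0x30)      # SEQUENCE OF OID
    oids = []
    while pos < end:
        s, pos = read_tlv(buf, pos, 0x06)
        oids.append(decode_oid(buf[s:pos]))
    return [(oid, MECHS.get(oid, "unknown")) for oid in oids]
```

For the token on this page, `offered_mechs("Negotiate " + TOKEN)` lists NegoEx followed by NTLMSSP and no Kerberos OID, so this request carried no Kerberos service ticket for the ticket validator to check.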

Add to your krb5.conf:

default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
