We are facing an issue while setting up SSO with Wildfly 26.1.3 (Kerberos5, KDC, SPNEGO). We are getting the below error in the logs while trying to authenticate. We need your assistance in solving the issue.

{
  "timestamp": "2024-02-23T08:01:00.237+01:00",
  "sequence": 13749,
  "loggerClassName": "org.jboss.logging.DelegatingBasicLogger",
  "loggerName": "org.wildfly.security.http.spnego",
  "level": "TRACE",
  "message": "Call to acceptSecContext failed.",
  "threadName": "default task-1",
  "threadId": 171,
  "mdc": {},
  "ndc": "",
  "hostName": "txxxxxxx-web-7bd785664-fzvn5",
  "processName": "jboss-modules.jar",
  "processId": 215,
  "stackTrace": ": GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)\n\tat sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:858)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)\n\tat sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:909)\n\tat sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:559)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)\n\tat sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)\n\tat org.wildfly.security.http.spnego.SpnegoAuthenticationMechanism.lambda$evaluateRequest$0(SpnegoAuthenticationMechanism.java:245)\n\tat java.security.AccessController.doPrivileged(Native Method)\n\tat javax.security.auth.Subject.doAs(Subject.java:422)\n\tat org.wildfly.security.http.spnego.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:245)\n\tat org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:119)\n\tat org.wildfly.security.http.util.SocketAddressCallbackServerMechanismFactory$1.evaluateRequest(SocketAddressCallbackServerMechanismFactory.java:82)\n\tat org.wildfly.security.auth.server.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:85)\n\tat org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:325)\n\tat org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$800(HttpAuthenticator.java:300)\n\tat org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:94)\n\tat org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:107)\n\tat org.wildfly.elytron.web.undertow.server.servlet.ServletSecurityContextImpl.authenticate(ServletSecurityContextImpl.java:115)\n\tat io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)\n\tat io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)\n\tat io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)\n\tat io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)\n\tat io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)\n\tat io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)\n\tat org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)\n\tat io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52)\n\tat io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:275)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:79)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:134)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:131)\n\tat io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)\n\tat io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1544)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:255)\n\tat io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:79)\n\tat io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:100)\n\tat io.undertow.server.Connectors.executeRootHandler(Connectors.java:387)\n\tat io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:852)\n\tat org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)\n\tat org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)\n\tat org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)\n\tat org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)\n\tat org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282)\n\tat java.lang.Thread.run(Thread.java:750)\nCaused by: KrbException: Checksum failed\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102)\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94)\n\tat sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)\n\tat sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)\n\tat sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)\n\tat sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:140)\n\tat sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:831)\n\t... 54 more\nCaused by: java.security.GeneralSecurityException: Checksum failed\n\tat sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408)\n\tat sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91)\n\tat sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100)\n\t... 60 more\n",
  "label": "value"
}

In krb5.conf we have the below [libdefaults]:

[libdefaults]
      default_realm = ABCD.XYZ
      dns_lookup_kdc = true
      dns_lookup_realm = true
      # enctype preference lists; rc4-hmac is the krb5.conf name for etype 23 (arcfour-hmac-md5)
      default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5
      default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5
      permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 des3-cbc-sha1 rc4-hmac des-cbc-md5 des3-cbc-sha1-kd rc4-hmac-md5

      # required for the des-cbc-md5 entries above
      allow_weak_crypto = true
      udp_preference_limit = 1
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
      default_ccache_name = KEYRING:persistent:%{uid}

We also tried enabling the below:

      kdc_req_checksum_type = 1
      safe_checksum_type = 1
      ap_req_checksum_type = 1

  • Are your service credentials (keytab) still correct? This sounds very much like the service and the KDC ended up having different keys. Commented Feb 28 at 6:39

1 Answer

The exception in the trace refers to the arcfour-hmac-md5 algorithm, but your application config does not include this algorithm. Could you add arcfour-hmac-md5 to the encryption algorithms in your config files? Ref: https://developer.jboss.org/thread/44032

Also, the hostname in the event log is very long for a Windows Server OS. Normally the host portion of the FQDN does not exceed 15 characters. https://en.wikipedia.org/wiki/NetBIOS

In addition, MaxTicketAge and MaxServiceAge for Kerberos default to 10 hours in Windows; you have given 24 hours as the ticket renewal time, which does not coincide with the Windows defaults. If this has been changed in Active Directory, your configuration should reflect the same values.

Ref: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0fce5b92-bcc1-4b96-9c2b-56397c3f144f
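A practical way to act on the comment above (is the keytab still right?) and on the answer's point about rc4-hmac is to look at what the acceptor's keytab actually holds. The "Caused by" frames in the trace are in ArcFourHmacEType, so the AP-REQ was encrypted with etype 23 (rc4-hmac, also spelled arcfour-hmac-md5; the krb5.conf above already lists it as rc4-hmac), and "Checksum failed" from that decrypt means a key of that type was found and tried but its HMAC did not verify against the ticket, i.e. the key bytes differ from what the KDC used. The script below is an added example written for this page, not code from WildFly, Elytron or MIT Kerberos: it parses an MIT-format keytab offline, lists principal, kvno and etype for every key, and flags a kvno spread (a key left over from an earlier password generation), a missing key for the failing etype, and etypes absent from permitted_enctypes. The SPN, key bytes and kvnos in SAMPLE_KEYTAB are constructed, and ENCTYPE_IDS is this script's own alias table, not the library's.

```python
"""Offline keytab inspector: parse an MIT keytab (format 0x0502), list the
service keys it holds, and cross-check them against the enctypes a krb5.conf
permits.  Example code written for this page, not part of WildFly/Elytron or
MIT Kerberos; the principal, keys and kvnos below are constructed."""
import struct

# krb5.conf enctype names and common aliases -> RFC 3961 etype numbers.
# This is the script's own table, not the library's.
ENCTYPE_IDS = {
    "des-cbc-crc": 1, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-cbc-sha1-kd": 16, "des3-hmac-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "aes128-cts-hmac-sha256-128": 19, "aes256-cts-hmac-sha384-192": 20,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
RC4_HMAC = 23   # the etype behind the ArcFourHmacEType frames in the trace


def parse_keytab(data):
    """Return one dict per key slot: principal, kvno, etype, key, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size = deleted slot (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                      # realm first, then name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "etype": etype, "key": key, "timestamp": ts})
    return entries


def permitted_etypes(krb5conf):
    """Read permitted_enctypes from krb5.conf text -> (set of etype ids, unknown names)."""
    ids, unknown = set(), []
    for line in krb5conf.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == "permitted_enctypes":
            for name in v.split():
                if name.lower() in ENCTYPE_IDS:
                    ids.add(ENCTYPE_IDS[name.lower()])
                else:
                    unknown.append(name)
    return ids, unknown


def diagnose(keytab, krb5conf, spn, failing_etype):
    """Findings that explain why an AP-REQ encrypted with failing_etype may not decrypt."""
    keys = [e for e in parse_keytab(keytab) if e["principal"] == spn]
    if not keys:
        return [f"keytab holds no key for {spn}"]
    findings = []
    kvnos = sorted({e["kvno"] for e in keys})
    if len(kvnos) > 1:
        findings.append(f"kvno differs across keys {kvnos}: a key from an earlier password generation is present")
    if failing_etype not in {e["etype"] for e in keys}:
        findings.append(f"no etype {failing_etype} key for {spn}")
    ids, unknown = permitted_etypes(krb5conf)
    if failing_etype not in ids:
        findings.append(f"etype {failing_etype} is not in permitted_enctypes")
    if unknown:
        findings.append(f"names not in this script's alias table: {unknown}")
    return findings


def _entry(realm, comps, kvno, etype, key):
    """Build one 0x0502 keytab entry (used only to construct the sample below)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: fresh AES key at kvno 3, stale RC4 key left at kvno 2.
SAMPLE_SPN = "HTTP/web.abcd.xyz@ABCD.XYZ"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("ABCD.XYZ", ["HTTP", "web.abcd.xyz"], 3, 18, b"\x11" * 32)
                 + _entry("ABCD.XYZ", ["HTTP", "web.abcd.xyz"], 2, 23, b"\x22" * 16))
SAMPLE_KRB5CONF = """[libdefaults]
    permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 rc4-hmac
"""

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']:35} kvno={e['kvno']} etype={e['etype']}")
    for f in diagnose(SAMPLE_KEYTAB, SAMPLE_KRB5CONF, SAMPLE_SPN, RC4_HMAC):
        print("finding:", f)
```

Against the real file, call parse_keytab on the bytes of the keytab WildFly is configured with and compare each key's kvno with the kvno the KDC currently issues for the SPN (the MIT kvno tool reports it from a client that holds a TGT); an RC4 key with an older kvno, or one generated before the service account's password was last changed, is the usual reason the acceptor finds a key of the right type and still fails the checksum.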
