I'm trying to integrate SSO via Kerberos/SPNEGO in my application as described here https://docs.spring.io/spring-security-kerberos/docs/1.0.2.BUILD-SNAPSHOT/reference/htmlsingle/#samples-sec-server-win-auth
My context.xml looks like this:
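<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security Kerberos (SPNEGO) wiring.

  Two authentication paths share one AuthenticationManager:
    * form login -> kerberosAuthenticationProvider: the submitted username/password is
      checked against the KDC through JAAS (SunJaasKerberosClient).
    * SSO        -> kerberosServiceAuthenticationProvider: the SPNEGO token carried in the
      "Authorization: Negotiate ..." header is accepted with this service's keytab.

  The <sec:http> / filter-chain definition that installs spnegoAuthenticationProcessingFilter
  and spnegoEntryPoint is NOT in this file, nor is the property-placeholder that resolves
  ${myapp.*}; both must exist elsewhere in the context.

  Debug output (JAAS / sun.security.krb5.debug) is verbose and prints ticket and key metadata
  to stdout, so it is now driven by one property and defaults to OFF:
      myapp.kerberos.debug=true   (set only while troubleshooting)
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="
           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.2.xsd
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Both providers are registered on the same manager; each one only answers for its own
         token type (username/password vs. SPNEGO request token), so their order is not significant. -->
    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref="kerberosAuthenticationProvider"/>
        <sec:authentication-provider ref="kerberosServiceAuthenticationProvider"/>
    </sec:authentication-manager>

    <!-- Form-login path. The user's clear-text password reaches this application and is then
         used for a Kerberos (AS-REQ) login against the KDC; keep the login form behind TLS. -->
    <bean id="kerberosAuthenticationProvider"
          class="org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider">
        <property name="kerberosClient">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">
                <property name="debug" value="${myapp.kerberos.debug:false}"/>
            </bean>
        </property>
        <!-- NOTE(review): this file only defines "ldapUserDetailsService"; "userDetailsService"
             must be an alias or bean declared elsewhere, otherwise the context will not start. -->
        <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <!-- Global JAAS/Krb5 switches. These are applied as JVM system properties, so they affect
         every Kerberos client running in this JVM, not only this application context. -->
    <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">
        <property name="debug" value="${myapp.kerberos.debug:false}"/>
    </bean>

    <!-- Entry point for unauthenticated requests: challenges the client with
         "WWW-Authenticate: Negotiate" and falls back to the /login form for clients that
         cannot (or do not) answer with a SPNEGO token. -->
    <bean id="spnegoEntryPoint" class="org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint">
        <constructor-arg value="/login"/>
    </bean>

    <!-- Reads the token from "Authorization: Negotiate ..." and hands it to the
         AuthenticationManager. No failureHandler is configured, so an invalid token is logged at
         WARN ("Negotiate Header was invalid") and the request is rejected by the filter's default
         handling rather than redirected to the form. -->
    <bean id="spnegoAuthenticationProcessingFilter"
          class="org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
    </bean>

    <!-- SSO path: accepts the client's service ticket with the long-term key from the keytab. -->
    <bean id="kerberosServiceAuthenticationProvider"
          class="org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider">
        <property name="ticketValidator">
            <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator">
                <!-- Must be exactly the SPN the browser requests a ticket for (HTTP/host.fqdn@REALM),
                     and the keytab must hold the current key for that SPN. Any mismatch (SPN, kvno,
                     encryption type) makes the validator reject every SPNEGO token. -->
                <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}"/>
                <!-- The keytab is the service's long-term secret: file permissions should restrict
                     it to the account running the application. -->
                <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}"/>
                <property name="debug" value="${myapp.kerberos.debug:false}"/>
                <!-- Keeps the established GSSContext attached to the Authentication. The library
                     default is false; set it only if the context (e.g. delegated client credentials)
                     is consumed later — TODO confirm this application actually needs it. -->
                <property name="holdOnToGSSContext" value="true"/>
            </bean>
        </property>
        <!-- NOTE(review): see the remark on kerberosAuthenticationProvider about this bean name. -->
        <property name="userDetailsService" ref="userDetailsService"/>
    </bean>

    <!-- LDAP directory access for user lookups. The context source authenticates to the
         directory as the service principal itself (keytab login, isInitiator=true), so no bind
         password has to be stored in configuration. -->
    <bean id="kerberosLdapContextSource"
          class="org.springframework.security.kerberos.client.ldap.KerberosLdapContextSource">
        <constructor-arg value="${myapp.ldap.ldapServerUrl}"/>
        <property name="loginConfig">
            <bean class="org.springframework.security.kerberos.client.config.SunJaasKrb5LoginConfig">
                <property name="keyTabLocation" value="${myapp.kerberos.keytabLocation}"/>
                <property name="servicePrincipal" value="${myapp.kerberos.servicePrincipal}"/>
                <property name="debug" value="${myapp.kerberos.debug:false}"/>
                <property name="isInitiator" value="true"/>
                <property name="useTicketCache" value="true"/>
            </bean>
        </property>
    </bean>

    <!-- {0} is the authenticated name as Kerberos reports it (typically user@REALM for the SSO
         path, the typed username for form login), which is why userPrincipalName is tried in
         addition to sAMAccountName. The value is passed as a JNDI filter argument, which is
         escaped on substitution, so a crafted principal name should not be able to alter the
         filter — verify if a custom search is ever introduced. -->
    <sec:ldap-user-service id="ldapUserDetailsService" server-ref="kerberosLdapContextSource"
                           user-search-filter="(| (userPrincipalName={0}) (sAMAccountName={0}))"/>
</beans>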
I can access the protected part of my application when I explicitly open the login form and enter AD credentials, so the form-login (username/password against the KDC) path works in general.
When I request a protected URL directly without logging in first (e.g. /myapp/administration), so that the browser answers the Negotiate challenge with a SPNEGO token, I get a BadCredentialsException: "GSSContext name of the context initiator is null".
2018-05-11 16:10:07,578 [http-apr-8080-exec-3] WARN org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate YHcG(...)==
org.springframework.security.authentication.BadCredentialsException: GSSContext name of the context initiator is null
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:173)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
at org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:145)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
Reading the stack trace, the exception is thrown on the server side by SunJaasKerberosTicketValidator after it tries to accept the token taken from the browser's "Authorization: Negotiate ..." header, and it means the accepted GSS context carries no initiator (client) name. So it is about the service ticket the browser presented to my application, not about the client's TGT being modified — but I'm not sure what makes the initiator name come back empty.
So.... what am I missing?
I had the same problem, and the cause was an invalid keytab file. Regenerate it and check your keytab creation process: the keytab must contain exactly the service principal you configure in servicePrincipal (e.g. HTTP/host.fqdn@REALM), with the current key version (kvno) and an encryption type the KDC actually issues tickets with — otherwise the validator cannot decrypt the ticket in the Negotiate header. A quick sanity check is `kinit -kt <keytab> <servicePrincipal>` on the application host, which fails if the keytab key does not match the KDC.