We Keep Coding

Authorization has been denied for this request while integrating Identity server4 (ver 3.0.0) token into Microsoft.AspNet.WebApi (Framework 4.6.2)"

I am using Identity server4 (ver 3.0.0) and want to authenticate Microsoft.AspNet.WebApi " version="5.2.7" targetFramework="net462"
I have installed identity server3 in AspNet.WebApi project.While I am authenticating .net web api request using Bearer token
that i got from identity server4.this showing me unAuthorized Access. I am attaching some screenshots here :
Postman Screenshot:
https://prnt.sc/qu0sb6
Blockquote
public void Configuration(IAppBuilder app)
{
HttpConfiguration webApiConfig = new HttpConfiguration();
webApiConfig.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Always;
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
app.Use<ExceptionHandler>();
ConfigureAuth(app);
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
Authority = "https://localhost:44353/",
ClientId = "ConsoleApp_ClientId",
ClientSecret = "secret_for_the_consoleapp",
RequiredScopes = new[] { "SmarttrackReportAPI" },
DelayLoadMetadata = true
});
app.Use<SessionAuthenticator>();
WebApiConfig.Register(webApiConfig);
HttpServer webApiServer = new HttpServer(webApiConfig);
app.UseWebApi(webApiServer);
}
Installed package Screenshot:
https://prnt.sc/qu0sv1
Please help.

Generate SPNEGO Token Failured

I tried to generate the token which can be used as the HTTP header to authenticate to the HDFS WebHDFS URL and Oozie REST API URL.
I referenced the url below to have the below code to generate the Negotiate token.
https://www.ibm.com/support/knowledgecenter/en/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/tsec_SPNEGO_token.html
public class TokenCreation {
private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
public static byte[] genToken(String principal) {
System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
byte[] spnegoToken = new byte[0];
try {
Oid spnegoMechOid = new Oid(SPNEGO_OID);
Oid krb5MechOid = new Oid(KERBEROS_OID);
GSSCredential clientGssCreds = null;
GSSManager manager = GSSManager.getInstance();
GSSName gssUserName = manager.createName(principal, GSSName.NT_USER_NAME, krb5MechOid);
clientGssCreds = manager.createCredential(gssUserName.canonicalize(krb5MechOid),
GSSCredential.INDEFINITE_LIFETIME,
krb5MechOid,
GSSCredential.INITIATE_ONLY);
clientGssCreds.add(gssUserName,
GSSCredential.INDEFINITE_LIFETIME,
GSSCredential.INDEFINITE_LIFETIME,
spnegoMechOid, GSSCredential.INITIATE_ONLY);
GSSName gssServerName = manager.createName(principal, GSSName.NT_USER_NAME);
GSSContext clientContext = manager.createContext(gssServerName.canonicalize(spnegoMechOid),
spnegoMechOid,
clientGssCreds,
GSSContext.DEFAULT_LIFETIME);
// optional enable GSS credential delegation
clientContext.requestCredDeleg(true);
// create a SPNEGO token for the target server
spnegoToken = clientContext.initSecContext(spnegoToken, 0, spnegoToken.length);
} catch (GSSException e) {
e.printStackTrace();
}
return spnegoToken;
}
But after running the above code, I always got the below prompt:
2019-09-25 14:12:51 760 [INFO] [pool-2-thread-1] c.s.n.c.u.security.KrbUtils - after loginUserFromKeytab............AtoimcUser:HTTP/host1.exmaple.com#EXAMPLE.COM
2019-09-25 14:12:51 760 [INFO] [pool-2-thread-1] c.s.n.app.oozie.OozieAppCaller - ->>>>>>User Name is HTTP/host1.exmaple.com#EXAMPLE.COM
2019-09-25 14:12:51 760 [INFO] [pool-2-thread-1] c.s.n.app.oozie.OozieAppCaller - ->>>>>>Mode is KERBEROS
>>>KinitOptions cache name is /tmp/krb5cc_0
Kerberos username [root]: ^C^C^C
Kerberos password for root:
You can see at the end of the above output log.
The "Kerberos username" is always prompt to ask for username.
Also I have tried to manually run kinit the keytab.
and the above class can generate the token successfully.
But manually run kinit is NOT the way I wanted.
Would you please help it?
Thanks.

Kerberos and SPNEGO support in Java is cumbersome unfortunately.
I've created a small library to simplify some Kerberos use cases: https://github.com/bedrin/kerb4j
You can use it like this to generate SPNEGO token:
SpnegoClient spnegoClient = SpnegoClient.loginWithKeyTab("svc_consumer", "/opt/myapp/consumer.keytab");
URL url = new URL("http://api.provider.acme.com/api/operation1");
SpnegoContext context = spnegoClient.createContext("http://provider.acme.com"); // Will result in HTTP/provider.acme.com SPN
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("Authorization", context.createTokenAsAuthroizationHeader());

JAAS auth kerberos error "java.net.SocketTimeoutException: Receive timed out"

i have installed a kerberos server.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
SNSPRJ.COM = {
kdc = kerberos.snsprj.com
admin_server = kerberos.snsprj.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.snsprj.com = SNSPRJ.COM
snsprj.com = SNSPRJ.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SNSPRJ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
~
In the kerberos client ,i use kinit xiaoxiao/admin#SNSPRJ.COM and it's see ok
[root#bogon ~]# kinit xiaoxiao/admin#SNSPRJ.COM
Password for xiaoxiao/admin#SNSPRJ.COM:
[root#bogon ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: xiaoxiao/admin#SNSPRJ.COM
Valid starting Expires Service principal
08/24/2017 13:51:18 08/25/2017 13:51:17 krbtgt/SNSPRJ.COM#SNSPRJ.COM
[root#bogon ~]#
but when i use JAAS to auth kerberos server some error message occur :
java.net.SocketTimeoutException: Receive timed out
i have tey telnet 192.168.1.196 88 it's ok.
bogon:jaas0822 skh$ telnet 192.168.1.196 88
Trying 192.168.1.196...
Connected to bogon.
Escape character is '^]'.
JAAS Authentication:http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
my code:
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;
/**
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
*
* Created by skh on 2017/8/22.
*/
public class JaasAcn {
public static void main(String[] args) {
String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
System.setProperty("java.security.auth.login.config", path + "jaas.conf");
// System.setProperty("java.security.krb5.conf", path + "krb5.conf");
System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");
System.setProperty("java.security.krb5.debug", "true");
// Obtain a LoginContext, needed for authentication. Tell it
// to use the LoginModule implementation specified by the
// entry named "JaasSample" in the JAAS login configuration
// file and to also use the specified CallbackHandler.
LoginContext lc = null;
try {
lc = new LoginContext("JaasSample", new TextCallbackHandler());
// attempt authentication
try {
lc.login();
} catch (LoginException le) {
le.printStackTrace();
System.err.println("Authentication failed:");
System.err.println(" " + le.getMessage());
System.exit(-1);
}
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. " + le.getMessage());
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. " + se.getMessage());
System.exit(-1);
}
System.out.println("Authentication succeeded!");
}
}
is something worry? anyone can help me ,think you very much!

Solution :use TCP
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
# insert by xiaohb 20170824 start
udp_preference_limit = 1
# insert by xiaohb 20170824 end

oozie java api submit job, kerberos Authentication error

I hava hadoop-2.7 cluster, oozie-4.0.1 running in secure mode(with kerberos).
All are well. I can use cli commands submit job as follow:
Kinit myuser
oozie job -oozie https://10.1.130.10:21003/oozie -config job.properties -run
but I use oozie java api submit job, kerberos exception occur.
Exception in thread "main" AUTHENTICATION : Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:150)
at org.apache.oozie.client.OozieClient.getSupportedProtocolVersions(OozieClient.java:577)
at org.apache.oozie.client.OozieClient.validateWSVersion(OozieClient.java:538)
at org.apache.oozie.client.OozieClient.createURL(OozieClient.java:651)
at org.apache.oozie.client.OozieClient.access$100(OozieClient.java:103)
at org.apache.oozie.client.OozieClient$ClientCallable.call(OozieClient.java:803)
at org.apache.oozie.client.OozieClient.run(OozieClient.java:999)
at com.huawei.oozie.OozieMain.main(OozieMain.java:47)
Caused by: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:334)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.authenticate(KerberosAuthenticator.java:206)
at org.apache.hadoop.security.authentication.client.AuthenticatedURL.openConnection(AuthenticatedURL.java:215)
at org.apache.oozie.client.AuthOozieClient.createConnection(AuthOozieClient.java:144)
... 7 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:313)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator$1.run(KerberosAuthenticator.java:288)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.authentication.client.KerberosAuthenticator.doSpnegoSequence(KerberosAuthenticator.java:288)
... 10 more
my java code as follow:
System.setProperty("java.security.auth.login.config", System.getProperty("user.dir") + File.separator + "conf"
+ File.separator + "jaas.conf ");
System.setProperty("java.security.krb5.conf", System.getProperty("user.dir") + File.separator + "conf"
+ File.separator + "krb5.conf ");
String url = "https://10.137.60.60:21003/oozie";
AuthOozieClient wc = new AuthOozieClient(url);
wc.setDebugMode(1);
Properties conf = wc.createConfiguration();
FileReader fr = new FileReader("conf/job.properties");
conf.load(fr);
System.out.println(conf.toString());
String jobId = wc.run(conf);
System.out.println("Workflow job submitted");
while (wc.getJobInfo(jobId).getStatus() == WorkflowJob.Status.RUNNING)
{
System.out.println("Workflow job running ...");
Thread.sleep(3 * 1000);
}
System.out.println("Workflow job completed ...");
System.out.println(wc.getJobInfo(jobId));
my conf/jaas.conf as follow:
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="D:/workspace/4.4-billing/Oozie/conf/oozie.keytab"
principal="oozie#HADOOP.COM"
useTicketCache=false
storeKey=true
debug=true;
};
can anyone help me ? I know oozie use hadoop-auth jar. but how to set keytab, write authenticate code, I cannot.

set your kerberos user account as
conf.setProperty(OozieClient.USER_NAME, "xyz");
oozieClient.run(conf);

Guvnor execution server getting 401 when using AD-configured Guvnor as endpoint

We are using:
• Drools Execution Server that came with Drools 5.0.x
• Drools Guvnor 5.2 configured with active directory
The execution server and guvnor run on the same Tomcat and use the same port.
With the execution server you can have a listener for each package within the configuration file. I have two such files, from-file-system.properties that points to a local directory where a drools binary package is manually deployed. This works fine.
But I try to use with-guvnor.properties which points to a package binary on 5.3 Guvnor. Here is the file:
name=ndipiazza
newInstance=true
# Absolute path of the directory containing pc.drl: placeholder replaced by Ant.
url=http://localhost:9109/drools-guvnor/rest/packages/NDD_Test/binary
poll=10
I get the following error:
RuleAgent(ndipiazza) INFO (Mon Jun 18 18:11:32 EDT 2012): Configuring package provider : URLScanner monitoring URLs: http://localhost:9109/drools-guvnor/rest/packages/NDD_Test/binary
RuleAgent(ndipiazza) WARNING (Mon Jun 18 18:11:34 EDT 2012): Was an error contacting http://localhost:9109/drools-guvnor/rest/packages/NDD_Test/binary. Reponse header: {null=[HTTP/1.1 401 Unauthorized]
Some sort of authorization error very likely related to the active directory configuration within Guvnor 5.2.
This used to work for us just fine with an earlier version of Guvnor.
How can I fix this issue?

So we isolated the problem today. Drools Server 5.0.x cannot support a URL endpoint when it has authentication of any sort.
I reported a bug: https://issues.jboss.org/browse/JBRULES-3554
Without these changes, this will not work.
drools-core's org/drools/agent/HttpClientImpl.java
These two methods need to have authentication added in (marked by START and END NDD), and obviously switched with your username/password.
public LastUpdatedPing checkLastUpdated(URL url) throws IOException {
URLConnection con = url.openConnection();
HttpURLConnection httpCon = (HttpURLConnection) con;
try {
// **** START NDD *****
BASE64Encoder enc = new sun.misc.BASE64Encoder();
String userpassword = "ad-user" + ":" + "ad-password";
String encodedAuthorization = enc.encode( userpassword.getBytes() );
httpCon.setRequestProperty("Authorization", "Basic "+
encodedAuthorization);
// **** END NDD *****
httpCon.setRequestMethod( "HEAD" );
String lm = httpCon.getHeaderField( "lastModified" );
LastUpdatedPing ping = new LastUpdatedPing();
ping.responseMessage = httpCon.getHeaderFields().toString();
if ( lm != null ) {
ping.lastUpdated = Long.parseLong( lm );
} else {
long httpLM = httpCon.getLastModified();
if ( httpLM > 0 ) {
ping.lastUpdated = httpLM;
}
}
return ping;
} finally {
httpCon.disconnect();
}
}
public Package fetchPackage(URL url) throws IOException,
ClassNotFoundException {
URLConnection con = url.openConnection();
HttpURLConnection httpCon = (HttpURLConnection) con;
try {
// **** START NDD *****
BASE64Encoder enc = new sun.misc.BASE64Encoder();
String userpassword = "ad-user" + ":" + "ad-password";
String encodedAuthorization = enc.encode( userpassword.getBytes() );
httpCon.setRequestProperty("Authorization", "Basic "+
encodedAuthorization);
// **** END NDD *****
httpCon.setRequestMethod( "GET" );
Object o = DroolsStreamUtils.streamIn( httpCon.getInputStream() );
if ( o instanceof KnowledgePackageImp ) {
return ((KnowledgePackageImp) o).pkg;
} else {
return (Package) o;
}
} finally {
httpCon.disconnect();
}
}
Mystery solved.