After upgrading to JRE 6 update 45, kerberos authentication fails - kerberos

We use kerberos authentication to perform SSO. Earlier our product was on JRE 6 Update 22 and everything used to work fine. We recently migrated to JRE 6 update 45, and the kerberos authentication fails.
So, basically the code performs 2 steps - the connect and login
1. The "connect" step tests if the SPN name and credentials (either password or keytab) can login to the domain controller identified by the realm and KDC info.
2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism. So, it is attempting to perform a GSSAPI bind and at this step it is failing now.
So, here's what is happening -
Server(our product) sends AS-REQ to KDC
KDC responds back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Server again sends AS-REQ to KDC with the timestamp
KDC responds back ( AS-REP) with TGT
MCIM sends the TGS-REQ – From our analysis, this is the problem area, this request is populated with incorrect details as explained below.
KDC responds back with error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Now, the problem here is when the server is sending the TGS-REQ, it sends with Server Name (Unknown): ldap/10.213.177.3 whereas in the older JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari(hostname of kdc) even when the KDC IP is given.
Now, KDC does not have an SPN registered with ldap and IP whereas it has a SPN registered with Ldap/Hostname of the KDC
If we explicitly perform a setspn command for ldap/, everything starts working. So, what has changed in later versions of JRE 6 which is causing this issue. This is really a blocker for us and we are not aware how this can be resolved. Any help/guidance would be appreciated.
The code which is doing this -
LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A", null, null, "");
connection.bind(bindRequest); //throws exception
This throws the following exception
*
Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI SASL request: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
... 56 common frames omitted
Caused by: javax.security.sasl.SaslException: GSS initiate failed
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
... 57 common frames omitted
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 59 common frames omitted
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 62 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn&apos;t match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)*

Two things: briefly skimming over changes in JDK6 shows there are some mentions of LDAP between 22 and 45. I can't detect anything related immediately - maybe you have to scrutinize all changes in detail.
Release notes of UnboundID Solutions's LDAP SDK for Java could also give some indication. Maybe you need to upgrade the SDK to make up for a change in the JDK.

Related

Cannot login to Keycloak with HTTPS from Windows (but can from Linux)

I have Keycloak 17.0.0 (Quarkus) running in Kubernetes. When I start the Keycloak server with HTTP (http-enabled:true; hostname-strict-https:false), I can successfully log in to the administration console from both the Windows 10 and Fedora 35 systems (tried from two computers with Windows and three with Linux). I tried both Chrome and Firefox, and the behaviour is the same.
But when I start the Keycloak server with HTTPS (certificate generated using keytool, no root certificate), then I can log in from the Fedora systems, but can't from the Windows systems.
I'm not sure if this matters, but from both the Windows and Fedora systems, I'm connecting to the Keycloak server through a corporate VPN.
When trying to log in from the Windows machines, the server returns status code 400 - this is the request URL:
https://<ip>:<port>/realms/master/login-actions/authenticate?session_code=fUdxAl_f-vYHQFGUCX07SQnWEnncBCPf8hi3t3pmmHs&execution=05d68330-cbf2-4b28-9d04-2365989934d1&client_id=security-admin-console&tab_id=eK7ABwblVp8
In Keycloak logs, I see this exception (truncated where the three dots are for brevity):
2022-03-23 14:45:41,653 WARN [org.keycloak.services] (executor-thread-6) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: java.io.IOException: Underlying input stream returned zero bytes
at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:61)
at org.jboss.resteasy.plugins.server.BaseHttpRequest.getDecodedFormParameters(BaseHttpRequest.java:74)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:166)
at com.sun.proxy.$Proxy46.getDecodedFormParameters(Unknown Source)
at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:104)
at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:1002)
at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:321)
at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:292)
at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:276)
at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:349)
...
Caused by: java.io.IOException: Underlying input stream returned zero bytes
at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:288)
at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
at java.base/java.io.InputStreamReader.read(InputStreamReader.java:181)
at java.base/java.io.BufferedReader.fill(BufferedReader.java:161)
at java.base/java.io.BufferedReader.read1(BufferedReader.java:212)
at java.base/java.io.BufferedReader.read(BufferedReader.java:287)
at org.jboss.resteasy.plugins.providers.FormUrlEncodedProvider.parseForm(FormUrlEncodedProvider.java:88)
at org.jboss.resteasy.plugins.server.BaseHttpRequest.getFormParameters(BaseHttpRequest.java:57)
I compared the two outgoing authentication requests (from Windows and from Fedora) in Chrome's Network tab, and they looked almost identical: small difference in accepted-language header - but only the lowest priority one, (expected) differences in session cookies.

ZuulException: Forwarding error in Spring cloud running locally

I get this very common zuul error, when running spring cloud microservices locally.
If I specify microservice address in application.yml it works fine, so I am wondering why it doesn't discovery the service address properly without explicitly specifying it, especially that this is a new behaviour.
zuul:
routes:
my-service:
path: /myservice/**
#url: http://localhost:8081
Any hints what could have caused this?
Here is some part of stacktrace.
Caused by: java.lang.RuntimeException: java.net.SocketException: Permission denied: connect
at rx.exceptions.Exceptions.propagate(Exceptions.java:57)
at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:463)
at rx.observables.BlockingObservable.single(BlockingObservable.java:340)
at com.netflix.client.AbstractLoadBalancerAwareClient.executeWithLoadBalancer(AbstractLoadBalancerAwareClien t.java:112)
... 137 common frames omitted
Caused by: java.net.SocketException: Permission denied: connect
Thanks!

Failed to read challenge file [Caused by java.io.FileNotFoundException: /jboss/standalone/tmp/auth/local4123__.challenge (No such file or directory)

I am trying to connect two machines both running JBoss EAP 7.1.0 using a JMS bridge. Machine 1 is to act as a web server and has a WAR file deployed which is accessible, and Machine 2 is to act as the app server and has all the necessary components deployed just fine.
This is the error I am receiving:
WARN [org.apache.activemq.artemis.jms.bridge] (ServerService Thread Pool -- 72) AMQ342010: Failed to connect JMS Bridge N/A: javax.naming.CommunicationException: WFNAM00018: Failed to connect to remote host [Root exception is javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: [JBOSS-LOCAL-USER] Failed to read challenge file [Caused by java.io.FileNotFoundException: /.../.../jboss/standalone/tmp/auth/local3093626581916142639.challenge (No such file or directory)]]
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:110)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNaming(RemoteNamingProvider.java:53)
at org.wildfly.naming.client.NamingProvider.getPeerIdentityForNamingUsingRetry(NamingProvider.java:105)
at org.wildfly.naming.client.remote.RemoteNamingProvider.getPeerIdentityForNamingUsingRetry(RemoteNamingProvider.java:91)
at org.wildfly.naming.client.remote.RemoteContext.lambda$lookupNative$0(RemoteContext.java:189)
at org.wildfly.naming.client.NamingProvider.performExceptionAction(NamingProvider.java:222)
at org.wildfly.naming.client.remote.RemoteContext.performWithRetry(RemoteContext.java:100)
at org.wildfly.naming.client.remote.RemoteContext.lookupNative(RemoteContext.java:188)
at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:74)
at org.wildfly.naming.client.AbstractFederatingContext.lookup(AbstractFederatingContext.java:60)
at org.wildfly.naming.client.WildFlyRootContext.lookup(WildFlyRootContext.java:144)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at org.apache.activemq.artemis.jms.bridge.impl.JNDIFactorySupport.createObject(JNDIFactorySupport.java:46)
at org.apache.activemq.artemis.jms.bridge.impl.JNDIDestinationFactory.createDestination(JNDIDestinationFactory.java:32)
at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl.setupJMSObjects(JMSBridgeImpl.java:1072)
at org.apache.activemq.artemis.jms.bridge.impl.JMSBridgeImpl.start(JMSBridgeImpl.java:398)
at org.wildfly.extension.messaging.activemq.jms.bridge.JMSBridgeService.startBridge(JMSBridgeService.java:114)
at org.wildfly.extension.messaging.activemq.jms.bridge.JMSBridgeService$1.run(JMSBridgeService.java:84)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
The connection to the target machine (application server) is being made as the path to JBoss is that of the path on the machine, which I verified by testing with a Windows application server environment and the path was the correct Windows path to the directory where the challenge file should be, so clearly the connection is being made as the directories are being accessed. However, the .challenge file isn't present each time which understandably causes the error message.
I have scoured SO and JBoss forums for days now and nothing is resolving my issue.
I saw this post: JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge
This is the same issue that I am facing, but the answer which was marked as correct doesn't help me very much. The solution, in this case, was to replace the default ApplicationRealm with a JAAS realm, but I do not know if this is what I need, and I certainly do not currently have one. I did research it, but it seemed to not be applicable to my setup, but I could be wrong.
I also tried this solution: https://access.redhat.com/solutions/3209281 (Subscription only access)
This solution was to remove default-user="$local" from here:
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*" skip-group-loading="true"/>
I did this to both standalone-full.xml files on both machines, and it appeared to make no difference at all.
I have created application users on both machines and given them superuser privileges through the JBoss console as I figured it was probably an issue with permissions when trying to write the file but this too was to no avail. I have also verified that both user credentials are correct.
The workaround was to switch to using a core bridge instead of a JMS bridge, as per the recommendation from Justin in the comments.

Remote Invocation of EJB in WildFly 10 using JNDI lookup

Im trying to invoke an EJB from a remote server using JNDI lookup, Im using EJB3 with Spring-MVC in WildFly 10 and the configuration guided in this documentation has been done in my client and remote server
https://docs.jboss.org/author/display/WFLY10/EJB+invocations+from+a+remote+client+using+JNDI
But still I'm not able to get the connection of remote server.
1) Created a user under ApplicationRealm and gave the permissions for master slave setup for remote EJB Invocation.
2) This is my jboss-ejb-client.properties file, Here I have given the wildfly User_Name and Password of Host server.
endpoint.name=client-endpoint
remote.connections=one, two
remote.connection.one.host=172.16.25.26
remote.connection.one.port=8080
remote.connection.one.username=ABCD
remote.connection.one.password=ABCD#123
remote.connection.two.host=localhost
remote.connection.two.port=8080
remote.connection.two.username=guest
remote.connection.two.username=guest
# org.jboss.as.logging.per-deployment=true
My exception is
javax.naming.AuthenticationException: Failed to connect to any server. Servers tried:
[http-remoting://172.16.25.26:8080 (Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by
java.io.FileNotFoundException: D:\wildfly-10.0.0.Final\standalone\tmp\auth\local3540175271681581878.challenge
(The system cannot find the file specified)]
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Cannot perform callback to acquire realm,
authentication ID or password [Caused by javax.security.auth.callback.UnsupportedCallbackException])]
[Root exception is javax.security.sasl.SaslException: Authentication failed: all available authentication
mechanisms failed:
Please tell me what am I missing here thats causing this exception and what is the significance of secret-key generated while creating the user in wildfly and where to configure that key

SonarLint Eclipse connecting to SonarQube server gives "No storage for server 'sonar'. Please update."

My company upgraded to SonarQube 5.3. This requires changing from the SonarQube plugin for Eclipse to SonarLint. I regret that upgrade because my project quality profile contains 494 rules and only 12 are from Squid, so we have a massive project to make SonarLint in Eclipse at all useful. But I'm trying to install SonarLint 2.0.2 on my PC anyway. When I try to test the connection to the SQ server I get an error in the SonarLint Console. What's the problem?
No storage for server 'sonar'. Please update.
Fail to request https://sonar.forge.mycompany.com:9000/api/system/status
java.lang.IllegalStateException: Fail to request https://sonar.forge.mycompany.com:9000/api/system/status
at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:202)
at org.sonarqube.ws.client.HttpConnector.get(HttpConnector.java:144)
at org.sonarqube.ws.client.HttpConnector.call(HttpConnector.java:133)
at org.sonarsource.sonarlint.core.container.connected.SonarLintWsClient.rawGet(SonarLintWsClient.java:98)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.fetchServerInfos(ServerVersionAndStatusChecker.java:97)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:61)
at org.sonarsource.sonarlint.core.container.connected.validate.ServerVersionAndStatusChecker.checkVersionAndStatus(ServerVersionAndStatusChecker.java:51)
at org.sonarsource.sonarlint.core.WsHelperImpl.validateConnection(WsHelperImpl.java:50)
at org.sonarsource.sonarlint.core.WsHelperImpl.validateConnection(WsHelperImpl.java:45)
at org.sonarlint.eclipse.core.internal.server.Server.testConnection(Server.java:244)
at org.sonarlint.eclipse.ui.internal.server.wizard.ServerConnectionTestJob.run(ServerConnectionTestJob.java:44)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
at sun.security.ssl.InputRecord.read(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.squareup.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
at com.squareup.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
at com.squareup.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
at com.squareup.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
at com.squareup.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
at com.squareup.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)
at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:224)
at com.squareup.okhttp.Call.getResponse(Call.java:286)
at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:243)
at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:205)
at com.squareup.okhttp.Call.execute(Call.java:80)
at org.sonarqube.ws.client.HttpConnector.doCall(HttpConnector.java:199)
... 11 more
Port 9000 is the default HTTP-Port for SonarQube. SonarLint proposes https:// when configuring a new server connection.
So, if you just change
https://sonar.forge.mycompany.com:9000
to
http://sonar.forge.mycompany.com:9000
and you probably can connect SonarLint with SonarQube.
You're focused on the wrong thing. The "No Storage..." message won't stop it from working, I get that all the time with the latest sonar/sonar lint.
Have a look at your server configuration. It looks like there's a protocol mismatch...
java.lang.IllegalStateException: Fail to request https://sonar.forge.mycompany.com:9000/api/system/status
.
.
.
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?