0
votes

I'm trying to implement SPNEGO Kerberose based SSO, followed the instructions from http://spnego.sourceforge.net/pre_flight.html. While deploying the sample application in tomcat i'm getting the following error.

javax.servlet.ServletException: javax.security.auth.login.LoginException: Cannot locate default realm
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198)
    at org.apache.catalina.core.ApplicationFilterConfig.initFilter(ApplicationFilterConfig.java:273)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:254)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:372)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:98)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:4542)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5220)
    at org.apache.catalina.core.StandardContext$2.call(StandardContext.java:5215)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Cannot locate default realm
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at net.sourceforge.spnego.SpnegoAuthenticator.<init>(SpnegoAuthenticator.java:161)
    at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:196)
    ... 11 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 26 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 27 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)

Following is the content of my krb5.conf file

[libdefaults]
default_realm = VSSO.LOCAL
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
VSSO.LOCAL = {
kdc = adsrv.vsso.local
default_domain = VSSO.LOCAL
}

Following is the login.conf file

spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
isInitiator=false;
};
[domain_realm]
.VSSO.LOCAL = VSSO.LOCAL

Any idea about this issue ?

My 2 cents: force JAAS in verbose mode with -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext on command line (or via Java code), plus debug=true in both client and server JAAS configs. Then you may get some insights about what happens under the covers.Samson Scharfrichter
thanks samson for the commentShain
Ah, I just stumbled on that one: -Dsun.security.spnego.debug=true (courtesy of the-man-who-wants-to-outstare-Kerberos) steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/…Samson Scharfrichter