I have an EE application that I am working on and I am trying to implement SSO with the windows network using SPNEGO provider connected to the Windows Active Directory through a Multitenancy WebLogic Server (12.2.1.2). The SPNEGO provider is configured and appears to be working correctly with the Active Directory. I have created a small application that consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds.
The problem that I am having is that looking at the log files from the server the authentication is succeeding but the server is not sending me forward once I have been authenticated through SPNEGO. I can see where the SPNEGO token is being passed and used to authenticate my identity and even all of the groups that I am a member of from the Active Directory.
Here is the Web.xml for the test application
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<servlet>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<security-role>
<description>Admin Role</description>
<role-name>DEV_ADMIN</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
<url-pattern>/</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>DEV_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>/AuthSimpleTestServlet</welcome-file>
</welcome-file-list>
The weblogic.xml
<security-role-assignment>
<role-name>DEV_ADMIN</role-name>
<principal-name>@APP_DEV_ADMIN</principal-name>
<principal-name>APP_DEV_ADMIN</principal-name>
</security-role-assignment>
I can see where it looks like the Principals are being added to the Subject. Not a JS Snippet used for formatting purposes.
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <login succeeded for username DCConway>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Commit>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Principals Added>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.commit delegated, returning true>
<Aug 6, 2018, 1:48:15,491 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
<Aug 6, 2018, 1:48:15,492 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
Principal: DCConway
Principal: @APP_DEV_ADMIN
Principal: APP_DEV_ADMIN
Even though it looks like everything is working correctly I am receiving a 403 Forbidden Error when trying to access the servlet.
The request header appears to have the correct token.
I'm hoping that someone can help me to determine what the problem is and how to solve it.
Below is some copied sections of the log files for review and it's a large amount of log information. The names of servers, etc has been altered.
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <PrincipalAuthenticator.assertIdentity using common security>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.WLSIdentityAssertionServiceWrapper.assertIdentity>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(Authorization)>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity - IdentityAssertionException>
<Aug 6, 2018, 1:48:15,327 PM EDT> <Debug> <WebAppIdentityAssertion> <BEA-000000> <Permission check failed for weblogic.servlet.internal.ServletRequestImpl@11524151[
GET /STIP_Ken/SPNEGO_TEST HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Referer: http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
DNT: 1
Connection: Keep-Alive
Authorization: *
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
]>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <NegotiateIdentityAsserterServiceImpl.process() called>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <CERT auth type found for webapp>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <All request headers:>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept : text/html, application/xhtml+xml, image/jxr, */*>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Referer : http://os-serv-li-env800.os.comapny.com:7005/console/console.portal?_nfpb=true&_pageLabel=WebAppApplicationTestingPage&handle=com.bea.console.handles.AppDeploymentHandle%28%22com.bea%3AName%3DSPNEGO_TEST%2CType%3DAppDeployment%2CPartition%3Dken_partition%2CResourceGroup%3DPartitionResourceGroup-ken%22%29>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Language : en-US>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: User-Agent : Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Accept-Encoding : gzip, deflate, peerdist>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Host : os-serv-li-env800.os.comapny.com:7027>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: DNT : 1>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Connection : Keep-Alive>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Cookie : JSESSIONID=bVMQKy4C_QQlGvaTKZUwkiEsW2tVrTRkQ_A4yU_vGb22z85hWfEV!1153673829; ADMINCONSOLESESSION=F2UQTg7hP-Xz-h9kpjTkEPLp4hdHnKSKLqnupTfTl4HxVZ9eEIAi!-803667715>
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: Authorization : Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvS...
<Aug 6, 2018, 1:48:15,328 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDist : Version=1.1>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < Header: X-P2P-PeerDistEx : MinContentInformation=1.0, MaxContentInformation=2.0>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> < processing header: Negotiate YIILBAYGKwYBBQUCoIIK+DCCCvSgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCr4Eggq6YIIKtgYJKoZIhvcSAQICAQBuggqlMIIKoaADAgEFoQMCAQ6iBwMFACAAAACjggi1YYIIsTCCCK2gAwIBBaETGxFNQUlOLkFEUy5VU0NHLk1JTKIvMC2gAwIBAqEmMCQbBEhUVFAbHG9zYy1zLWxpbS1hcDgwMC5vc2MudXNjZy5taWyjggheMIIIWqADAgESoQMCAQeigghMBIIISOIHiNd0PhKH07ahpwtToHkw3cO1MILaInEboKRe9r5MeR4xBpHwK8qMRsgM3vZfozvwRrskv4tftg7ZjKBbBDzNKFBbqAUNPJ9NWc8eq6p9gBcvzzuacRPVn1O80Q1Y+XEIAqQpbEY+LkdWTjcDy8xM/OdXTldBoYFmrmpnxEPe3J0vY1CdEoCefPfp0B+xN7lQ3dS4XQQvww2BYzF55wUXUxRYCfogZnxhkUARyT9M1S4xwFog6Ap+wAe1UextvB9R9IW7nE3eT3EJbcLgCFpXh502KcFwt7ht7O2L93tU6SjaLl2ogq2d+m24bgobnPD+YRPk4873REkTFmXrTAkkgw+mXmga2iP9ML7X+hiXGraJQmj6GbwfpSc0sITOnIktm25UwNrQXjabh0XfN5XoMeQW6x0cWW0j4plpgH+kGGSuj0fFe7zrBu+IgV0XkC/dbcYaTkVWVfs+oAGUWHcpGWxNduXFqm78rlAg915/eHvEXuZgP9PLCCpC3fXGqaxlO4oF81Ly/3NLWBybWQs7S2NVbmDfTg+puVkBL7vYZR8jkOo7cmtijpCgA0kHAS/5sV8pZCabpTh+UkiI4QgiwdBSEVhIxnhKAByewYU4D0wpmT5ebSqhnrJzZufMr0Fz3PvVx/F0f+nH/bLj+VWURyNu3SsQ5tz+JwV1lG+9MRwiPIe/SFbiOV8KvqBJFzJ3RgzUWVk7L8CzGQg88ahKUdO9jHV+XiclVpL5qCX9TRD960bEJGYgvemeI172tOnQXQEm0H9i4x02gLarvmlb18fwycaj4OJV6wRFUUbWXs1OnfMBH9PKeh6sAmow2Knh2+noSwHceizjDY4HarD/bnUXQ9TNIqu0onJYfQsWLYXwOyl5IVBaRxhBLBodJCv8mJMJuM7sWBwXuGJft7HbIJgcpaECQk28zBtD5EYS/LkX46zFJlGEoQFV1qrARMH3rtf4RMG3kaWkpmEIVj6DT3ZvtTWy52gcFNrJNeWRgKJuatSahm8tWjDfEgPs1quyKds/j1cMAyEYZVkpZLlXKRTe4tQ8nW1atVL/ZyFKPJi/gFj9yIp1gghc1VHevRglxoUQCvMLrXbcx71+oc07EyAN1wfd9Gc0Tyz9PRiblhpV7+Akqt3PQcpGtlgBmuiMS1JmT1BsjUpyi8Zr46KKwnBYLqlUqDaHaxmExG5H40vVF0UqIvL3tw80o6R0qZiyoWK5tJ7Y/IioETWdxobNevKUZDQDojrxVVynVefgqEbjGBZ2pRkEKpcCzgm6PY3xv6EenscDaDaOeRSBVLl0bBtP6w+TSvdAFtjm2GF61+c1+ug/bi5g7feoiB2ahhlhsUp37N59FLC50Jk7nhOzKLY1+IdXN5C8/vtbWA4xe2m0pCrwvtucgWBO/3L49TsQIE8HokI5cBXGQSj1ZKOLgdvMoAiKP9HEHyCS7zkSM04PZYH93h9OfDnv8hf0GnSjcw5Tq8bY0AKruC+aysPo00BEHMlxHie9bAMcT3/mL5i4kAHzZVwt9yjbpGeSiWzXh2j3CHJeB3n9MNN5tn7pus7xii+zNV1MA4l3RoRKL4inyt6U18elY02FvhbzYDfkfcEqKudZ9H/TyiZbzB/EcIfPbth1l1UOsQVcAF9fNrNyPG0ezlnkIUNBGRBuX23F7Y6rZfkXQys2pv3FlPjTK7f3EtwX7xunrvtVR1chSfZEfz6xsiVC3YPpUk3NUpTlg4DNbFUnhfEeLbZBKI3I1cYKPeftFiqygjxbyFEnzTPLY1UP63wCmdNip6PppJZHY8lS6cDOkEWjj/6pbiHpH2yoJQXR+bh2P3TdqV55vXt1gItG+aufuE1unh1GqAY7DwgRRdMd8pVHZ/FkOIIwGLCnVVUsVkNxjkTMW5KMfms7VM4EgiW4VkpyV/yM90ArMN0BDYluIP5rlw9hL2MLsUDfNQa1yX2RY9DTKPjMU3TqqCbD7YZ2t7FwRdGDXH9qOyXsbxqrudGpqL44NrpDgHEtCxzh0Eyz0CctAAQoGt5DkAbNv8KbraQNwFnIPxCXQ0R+jyQVAqoBlTMYajtmpr9oYlWyAozZ0wYbKMM0a/eFBJe2FQtbSVBLTY2D8h/laX/dMW4siAiSUvBr+Fys99W28Y0O9qcNZXf3sARNrcANIy2EZ6n2XYMPZ5LW96TaWLq6Y5KUHmhz9i1yO3QXk4KF7if99QI0qicMnnUJ99MaLA5VPQavbm77jCkW3cpVubBWfDUeMbGoxEMdUxjC7p3JM7duptr8t2GteZgSSj81gdxTqoGAM2eLZhH/spzSDfO7/mNmymF81/It4aXrTx9PQjcvH8t5xz7MDKuaucJSvu3rrgc35bbBz94UlrubZLAdiS348XVlTdsMvWmVZu5EPHPCUUgSx1riTkmVxHbgVbR/pSvKsmvNCIqwOfHK3QlLWJQqLB//8jLBjlv0u7h4tYo6bLEmAp21hkorzMlEMDSKKZH/b+1fWJipK6MVRW1OIRGiPMEUcK6Rw5bf2WfofhG8OW7NtGewIsG1K9dYPAIlZOHiVoFyZbCI6boplgVGqhiab57qs8Z0Zibos9dCYY52UQMEGUmgI/b0hu2IPDl1+wEOGLLO2A+lT+TmQNu1X/09yFduJmb+r3Dw9s9cCrTjO4r5GNenjrq7NjeK6Q4WpBaW5I8aSn6P3Q6cyJaPHKjudlfM/N9sPFBc3ylj2BZRrNWLYaLywDJD5UlMMM2Cv6R95Ft9i/yb+q1vs/3uhpeoKk6Ny7jjyp5xu0Xmb392SlCQZzfBMCuCGEaAH41whgZeOX5HZJr/vyyrwrFQlRCNpIIB0TCCAc2gAwIBEqKCAcQEggHA4fZXLJsGEn1cx6r3wF0FiTLJLX2Fu/GwlmidzC7/7VfGMDDWTCuSKasFwi9lC5QkV74etXYMa3ndwr+aPM4aPwaEIIFQe8r4bW7jol00FB4SavtHfhonKBBZVw1Y8RbDE+TnGQUb5R11TPbi+wfomKcQM4Fhew3dueNfhFT/sQ6eKQQ6UmqSTzZKjmQhjOpaBLyqV+ciZM52ctC49wPc+xN3SbAPCI4m3H5b/C8VTTbOwtE+vMnlj3sjQYQR82bCLKRoJXTWP8ImerWYSlD7MlUXWdQH+msG2RHE8U8XCwhPRUQuyNgdUzvt1cYndfuz7jPR8YzFj/e7NWSLfDKbJiskuK8W+gLGfCMuROVMoyp3+bXaTjY1/tNhgcu0NAtzh+uT/UOmksLdbosNlhQ5nEoRbu1b5sB58HlmooJeK7TVxxjmStYtua/+blmUo+pn/OHMIJly9T9+KQ9hXeh9i7Eivy2VZR08/OuFK63k/6Nej/I+aogo7bpLJGrhKJLNE2Hgi3yevKTKIN168ES5j/KHt+jeZyQrHyMu2Y6Pa1UBoZj2BKeksyA59y8LyuuicCA2rWqBATpfZOH0NcL0bA==>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO static oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: SPNEGO in oid 0: 0606 2b06 0105 0502 ..+.....
>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Neg token found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of neg token 2808>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: sequence found>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of sequence token 2804>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: choice is 160>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type 48>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: len of mech type seq 46>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: mech type offset 24>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <mech type token
16: 0609 2a86 4882 f712 ..*.H...
more lines...
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.30>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token len 2750>
<Aug 6, 2018, 1:48:15,329 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <SPNEGONegotiateToken.discriminate: Mech token
0: 6082 0ab6 0609 2a86 4886 f712 0102 0201 `.....*.H.......
16: 006e 820a a530 820a a1a0 0302 0105 a103 .n...0..........
more lines..
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Found Negotiate with SPNEGO token>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Negotiate filter: new session, no negotiation has started>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.assertChallengeIdentity(Authorization.Negotiate)>
<Aug 6, 2018, 1:48:15,330 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ [email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ [email protected]
Will use keytab
Commit Succeeded
Found KeyTab cglims_mt_dev.keytab for HTTP/ [email protected]
Found ticket for HTTP/ [email protected] to go to krbtgt/ [email protected] expiring on Mon Aug 06 23:48:15 EDT 2018
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1533577695/003265/F340CA7D6DD3AB5499310326FEBE8EA9/[email protected] to [email protected]|HTTP/ [email protected]
MemoryCache: Existing AuthList:
#1: 1533574589/003195/3E34B0B548DBF2570B1E8140F1C0CBCD/[email protected]
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1542758160
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 241351631
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <gssContext isEstablished true>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Out token
.................
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <GSS name is [email protected]>
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <User name is DCConway>
>>> Constrained deleg from GSSCaller{UNKNOWN}
<Aug 6, 2018, 1:48:15,346 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <com.bea.common.security.internal.service.JAASIdentityAssertionConfigurationServiceImpl.getAppConfigurationEntry(com.sun.security.jgss.krb5.accept)>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is cglims_mt_dev.keytab refreshKrb5Config is false principal is HTTP/ [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=175
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=175
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove os-vd-m-009
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Aug 06 13:48:15 EDT 2018 1533577695000
suSec is 67734
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/ [email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = MAIN.ADS.COMAPNY.COMHTTPos-serv-li-env800.os.comapny.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com UDP:88, timeout=30000,Attempt =1, #bytes=264
>>> KrbKdcReq send: #bytes read=106
>>> KrbKdcReq send: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000, number of retries =3, #bytes=264
>>> KDCCommunication: kdc=os-vd-m-009.main.ads.comapny.com TCP:88, timeout=30000,Attempt =1, #bytes=264
>>>DEBUG: TCPClient reading 1923 bytes
>>> KrbKdcReq send: #bytes read=1923
>>> KdcAccessibility: remove os-vd-m-009
Looking for keys for: HTTP/ [email protected]
Added key: 17version: 4
Added key: 18version: 4
Added key: 23version: 4
Found unsupported keytype (3) for HTTP/ [email protected]
Found unsupported keytype (1) for HTTP/ [email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/os-serv-li-env800.os.comapny.com
principal is HTTP/ [email protected]
Will use keytab
Commit Succeeded
Found ticket for HTTP/ [email protected] to go to krbtgt/ [email protected] expiring on Mon Aug 06 23:48:15 EDT 2018
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <delegate state is true, acquire delegated credential...>
<Aug 6, 2018, 1:48:15,359 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <Username was found, setting up callbackhandler>
...........
<Aug 6, 2018, 1:48:15,503 PM EDT> <Debug> <SecurityAtn> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user DCConway, Identity=Subject: 46