
spnego with mozilla

Former Member
0 Kudos

Hi all,

I've configured spnego on a J2EE engine and the mechanism works with Internet Explorer. However, on mozilla browsers, eg. firefox I get the "GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))" message.

I got this message also with IE, but after a

<a href="http://www.windowsitlibrary.com/Content/617/06/7.html">registry fix</a> on the J2EE server, a JDK update (1.4.2_12) and an adjustment to krb5.conf:

<i>[libdefaults]

default_tgs_enctypes=des-cbc-md5 des-cbc-crc des3-cbc-sha1

default_tkt_enctypes=des-cbc-md5 des-cbc-crc des3-cbc-sha1

permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1</i>

it works like a charm.

Any ideas? SAP Note 942111 suggests creating a new keytab, but does it make sense to do this just for Mozilla?

Cheers

Marcel

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

SPNego works with Firefox.

You just have to set 2 options using the following steps:

1. In the address bar type about:config

2. Set these 2 options

<b>network.negotiate-auth.delegation-uris</b>= <b>https://,http://</b>

<b>network.negotiate-auth.trusted-uris</b>= <b>https://,http://</b>

Of course you may set any other values - just search Google for Firefox configuration options.


koehntopp
Product and Topic Expert
0 Kudos

From http://bofriis.dk/spnego/qa.html#i9:

Q:

ERROR: Mechanism level: KDC has no support for encryption type (14)

A:

This error occurs when the SPN account uses the Active Directory default encryption type RC4-HMAC. However, SUN JDK does not support this encryption type. SUN JDK only supports DES. But if IBM JDK is used, RC4-HMAC is supported.

Check the SPN user account. It must have the "use des..." checked for the user.

Also check the default enctypes in the krb5.conf file. They must be set to "des-cbc-md5;des-cbc-crc".

Hope that helps,

Frank.

0 Kudos

Hi Rumen,

Thanks. I forgot to mention that I'd already set those two parameters just like you suggest below. In addition I've also set <b>network.automatic-ntlm-auth.trusted-uris</b> to <b>https://,http://</b>.

I also use Netscape 8, with that brilliant function to switch between IE and Firefox. There I can see that for IE it works and the moment I switch to Firefox the authentication fails...

Any other ideas?

Marcel

0 Kudos

Hi,

Do you have some firefox plugin or something to sniff the traffic and check HTTP headers?

The SPNego protocol is a pretty simple thing if you do not dig deep into Kerberos:

1. Browser sends a request

2. Server responds 401 Unauthorized and sets header

WWW-Authenticate: Negotiate

3. If the browser is properly configured, it re-requests the same URL but has the Negotiate header set with a Kerberos token.

4. Server checks token and authorizes user.

But IE for example - if not properly configured (i.e. no "Enable windows integrated authentication" set, or the site is not in the trusted list, or "Do not use a proxy for" the domain is not set) - then it sends (see 3) an NTLM (instead of Kerberos) token in response to the WWW-Authenticate: Negotiate header.

So check the HTTP requests. You can easily distinguish NTLM tokens from Kerberos tokens - NTLM tokens look like:

Negotiate <b>TlRMTVNTUAADAAAAAAAAAEAAA......</b>

A typical SPNEGO/Kerberos looks like:

Negotiate <b>YIIJUQYGKwYBBQUCoIIJRTCCCU..</b>

0 Kudos

I forgot to say that if I were you I'd remove the

network.automatic-ntlm-auth.trusted-uris

and if not working I would then sniff the traffic.

MarcelRabe
Product and Topic Expert
0 Kudos

Guys,

thanks for your answers. For some reason the message was posted under a different username so I cannot reward any points. But your help is much appreciated.

Haven't solved the problem yet though.

0 Kudos

Are you using the NetWeaver login module for SPNEGO support? If you are, then it does not support the GSS mech OID which Firefox uses (e.g. RFC1964) and only supports the mech OID used by MS IE. I think this is the reason for your problem.

If you want a solution to this, please contact me offline. My email address is tim.alsop@cybersafe.com.

0 Kudos

Pretty nice statement, Tim! Have you decompiled the SPNegoLoginModule?

I have successfully logged in using SPNego and Mozilla Firefox.

However I am rolling up my sleeves and will check this with a different Mozilla version.

Marcel, what version of Mozilla do you use?

MarcelRabe
Product and Topic Expert
0 Kudos

Hi Rumen

I'm using a couple of different versions such as 1.0.8, 1.5 and 1.5.0.4.

Tim makes a very interesting statement and it's the first time I've heard it.

Marcel

0 Kudos

Hi,

I just checked again, and it appears my last statement was very misleading. In fact, the functionality for IWA in Mozilla is normally the same as IE, but Mozilla also supports RFC1964 when it is configured to use a third-party Kerberos library instead of using SSPI. This would also be used if Mozilla was running on a Unix or Linux workstation and a PAM module was used to obtain Kerberos tickets during workstation logon. I was getting this confused with your problem, so I apologise for any misunderstandings.

In summary - if Firefox/Mozilla is used with SSPI (e.g. using direct access to MS creds obtained at workstation logon) then it will use the same mech OID that IE uses. If however you use a third-party Kerberos library which provides a GSS-API library on your workstation (e.g. to support two-factor user authentication via the Kerberos protocol) then Mozilla/Firefox and the SAP SPNego logon module will not work together.

So, if you do have a need for a SAP NetWeaver logon module which supports RFC1964 tokens as well as SSPI tokens - our product (TrustBroker Adapter) might be worth considering. This product is a commercially supported, SAP Certified, and Powered by NetWeaver product that uses the SPNEGO standard to provide IWA in NetWeaver applications. It does not use the Kerberos implementation provided in the Java JDK so is not constrained by some of its weaknesses and configuration difficulties.

Thanks, and once again sorry to cause any misunderstandings.

Regards,

Tim

0 Kudos

Hi,

As promised - I have debugged the SPNegoLoginModule, and as Tim says - IE and Firefox (I have downloaded the latest Firefox version 1.5.0.4) work the same way (send the same set of supported mechs), so for the Windows version of Firefox, and no third-party library, I can prove in practice that it works okay. The only thing I have configured on the newly installed Firefox is these two options (network.negotiate-auth.delegation-uris = http://,https:// and network.negotiate-auth.trusted-uris = http://,https://).

I am not at office now but on Monday I'll be back and will post the detailed info.

By the way, Marcel, on what OS is your Firefox running? Is it on Windows, Mac or Linux?

0 Kudos

Hi Rumen

Both Windows and Linux (SLES).

0 Kudos

Marcel,

Since you are using Firefox on SLES Linux, hopefully you understood from my earlier posts to this thread that the SAP Login Module will not support this - SAP only coded their Login Module to support SSPI tokens from Windows browsers (IE and Firefox). If you want to support Firefox on Linux, you might want to consider our TrustBroker Adapter product - we have extended our Login Module to support RFC1964 tokens, so we are able to support Firefox on Linux.

Of course, in both cases you need to have authenticated the user using Kerberos during workstation logon. On Linux this might be done using a Kerberos PAM module that is configured to use your Active Directory domain.

Thanks,

Tim

0 Kudos

Sorry for the delay!

Here is the text I had prepared for posting it here:

As I promised - I have just downloaded the latest version of Firefox (1.5.0.4 for Windows) and debugged the SPNego. Of course the initial attempt failed, because I forgot to set the

<b> network.negotiate-auth.delegation-uris = http://,https://

network.negotiate-auth.trusted-uris = http://,https://</b>

options.

And as expected - after correctly setting these two Firefox options - it worked - Firefox sends 3 supported mechanisms - here is a copy-paste from the debugger:

[
OBJECT ID = 1.2.840.48018.1.2.2,
OBJECT ID = 1.2.840.113554.1.2.2,
OBJECT ID = 1.3.6.1.4.1.311.2.2.10]

Two of them are supported by SPNegoLoginModule:

[
OBJECT ID = 1.2.840.48018.1.2.2,
OBJECT ID = 1.2.840.113554.1.2.2]

I did the test for IE too. Internet Explorer supports EXACTLY the same set of mechs as Firefox does:

[
OBJECT ID = 1.2.840.48018.1.2.2,
OBJECT ID = 1.2.840.113554.1.2.2,
OBJECT ID = 1.3.6.1.4.1.311.2.2.10]

So, there are even two mechanisms that both Firefox and SPNegoLoginModule support.

<b>If no supported mechanism is found you will have an error log</b> - "No supported mechanism found." in the defaultTrace.X.trc file of the J2EE Engine.

Also an exception will be thrown (which will also be logged).

If the mechanism is supported you will get an "info" message in the log "Supported mechanism found: " + <the OID of the mech>

Here is the code that generates these log records. (a copy-paste from the source of SPNegoLoginModule)

if ( -1 == mechIdx ) {
    // No supported mechanism available. We
    // must stop the handshake.
    errorT( "No supported mechanism found." );
    throw new SPNegoProtocolException( "No supported mechanisms available." );
} else {
    state.mech = spninit.getMechTypeList()[mechIdx];
    infoT( "Supported mechanism found: " + state.mech.getID() );
}

I think it is obvious now that it is possible to use SPNegoLoginModule with Firefox. I can attach screenshots if needed. However - I would love a challenge concerning the topic.

Now - on Marcel's problem - since all (except one, and it is already fixed) SPNego-related issues in the Java server appear to be misconfiguration problems (on the AD, browser, or J2EE server), I suppose you have not configured your Firefox properly. Check the trusted domains, proxies, etc. SPNego DEFINITELY works with Firefox. I am not a Firefox expert and I cannot say which option is wrong, but I would really appreciate it if you share your knowledge when you find the solution.

Thanks in advance!
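An added example in Python (written for this thread, not code from SAP or from any poster) that covers two points made above: Rumen's tip on telling an NTLM fallback from a Kerberos/SPNEGO token by the start of the Negotiate header, and the mechanism-list negotiation that the quoted SPNegoLoginModule branch completes. SERVER_MECHS is the two-OID list reported in this post, the NegTokenInit sample is constructed by hand (no mechToken), and select_mech assumes the module picks the first mechanism in the client's order that it supports, which the quoted snippet alone does not show.

```python
import base64
SERVER_MECHS = ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2"]  # the two OIDs this post reports SPNegoLoginModule accepts

def _read_tlv(buf, pos=0):  # one DER TLV at pos -> (tag, content, next_pos); long-form lengths (82 09 51) handled
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        n = length & 0x7F; length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):  # DER OID content octets -> dotted string; first octet packs the first two arcs
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(value); value = 0  # clear high bit ends a base-128 arc
    return ".".join(map(str, arcs))

def classify(header_value):
    """'Negotiate <b64>' -> ('ntlm', NTLM message type), ('gss', thisMech OID) or ('unknown', None)."""
    b64 = "".join(c for c in header_value.split(" ", 1)[-1] if c.isalnum() or c in "+/=")
    raw = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # drop a partial group: tokens in logs are often truncated
    if raw.startswith(b"NTLMSSP\x00"):  # raw NTLM: what a misconfigured browser falls back to
        return ("ntlm", int.from_bytes(raw[8:12], "little"))
    if raw[:1] == b"\x60":  # GSS-API InitialContextToken; thisMech OID is its first element
        tag, oid, _ = _read_tlv(_read_tlv(raw)[1])
        return ("gss", _oid(oid)) if tag == 0x06 else ("unknown", None)
    return ("unknown", None)

def mech_types(raw):
    """mechTypes of a SPNEGO NegTokenInit, in the client's preference order ([] if not SPNEGO)."""
    _, inner, _ = _read_tlv(raw)
    _, oid, pos = _read_tlv(inner)
    if _oid(oid) != "1.3.6.1.5.5.2": return []
    for _ in range(4):  # unwrap [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
        _, inner, _ = _read_tlv(inner, pos); pos = 0
    oids = []
    while pos < len(inner):
        _, content, pos = _read_tlv(inner, pos); oids.append(_oid(content))
    return oids

def select_mech(client_mechs, server_mechs=SERVER_MECHS):
    """First client-preferred mech the server supports; None is the 'No supported mechanism found' case."""
    return next((m for m in client_mechs if m in server_mechs), None)

# Constructed sample (not captured from the thread): NegTokenInit carrying just the three mechTypes listed above
SAMPLE_NEGTOKENINIT = bytes.fromhex(
    "60 32  06 06 2b 06 01 05 05 02"        # InitialContextToken(50) { thisMech = 1.3.6.1.5.5.2 (SPNEGO)
    "a0 28  30 26  a0 24  30 22"            #   [0] NegTokenInit { SEQUENCE { [0] mechTypes { SEQUENCE OF
    "06 09 2a 86 48 82 f7 12 01 02 02"      #     1.2.840.48018.1.2.2 (MS KRB5)
    "06 09 2a 86 48 86 f7 12 01 02 02"      #     1.2.840.113554.1.2.2 (KRB5)
    "06 0a 2b 06 01 04 01 82 37 02 02 0a")  #     1.3.6.1.4.1.311.2.2.10 (NTLMSSP) } } } }
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_NEGTOKENINIT).decode()
```

Fed the truncated prefixes quoted earlier in the thread, classify("Negotiate TlRMTVNTUAADAAAAAAAAAEAAA") returns ('ntlm', 3) and classify("Negotiate YIIJUQYGKwYBBQUCoIIJRTCCCU") returns ('gss', '1.3.6.1.5.5.2'); mech_types(SAMPLE_NEGTOKENINIT) yields the three OIDs in the order above and select_mech picks 1.2.840.48018.1.2.2.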

0 Kudos

Hi Rumen,

this is why I love SDN! Thanks for the effort. The 10 points are yours for sure, but I'll reward them when I find out what I'm doing wrong.

Have a nice weekend

Marcel

0 Kudos

Hi Marcel,

To further support Rumen's point: by contrast to IE, Firefox does not read all of its configuration from the Windows registry. So it is possible that the registry fix you applied configured only IE for SPNego.

Having said this, I would suggest that you apply SAP Note 942111 - note that the suggestion there is to generate a <b>copy</b> of the keytab locally on the J2EE Engine host (as opposed to getting the one generated on the ADS).

If it still doesn't work my next suggestion will be to double-check the configuration step by step.

Regards,

Yonko

0 Kudos

Thanks Marcel!

Yonko, I get a little bit nervous when it comes to touching a working SPNego/Kerberos solution. So I'll say a few words.

Encryption is made in the KDC. As you remember - one of the installation guide points is to enable "Use DES encryption for this account" on the service user.

So, the browser receives encrypted data from the KDC and only wraps it into a Kerberos token. I have to admit I do not remember the structure of the token, but when I stop and think for a while ... I doubt it has something encrypted by the browser. Who is decrypting then, and with what key?

Also - SPNego works with IE. This means that the J2EE<->KDC negotiation is OK, so there is no need to touch the configuration of the J2EE or KDC. Everything should be in the browser.

Marcel, what JDK is running the J2EE? IBM or SUN? And what KDC do you use - is it the Windows Active Directory or something else? If you use MS Active Directory - you have to have set the "Use DES encryption for this account" on the service user.

Why don't you apply SAP note 958107 - it is a diagnostic tool for Kerberos, does not change anything anywhere.

Then run the diagtool but this time with the following configuration:

go.bat conf\traces_snapshot.conf <configtool_dir>

The tool will start collecting traces until you press ENTER.

Do not press ENTER yet. Reproduce the problem - try to access the protected area with Firefox.

Get back to the diagnostic tool and press ENTER.

Then you may post here the traces collected.

I will take a look at them.

If you think it is sensitive information - email it to me -

Rumen * Barov @ sap * com

No spaces. Dots instead of asterisks.

My manager is interested in your problem too, so this issue here may help improve the SAP SPNego solution.