Bug 891976

Summary: SSO: Cannot sign in with SPNEGO (kerberos)
Product: [JBoss] JBoss Enterprise Portal Platform 6
Reporter: Tomas Kyjovsky <tkyjovsk>
Component: Portal
Assignee: mposolda
Status: CLOSED CURRENTRELEASE
QA Contact: Tomas Kyjovsky <tkyjovsk>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.0.0
CC: bdawidow, epp-bugs
Target Milestone: ER05
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-16 08:55:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
- Excerpt from server.log showing what happens after click on "Sign in" (flags: none)
- Excerpt from kdc.log (flags: none)

Description Tomas Kyjovsky 2013-01-04 17:33:54 UTC
Created attachment 672496 [details]
Excerpt from server.log showing what happens after click on "Sign in"

Description of problem:
Cannot sign in with SPNEGO/kerberos. Kerberos authentication seems successful but portal doesn't sign the user in.

Version-Release number of selected component (if applicable):
JPP-6.0.0.ER04.2

Steps to Reproduce:
1. configure JPP6 for SPNEGO integration according to: https://docs.jboss.org/author/display/GTNPORTAL35/SPNEGO
a) install, configure & start kerberos service
b) configure firefox
c) configure JPP and enable additional logging

<logger category="org.gatein.sso">
  <level name="TRACE"/>
</logger>
<logger category="org.jboss.security.negotiation">
  <level name="TRACE"/>
</logger>

2. start JPP

./standalone.sh -Djava.security.krb5.realm=LOCAL.NETWORK -Djava.security.krb5.kdc=server.local.network -b server.local.network -Dsun.security.krb5.debug=true

3. log in with kerberos: kinit -A root

4. click "Sign in"

Actual results:
Authentication seems to go ok but the portal stays in "non-authenticated" mode - user is not signed in. There are no errors in log, only one warning:

13:04:46,864 WARN  [portal:UIPortalApplication] (http-server.local.network/10.34.26.120:8080-1) Could not load user profile for UwnC9QJulvwSALp0IV+YX2Ur_1357301085349. Using default portal locale.

Expected results:
Portal recognizes the user who authenticated with kerberos (in this case root).

Comment 1 Tomas Kyjovsky 2013-01-04 17:35:23 UTC
Created attachment 672497 [details]
Excerpt from kdc.log

Comment 2 mposolda 2013-01-09 14:28:59 UTC
The issue is caused by the Negotiation issue https://issues.jboss.org/browse/SECURITY-719. Actually this bug happens because of changes in jboss-as-web and picketbox, which cause negotiation not to work as expected. Details in SECURITY-719.

A proper fix needs to be done either in Negotiation or in the JBoss AS security integration layer (jboss-as-web or picketbox libraries). ATM I am not sure; I will discuss it with Darran.

Anyway, I can work around it in gatein-sso to have it fixed in ER5 (because it seems that it's too late for a JBoss Negotiation or jboss-as-web fix to be released and available in JPP6 ER5).

This bug can't be reproduced with GateIn master on AS 7.1.3 or AS 7.1.1 but only with JPP6 ER4.2 (it seems that changes in EAP 6.0.1.ER4.2 are causing this).

Comment 3 JBoss JIRA Server 2013-01-10 11:03:14 UTC
Marek Posolda <mposolda> made a comment on jira SECURITY-719

Just a note that the issue can be reproduced with the latest AS7 master and negotiation 2.2.2.Final.

I needed a quick fix available today for JPP6, so I worked around it for GateIn with commit https://github.com/mposolda/gatein-sso/commit/630208526f669beb9132172c6f0ff8b8e1f58d76, which simply rewrites the session_systemTime token with the real username in the principal returned from the jbossweb realm.
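The warning quoted in the description and the explanation in this comment together give a usable log signature for the bug: the "Could not load user profile for ..." warning names a session_systemTime token (an opaque blob, an underscore, then epoch milliseconds) where a Kerberos username such as "root" should appear. The following checker is an added example, not code from the bug report or from gatein-sso; it assumes the token layout seen in the single logged line, the JBoss console-log layout of that line, and a constructed three-line sample log. It flags warnings whose principal is a token rather than a username and decodes the embedded timestamp so the finding can be correlated with the kdc.log entries for the sign-in.

```python
import re
from datetime import datetime, timezone

# Constructed sample log (built for this example, not a real capture): line 1 is the
# warning quoted in the bug report, line 2 shows the same warning when the principal
# carries a real username, line 3 is unrelated noise.
SAMPLE_LOG = """\
13:04:46,864 WARN  [portal:UIPortalApplication] (http-server.local.network/10.34.26.120:8080-1) Could not load user profile for UwnC9QJulvwSALp0IV+YX2Ur_1357301085349. Using default portal locale.
13:05:10,001 WARN  [portal:UIPortalApplication] (http-server.local.network/10.34.26.120:8080-2) Could not load user profile for root. Using default portal locale.
13:05:11,002 INFO  [org.gatein.sso] (http-server.local.network/10.34.26.120:8080-2) SPNEGO handshake finished
"""

# Console-log layout seen in the report: "HH:MM:SS,mmm LEVEL [category] (thread) message".
PROFILE_WARNING = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+WARN\s+\[portal:UIPortalApplication\]\s+"
    r"\((?P<thread>[^)]*)\)\s+Could not load user profile for (?P<user>\S+)\. "
    r"Using default portal locale\.$"
)

# Assumed shape of the session_systemTime token from the one logged instance:
# a base64-like blob, an underscore, then 13 digits of epoch milliseconds.
SESSION_TOKEN = re.compile(r"^(?P<blob>[A-Za-z0-9+/=]+)_(?P<millis>\d{13})$")


def token_issue_time(user):
    """Return the token's embedded timestamp as an ISO-8601 UTC string with
    millisecond precision, or None if `user` does not look like a session token
    (i.e. it is an ordinary username)."""
    m = SESSION_TOKEN.match(user)
    if m is None:
        return None
    millis = int(m.group("millis"))
    # Integer seconds into fromtimestamp(); append the milliseconds ourselves to
    # avoid float rounding surprises.
    issued = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
    return issued.strftime("%Y-%m-%dT%H:%M:%S.") + f"{millis % 1000:03d}Z"


def find_token_principals(log_text):
    """Scan server.log text and return one record per profile warning whose user is
    a session token rather than a username. That is the signature of this bug: the
    principal handed to the portal still holds the temporary token instead of the
    Kerberos user. Warnings naming a real user are a separate (profile) problem and
    are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = PROFILE_WARNING.match(line)
        if m is None:
            continue
        issued_at = token_issue_time(m.group("user"))
        if issued_at is None:
            continue
        findings.append({
            "log_time": m.group("time"),
            "thread": m.group("thread"),
            "principal": m.group("user"),
            "token_issued_utc": issued_at,
        })
    return findings


if __name__ == "__main__":
    for f in find_token_principals(SAMPLE_LOG):
        print(f"{f['log_time']} {f['thread']}: principal is a session token "
              f"issued {f['token_issued_utc']} -> {f['principal']}")
```

Run against a real server.log by reading the file and passing its text to find_token_principals(); the decoded token time for the quoted line is 12:04:45 UTC, one hour behind the 13:04:46 local log clock, which is what you would expect for a token minted at the moment of the sign-in click.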

Comment 4 mposolda 2013-01-10 14:44:52 UTC
The fix is available in gatein-sso 1.3.1.Final, which will be available in JPP6 ER5.

Comment 5 Tomas Kyjovsky 2013-01-22 14:11:54 UTC
The problem is no longer present in JPP-6.0.0.ER5.