Hi All,

Sorry for the duplicate requests. The first one was accidentally flagged
for Google's new Confidential Mode which happened to be flagged.
I have a Red Hat 9.2 server hosting a web application on a single instance
of Apache Tomcat. This instance is behind an Apache HTTP Server, version
2.4.57. The application is hosted on Tomcat 9.0.54.

Domain: subdomain.domain.com
Site: devexample.domain.com

URL hit: https://example.subdomain.domain.com/webclient/exclient.jsp

*I keep getting this in the Tomcat Logs when accessing the application:*
*>>> Constrained deleg from GSSCaller{UNKNOWN}*

*The site outputs: No Delegated Creds*

==> /usr/local/tomcat.base1/logs/catalina.out <==
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 07 9c 30 82 07 98
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
SpNegoContext.acceptSecContext: negotiated mech adjusted to
1.2.840.48018.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
default etypes for permitted_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1714581339/110759/3E7E144B703BC0DDF45376543A10D97E/
tdela...@subdomain.domain.com to tdela...@subdomain.domain.com|HTTP/
example.subdomain.domain....@subdomain.domain.com
MemoryCache: Existing AuthList:
#2: 1714581051/110713/284BD5E74E7044E9E66B22C52BF079DA/
tdela...@subdomain.domain.com
#1: 1714581074/110755/52760F4857C60255439E4F92BC0DC866/
tdela...@subdomain.domain.com

>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 599648764
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 268372232
*>>> Constrained deleg from GSSCaller{UNKNOWN}*
SPNEGO Negotiated Mechanism = 1.2.840.113554.1.2.2 Kerberos V5
SpNegoContext.acceptSecContext: mechanism wanted = 1.2.840.48018.1.2.2
SpNegoContext.acceptSecContext: negotiated result = ACCEPT_COMPLETE
SpNegoContext.acceptSecContext: sending token of type = SPNEGO NegTokenTarg
SpNegoToken NegTokenTarg: sending additional token for MS Interop
SpNegoContext.acceptSecContext: sending token = a1 81 f5 30 81 f2 a0 03 0a

==> /usr/local/tomcat.base1/logs/catalina.2024-05-01.log <==
01-May-2024 12:35:39.870 FINE [ajp-nio-127.0.0.1-8109-exec-8]
net.sourceforge.spnego.SpnegoHttpFilter.doFilter principal=
tdela...@subdomain.domain.com


*Here is my setup:*

Tomcat bin/lib directory exists in /usr/local/tomcat/
/usr/local/tomcat.base1/


*SPNEGO Filter =====*
/usr/local/tomcat.base5/conf/web.xml

<filter>
  <filter-name>SpnegoHttpFilter_devexample</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <init-param>
    <param-name>spnego.allow.delegation</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.localhost</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.unsecure.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.client.module</param-name>
    <param-value>spnego-client</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.krb5.conf</param-name>
    <param-value>/usr/local/tomcat/spnego.krb5.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.conf</param-name>
    <param-value>/usr/local/tomcat/login.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.server.module</param-name>
    <param-value>spnego-server</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.prompt.ntlm</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.logger.level</param-name>
    <param-value>1</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<Connector port="8585" protocol="HTTP/1.1" connectionTimeout="2000"
redirectPort="8443" maxHttpHeaderSize="1048576"/>

*Server XML =====*
/usr/local/tomcat.base5/conf/server.xml
<Connector port="8085" protocol="HTTP/1.1" relaxedQueryChars="^{}[]|&quot;"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8509" protocol="AJP/1.3" redirectPort="8509"
           address="127.0.0.1" secretRequired="" tomcatAuthentication="false"/>

*Login Configuration =====*
login.conf


spnego-client {
  com.sun.security.auth.module.Krb5LoginModule required;
};
spnego-server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/usr/local/tomcat/krb5.keytab"
  storeKey=true
  principal="HTTP/example.subdomain.domain....@subdomain.domain.com"
  isInitiator=false
  forwardable=true
  debug=true;
};

*KRB5.conf File =====*

spnego.krb.conf
[libdefaults]
  default_realm = SUBDOMAIN.DOMAIN.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96
  kdc_use_tcp = 1
[realms]
  SUBDOMAIN.DOMAIN.COM = {
    kdc = DOMAIN-DC-01.SUBDOMAIN.DOMAIN.COM:88
    kdc = DOMAIN-DC-02.SUBDOMAIN.DOMAIN.COM:88
    kdc = DOMAIN-DC-03.SUBDOMAIN.DOMAIN.COM:88
    default_domain = SUBDOMAIN.DOMAIN.COM
  }
[domain_realm]
  .SUBDOMAIN.DOMAIN.COM = SUBDOMAIN.DOMAIN.COM
  subdomain.domain.com = SUBDOMAIN.DOMAIN.COM

*Keytab was generated on AD domain Controller*

DSADD user "cn=SA_EX_VAISSO,cn=users,dc=SUBDOMAIN,dc=DOMAIN,dc=COM" -pwd password -display SA_EX_VAISSO -pwdneverexpires yes "SSO-EXAMPLE EX SSO"

Went into AD manager, assigned AES 256-bit encryption on the user, checked
"Do not require pre-authentication" and applied the changes. This doesn't seem
to change the result.

SETSPN -A HTTP/example.subdomain.domain....@domain.com
ktpass -PRINC HTTP/example.subdomain.domain....@domain.com -ptype KRB5_NT_PRINCIPAL -mapuser SA_EX_SSO -mapOp set -pass <password> -out C:\SSO\krb5.keytab -crypto All +DumpSalt

Went into AD manager and selected "Trust this user for delegation
(Kerberos)"

*EX Client.jsp code:*

<%@ page import="java.net.*" %>
<%@ page import="org.ietf.jgss.*" %>
<%@ page import="net.sourceforge.spnego.*" %>
<%@ page import="org.apache.commons.codec.binary.Base64" %>
<%
  // Set the settings for this session, that do not need to go to the client
  java.util.Map<String, String> values = new java.util.HashMap<String, String>();
  String base64_ticket = null;
  if (request instanceof DelegateServletRequest) {
    DelegateServletRequest dsr = (DelegateServletRequest) request;
    out.println("DSR: " + dsr);
    out.println("Auth Type: " + request.getAuthType());
    out.println("Remote User: " + request.getRemoteUser());
    out.println("Remote User Principal: " + request.getUserPrincipal());
    //out.println("User Info: " + request.getUserInfo());

    // Credential the SPNEGO filter extracted from the client's forwarded ticket (null if none)
    GSSCredential creds = dsr.getDelegatedCredential();
    if (null == creds) {
      out.println("No delegated creds.");
    } else {
      out.print(creds.getName().toString());
      Oid kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
      // create a GSSManager, which will do the work
      GSSManager gssManager = GSSManager.getInstance();
      // replace the name with the appropriate Kerberos Service Name
      GSSName serviceName = gssManager.createName("krbsvr...@as400.subdomain.domain.com",
          GSSName.NT_HOSTBASED_SERVICE);
      serviceName = serviceName.canonicalize(kerberos5Oid);
      // create a security context between the client and the service
      GSSContext gssContext = gssManager.createContext(serviceName, kerberos5Oid,
          creds, GSSContext.DEFAULT_LIFETIME);
      // initialize the security context
      // this operation will cause a Kerberos request of Active Directory,
      // to create a service ticket for the client to use the service
      byte[] serviceTicket = gssContext.initSecContext(new byte[0], 0, 0);
      gssContext.dispose();
      if (serviceTicket == null) {
        out.print("No Service Ticket");
      } else {
        // out.println("Service Ticket Found " + serviceTicket.toString());
        base64_ticket = Base64.encodeBase64String(serviceTicket);
        // strip line breaks so the token can travel in a single header/field
        base64_ticket = base64_ticket.replaceAll("\r|\n", "");
      }
    }
  }
%>

I've looked all over the web for this error, but it's not very clear how to
resolve or troubleshoot it. I've checked over the configuration too many
times to count. Is there a solution to this, or a tool to help me figure out
why this is occurring for my setup/configuration? If this is not the correct
place to leave this type of ticket, then please direct me to where I can look
for further support on this.

Thanks,

Tom
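As an added diagnostic (my own example, not code from the spnego project or from the post above), here is a standalone Java program that accepts one captured SPNEGO token under the same login.conf and krb5.conf that Tomcat uses and prints what the acceptor actually sees about delegation, so the "No delegated creds" result can be separated from the filter and the JSP. It assumes the "spnego-server" JAAS entry and file paths shown above, and reads the base64 token (the value after "Negotiate " in the browser's Authorization header) from a file named on the command line.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added diagnostic, not part of the spnego library or the JSP.
// Run with the same Kerberos and JAAS configuration as Tomcat:
//   java -Djava.security.krb5.conf=/usr/local/tomcat/spnego.krb5.conf \
//        -Djava.security.auth.login.config=/usr/local/tomcat/login.conf \
//        -Dsun.security.krb5.debug=true DelegCheck token.b64
public class DelegCheck {
    public static void main(String[] args) throws Exception {
        byte[] token = Base64.getMimeDecoder().decode(Files.readAllBytes(Paths.get(args[0])));
        LoginContext lc = new LoginContext("spnego-server"); // keytab login, isInitiator=false
        lc.login();
        Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<Void>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid spnego = new Oid("1.3.6.1.5.5.2");          // SPNEGO mechanism OID
            GSSCredential serverCred = mgr.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = mgr.createContext(serverCred);
            // A Kerberos NegTokenInit establishes the acceptor side in one call
            ctx.acceptSecContext(token, 0, token.length);
            System.out.println("established       : " + ctx.isEstablished());
            System.out.println("client principal  : " + ctx.getSrcName());
            System.out.println("negotiated mech   : " + ctx.getMech());
            // true only when the client asked for delegation and forwarded its TGT
            // inside the AP-REQ; false means nothing was forwarded, and the JDK then
            // logs the ">>> Constrained deleg" line and can only try S4U2Proxy
            System.out.println("client delegated  : " + ctx.getCredDelegState());
            try {
                GSSCredential deleg = ctx.getDelegCred();
                System.out.println("delegated cred    : " + (deleg == null ? "none"
                        : deleg.getName() + " usage=" + deleg.getUsage()));
            } catch (GSSException e) {                       // NO_CRED: nothing to impersonate with
                System.out.println("delegated cred    : none (" + e.getMessage() + ")");
            }
            ctx.dispose();
            return null;
        });
    }
}
```

If "client delegated" prints false while the context is established, the server side is working and the missing piece is on the client/AD side (the browser's delegation policy and the SPN's delegation settings), not in web.xml.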
