SaslException: All available authentication mechanisms Failed to read server challenge in JBoss EAP 7
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7
Issue
- We have a remote naming client that is trying to connect to a JBoss EAP 7.0 instance and is getting this authentication exception:
Exception in thread "main" javax.naming.AuthenticationException: Failed to connect to any server. Servers tried: [http-remoting://127.0.0.1:8080 (Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: C:\jboss-eap-7.0.0\standalone\tmp\auth\local3135071237957063730.challenge (The system cannot find the path specified)]
DIGEST-MD5: Server rejected authentication)] [Root exception is javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: C:\jboss-eap-7.0.0\standalone\tmp\auth\local3135071237957063730.challenge (The system cannot find the path specified)]
DIGEST-MD5: Server rejected authentication]
at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:238)
at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:149)
at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:130)
at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:272)
at org.jboss.naming.remote.client.RemoteContext.lookupInternal(RemoteContext.java:104)
at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:93)
at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:146)
at javax.naming.InitialContext.lookup(Unknown Source)
at redhat.QueueSend.init(QueueSend.java:45)
at redhat.QueueSend.main(QueueSend.java:90)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: E:\jboss-eap-7.0.0\standalone\tmp\auth\local7136072237958063451.challenge (The system cannot find the path specified)]
DIGEST-MD5: Server rejected authentication
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:389)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:241)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:198)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:112)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:294)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:276)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:393)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:377)
at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:111)
at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:197)
... 9 more
- We have a standalone Java application that is able to invoke an EJB when it is on the same machine as the server, but when they are on different machines it fails with:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: Failed to read challenge file [Caused by java.io.FileNotFoundException: \home\jboss\standalone\tmp\auth\local1211839583212539848.challenge (The system cannot find the path specified)]
DIGEST-MD5: javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition [Caused by javax.security.auth.callback.UnsupportedCallbackException]
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:109)
...
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:553)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:190)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:149)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:82)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:79)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:506)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:480)
...
Caused by: java.io.FileNotFoundException: \home\jboss\standalone\tmp\auth\local1211839583212539848.challenge (The system cannot find the path specified)
Resolution
Review the client configuration and the server-side configuration to ensure the client is specifying valid authentication credentials (username/password) and that they match what the server is configured to accept.
- Check the server-side configuration, for example the ApplicationRealm, which is the default, and make sure the user/password has been added (for example with $JBOSS_HOME/bin/add-user.sh) to the security realm that is securing the endpoint.
- Check the client side to make sure it is specifying a user/password that matches what the server is expecting, such as, for an EJB, in the InitialContext.
Related Solutions
- File based authentication challenge and SASL_DISALLOWED_MECHANISMS / JBOSS-LOCAL-USER on JBoss EAP 7 / 6
- How configure an EJB client in EAP 7.1+
- How to configure an EJB client in JBoss EAP 6 / 7.0
Root Cause
- This exception means that $local, as shown below in the JBoss profile XML, is enabled. $local will attempt a file-based challenge: if the caller is on the same machine as the server and $local authentication is allowed, as it is in the config below, authentication is checked by seeing if the calling process can create a file under the $JBOSS_HOME/ directory, and if it can, it will be authenticated without checking the password.
<management>
    <security-realms>
        ...
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                ...
If the server is configured to allow $local, it will attempt a file-based authentication challenge: if the client can create a file under the $JBOSS_HOME directory, it will be authenticated without checking any further credentials. This file challenge will only work if the client is running on the same machine as the server and as an operating system user that has write access to the $JBOSS_HOME directory.
The file based authentication challenge can be disabled by removing the $local configuration from the authentication section in the JBoss profile xml, which will prevent the server from attempting the file based challenge, but this does not fix the root issue when the client is not providing valid authentication credentials.
Diagnostic Steps
- Verify that the username and password in the remote client configuration match a user defined in the application realm or management realm.
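A triage aid for the traces in the Issue section, added here as an example (not Red Hat's code): it splits the SaslException message into its per-mechanism failures so the JBOSS-LOCAL-USER file-challenge error is not mistaken for the fault to fix. The function names are hypothetical, and the mapping from message text to finding is an assumption based on the Resolution above.

```python
import re

# Constructed inputs: the per-mechanism lines copied from the two traces on this page.
TRACE_EAP70 = r"""Authentication failed: all available authentication mechanisms failed:
   JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: C:\jboss-eap-7.0.0\standalone\tmp\auth\local3135071237957063730.challenge (The system cannot find the path specified)]
   DIGEST-MD5: Server rejected authentication"""
TRACE_ELY = r"""JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: Failed to read challenge file [Caused by java.io.FileNotFoundException: \home\jboss\standalone\tmp\auth\local1211839583212539848.challenge (The system cannot find the path specified)]
DIGEST-MD5: javax.security.sasl.SaslException: ELY05051: Callback handler does not support credential acquisition [Caused by javax.security.auth.callback.UnsupportedCallbackException]"""

# A mechanism line starts with an upper-case SASL mechanism name followed by ':'.
MECH_LINE = re.compile(r"^\s*([A-Z][A-Z0-9-]+):\s*(.+)$")

def mechanism_failures(text):
    """Return {mechanism: failure text}, keeping the first line seen per mechanism."""
    failures = {}
    for line in text.splitlines():
        m = MECH_LINE.match(line)
        if m:
            failures.setdefault(m.group(1), m.group(2).strip())
    return failures

def triage(text):
    """Map each failure to a finding (assumed mapping, following the Resolution)."""
    findings = {}
    for mech, msg in mechanism_failures(text).items():
        if mech == "JBOSS-LOCAL-USER" and ".challenge" in msg:
            # The client could not read the server's challenge file, e.g. because
            # it runs on another machine. A side effect, not the fault to fix.
            findings[mech] = "local file challenge unavailable (side effect)"
        elif "Server rejected authentication" in msg:
            findings[mech] = "credentials rejected: check user exists in the realm"
        elif "does not support credential acquisition" in msg:
            findings[mech] = "client supplied no credentials: set username/password"
        else:
            findings[mech] = "unclassified: " + msg
    return findings

if __name__ == "__main__":
    for name, trace in (("trace 1", TRACE_EAP70), ("trace 2", TRACE_ELY)):
        for mech, finding in triage(trace).items():
            print(f"{name:8} {mech:17} {finding}")
```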