Troubleshooting SPNEGO/Kerberos in JBoss EAP

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5
    • 6
    • 7
  • SPNEGO/Kerberos authentication (using legacy security in JBoss EAP 7)

Issue

  • What are some methods for troubleshooting?

  • How can I enable debug logging?

  • Getting the following authentication error:

      JBWEB000065: HTTP Status 401 - 
    
      --------------------------------------------------------------------------------
    
      JBWEB000309: type JBWEB000067: Status report
    
      JBWEB000068: message 
    
      JBWEB000069: description JBWEB000121: This request requires HTTP authentication.
    
    
      --------------------------------------------------------------------------------
    
      JBoss Web/7.2.2.Final-redhat-1
    

Resolution

  • Enable debug logging for the JVM's Kerberos code by setting the following system properties:

      sun.security.krb5.debug=true
    
      sun.security.spnego.debug=true
    

    See setting System properties in JBoss EAP 6/7

  • Enable TRACE level logging on org.jboss.security and org.wildfly.security:

  • Provide the output from the test provided in the Negotiation Toolkit. Here are links to the toolkit for JBoss EAP 6 and JBoss EAP 7.

  • General SPNEGO Troubleshooting

    • Download the kerblist tool (in the Windows 2003 Server Resource Kit) and use it to verify that the client machine can get a Kerberos ticket for the SPN:

        kerblist get HTTP/fqdn
      
    • Check the DNS entries for the fqdn name by running the following commands (attach the output to the ticket):

        nslookup
        > set type=ANY
        > ima.fqdn.com
      
    • Capture the network traffic between the client and server
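
Once the traffic is captured, the first thing to check is what the client actually sent in its `Authorization: Negotiate` header. The following is an added example, not part of the original solution or of JBoss: it classifies a header value copied from a capture as SPNEGO/Kerberos, NTLM, or malformed. The function names and the sample tokens are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (legacy Microsoft)
    bytes.fromhex("2b06010401823702020a"): "ntlm",      # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_length) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate ...' request header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "no-token"
    try:
        token = base64.b64decode(b64, validate=True)
        if token.startswith(b"NTLMSSP\x00"):           # raw NTLM, no Kerberos ticket was sent
            return "ntlm"
        tag, pos, _ = read_tlv(token, 0)               # GSS-API InitialContextToken
        if tag != 0x60:
            return "unknown"
        tag, pos, n = read_tlv(token, pos)             # thisMech OID
        mech = token[pos:pos + n]
        if tag == 0x06 and mech in MECHS:              # mechanism token without SPNEGO wrapper
            return MECHS[mech]
        if tag != 0x06 or mech != SPNEGO_OID:
            return "unknown"
        pos += n
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF -> first OID
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, pos, n = read_tlv(token, pos)
            if tag != expected:
                return "unknown"
        return "spnego/" + MECHS.get(token[pos:pos + n], "other")
    except (ValueError, IndexError):                   # bad base64 or truncated DER
        return "malformed"

def _der(tag, body):                                   # short-form DER, for constructed samples only
    return bytes([tag, len(body)]) + body

def sample_header(first_mech_hex):
    """Constructed sample: SPNEGO NegTokenInit holding only a mechTypes list."""
    mechs = _der(0x30, _der(0x06, bytes.fromhex(first_mech_hex)))
    neg = _der(0xA0, _der(0x30, _der(0xA0, mechs)))
    token = _der(0x60, _der(0x06, SPNEGO_OID) + neg)
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of `ntlm` or `spnego/ntlm` means the client did not send a Kerberos ticket for the service, which points back to the SPN and DNS checks above.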


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.