EJB Deployment in JBoss EAP returns SaslException: Authentication failed: none of the mechanisms presented by the server (DIGEST-MD5) are supported
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.x
Issue
Security returns: created SaslClient [null] for mechanisms [DIGEST-MD5], as in:
08:21:09,753 TRACE [org.wildfly.security] (XNIO-1 I/O-1) Created SaslClient [null] for mechanisms [DIGEST-MD5]
08:21:09,753 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Connection error detail: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (DIGEST-MD5) are supported
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:443) [jboss-remoting-5.0.18.Final-redhat-00001.jar:5.0.18.Final-redhat-00001]
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:244) [jboss-remoting-5.0.18.Final-redhat-00001.jar:5.0.18.Final-redhat-00001]
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92) [xnio-api-3.7.6.SP3-redhat-00001.jar:3.7.6.SP3-redhat-00001]
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66) [xnio-api-3.7.6.SP3-redhat-00001.jar:3.7.6.SP3-redhat-00001]
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Resolution
Fixed in EAP 7.3 Update 5+. When available, apply the latest Update.
Root Cause
EJBCLIENT-349 / JBEAP-20583 - ServiceURLs not constructed correctly when using EJB client 4 application with EAP 7 server
Diagnostic Steps
- Verify from the trace logs whether the configured rule is matched and the correct user is authenticated, i.e. ejbadminuser. Possibly, the match rule is not matched and the anonymous user is used.
- Then, verify the server side configuration and specifically the URI used (remote+http://host1.examples.redhat.com:8080 vs the IP address (192.168.1.105) being used directly) and whether they match.
Enable the following debug/trace logging:
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="org.jboss.remoting.remote">
<level name="TRACE"/>
</logger>
<logger category="org.jboss.security">
<level name="ALL"/>
</logger>
<logger category="org.jboss.as.security">
<level name="ALL"/>
</logger>
<logger category="org.keycloak">
<level name="TRACE"/>
</logger>
<logger category="org.picketbox">
<level name="ALL"/>
</logger>
<logger category="org.wildfly.security">
<level name="ALL"/>
</logger>
<logger category="org.wildfly.elytron">
<level name="ALL"/>
</logger>
<logger category="org.jboss.remoting">
<level name="ALL"/>
</logger>
<logger category="org.jboss.sasl">
<level name="ALL"/>
</logger>
<logger category="org.jboss.ejb">
<level name="ALL"/>
</logger>
<logger category="org.jboss.as.ejb3">
<level name="ALL"/>
</logger>
<logger category="org.wildfly.discovery">
<level name="ALL"/>
</logger>
<logger category="org.wildfly.naming">
<level name="ALL"/>
</logger>
getAuthenticationConfiguration is called several times during a remote EJB invocation. When hitting the bug JBEAP-20583, the trace logging shows getAuthenticationConfiguration uri=remote+http://host1:8080, which succeeds, and then later getAuthenticationConfiguration uri=remote+http://192.168.1.101:8080 with an IP address instead of the hostname, resulting in the SaslException authentication failure shown below.
TRACE [org.wildfly.security] (XNIO-1 task-2) getAuthenticationConfiguration uri=remote+http://host1:8080, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=host1,set-protocol=remote+http,set-port=8080,providers-supplier=org.wildfly.security.util.ProviderUtil$1@68d5b28c,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
...
TRACE [org.wildfly.security] (XNIO-1 task-2) getAuthenticationConfiguration uri=remote+http://192.168.1.101:8080, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=192.168.1.101,set-protocol=remote+http,set-port=8080,providers-supplier=org.wildfly.security.util.ProviderUtil$1@68d5b28c,mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
...
TRACE [org.wildfly.security] (XNIO-1 I/O-1) Created SaslClient [null] for mechanisms [DIGEST-MD5]
TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Connection error detail: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (DIGEST-MD5) are supported
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:443) [jboss-remoting-5.0.18.Final-redhat-00001.jar:5.0.18.Final-redhat-00001]
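The check described in the diagnostic steps can be scripted over a client trace log. The following is an added example, not Red Hat or WildFly code: the names `triage`, `is_ip` and `SAMPLE_LOG` are hypothetical, and the sample input is constructed from the trace lines quoted above with the configuration tail shortened.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the article's trace lines with the long configuration tail shortened.
SAMPLE_LOG = """\
TRACE [org.wildfly.security] (XNIO-1 task-2) getAuthenticationConfiguration uri=remote+http://host1:8080, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=host1,set-protocol=remote+http,set-port=8080]
TRACE [org.wildfly.security] (XNIO-1 task-2) getAuthenticationConfiguration uri=remote+http://192.168.1.101:8080, protocolDefaultPort=-1, abstractType=ejb, abstractTypeAuthority=jboss, MatchRule=[null], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=192.168.1.101,set-protocol=remote+http,set-port=8080]
TRACE [org.wildfly.security] (XNIO-1 I/O-1) Created SaslClient [null] for mechanisms [DIGEST-MD5]
TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Connection error detail: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (DIGEST-MD5) are supported
"""

LOOKUP = re.compile(
    r"getAuthenticationConfiguration uri=(?P<uri>[^,\s]+)"
    r".*?MatchRule=\[(?P<rule>[^\]]*)\].*?principal=(?P<principal>[^,\]]+)"
)
SASL_FAILURE = "SaslException: Authentication failed"


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Summarise the lookups made before a SASL failure in a client trace log."""
    seen_hostname = switched_to_ip = sasl_failed = False
    anonymous_hosts = []
    for line in log_text.splitlines():
        m = LOOKUP.search(line)
        if m:
            host = urlsplit(m["uri"]).hostname or ""
            if is_ip(host):
                switched_to_ip = switched_to_ip or seen_hostname
            else:
                seen_hostname = True
            # Assumption: "no rule applied" is logged as MatchRule=[null], as in the traces above.
            if m["rule"] == "null" and m["principal"] == "anonymous":
                anonymous_hosts.append(host)
        elif SASL_FAILURE in line and switched_to_ip:
            sasl_failed = True
    return {
        "anonymous_hosts": anonymous_hosts,
        "hostname_then_ip": switched_to_ip,
        "sasl_failure_after_switch": sasl_failed,
    }
```

A result with `hostname_then_ip` and `sasl_failure_after_switch` both true corresponds to the sequence described above; a non-empty `anonymous_hosts` list means the configured rule was not applied for those hosts.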