Jetty SPNEGO/SSO gives NPE. Expected cause krn5.ini? - cross-domain

We're facing an issue where Jetty SPNEGO gives an NPE inside SpnegoLoginService.login()
The gssContext.getSrcName() call returns null.
The SPN is: HTTP/machine.dd.aa.net#EE.AA.NET
Must there be a special setup in the KRB5.INI file when dd.aa.net != EE.AA.NET ?
The only clue i found with Google is this warning message from some online source code:
if (gssContext.isEstablished()) {
if (gssContext.getSrcName() == null) {
log.warn("GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration");
return false;
}
Our client-setup is
Internet-explorer browser, setup for negotiate/spnego
login using Windows SmartCard
Our server-setup is
Java 8u45
Jetty 9
using org.eclipse.jetty.security.SpnegoLoginService
We used java kinit on the server to validate against the keytab and also against the DC. which went ok. Also the reverse DNS zones are working.
is there a possibility that the 'service request token' generated by the client browser (logged in with smartcard) doesn't supply the context initiator / client principle name ?
Thanks

The nullpointer was gone when we went from Java 1.8u45 to Java 1.8u60
Turns out the server side didn't check all tickets provided by the client, so didn't find the correct one.
Below the bug entry:
[JDK-8078439] SPNEGO auth fails if client proposes MS krb5 OID

Related

Window Authentication in Linux .net core

I'm trying to make work window authentication in Linux/Debian server with Kerberos. I'm using .net core 3.1 and IdentityServer4. For now I had joined Linux to the Windows AD like docs say:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio#kestrel-1
I have managet to work kerberos from bash with -kinit command. I also made work Apache2 with kerberos.
But in .net core it's always returns in logs
[17:39:53 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler AuthenticationScheme: Negotiate was challenged.
[17:39:54 Information] Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler None
if I set in krb5.conf wrong encript type I have error like:
Interop+NetSecurityNative+GssApiException: GSSAPI operation failed with error - Unspecified GSS failure. Minor code may provide more information(Request ticket server **** kvno 4 enctype aes256-cts found in keytab but cannot decrypt ticket).
at System.Net.Security.NegotiateStreamPal.GssAcceptSecurityContext(SafeGssContextHandle& context, Byte[] buffer, Byte[]& outputBuffer, UInt32& outFlags)
at System.Net.Security.NegotiateStreamPal.AcceptSecurityContext(SafeFreeCredentials credentialsHandle, SafeDeleteContext& securityContext, ContextFlagsPal requestedContextFlags, Byte[] incomingBlob, ChannelBinding channelBinding, Byte[]& resultBlob, ContextFlagsPal& contextFlags)
So the token is passing GSSAPI in normal mode and trying to validate user, but there is alwayse None in anwser. Can somebody help me get what I'm doing wrong?
I got it by using [Authorize] attribute instead of HttpContext.ChallengeAsync().

Response as undefined after an API call

I am using the request library to fetch a response from an API, everything was working fine but as of recent, I have started to get local issuer certificate error from the API although the same code is working on my colleague's system.
I have already tried updating the node version and all the version changes regarding the request package of node
The exact error is:
unable to get local issuer certificate node
Here is the error snippet in the console
Could u please console only response..After that u can easily see that there is statusCode is available or not.
Or if u get the statusCode then check its defined or not.
Ex: if(res.statusCode)
console.log("print status code", this.res.statusCode);
This is an SSL error and yo need to make sure that your server's certificate is valid.
With your claim that it used to work - but it stopped working recently with the SSL error message, the possibilities are that either your servers certificate is expired in between or the Sectigo AddTrust External CA Root Expiring May 30, 2020.
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l00000117LT
Updating the certificate is outside the scope of this answer. You may have to do it yourself or contact the admin.

Liberty login error in trace log for wim model message - ClassCastException Entity and LoginAccount

I have configured Websphere Liberty to use LDAP to authenticate user. I have enabled security trace -
com.ibm.ws.security.=all:com.ibm.ws.webcontainer.security.=all:com.ibm.oauth.=all:com.ibm.wsspi.security.oauth20.=all:com.ibm.ws.transport.http.=all:org.apache.http.client.=all
I have following feature list enabled in WebSphere Liberty v17.0.0.3,
webProfile-7.0, javaMail-1.5, ldapRegistry-3.0 and localConnector-1.0.
However, secure content is failing with error HTTP 401 (Unauthenticated).
In trace file, I can see that LDAP is able to return logged in user data. But WebSphere Liberty is failing with error -
com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
java.lang.ClassCastException: com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.LoginAccount
at com.ibm.ws.security.wim.registry.util.SecurityNameBridge.getUserSecurityName(SecurityNameBridge.java:203)
at com.ibm.ws.security.wim.registry.WIMUserRegistry.getUserSecurityName(WIMUserRegistry.java:316)
at com.ibm.ws.security.authentication.internal.jaas.modules.ServerCommonLoginModule.getSecurityName(ServerCommonLoginModule.java:104)
Please help guide if this error is due to any configuration problem.
The problem was resolved after correcting configuration of registry used. I was using LDAP registry and had mentioned LDAP server type as Tivoli. This was causing the problem in Subject class being returned from LDAP not matching expected class in Liberty. Once I changed LDAP service type to Custom, this error got resolved. Below is the tag for LDAP registry I used in server.xml
<ldapRegistry baseDN="ou=xxxxxxxx,o=xxxxxx" host="xxxxxxxxxxxxxxx" id="xxxxxxxxxxx" ldapType="Custom" port="636" realm="xx" recursiveSearch="true" sslEnabled="true" sslRef="sslrepo1">
<customFilters userFilter="(&(mail=%v)(objectclass=ePerson))" userIdMap="*:mail"/>
</ldapRegistry>

ServiceStack Facebook Authentication NullReference Exception on Vagrant Box (Ubuntu/MySql/Mono/nginx)

Long shot I guess, with the lack of real information that I am offering at this stage. I'll gladly offer up some more details on how to reproduce the issue - but wanted some fast feedback to see if there was a gotcha somewhere I was missing.
I've a simple ServiceStack hello world application, in which I'm playing with the Facebook Auth Provider:
Vanilla ServiceStack
Vanilla Facebook Auth Proivider
Vanilla User Session
Vanilla OrmLite User Repository
Vanilla OrmLite MySql Db Factory
When debugging on my local machine - on Windows 7 (and 8); everything works a treat. The service launches, the database tables are created and I can login via Facebook and records are inserted to the relevant tables.
When running the service on Ubuntu inside a Vagrant Box (running in Virtual Box as the provider for virtualization, hosted on nginx with mono-fastcgi) - the service launches correctly and I can see that the tables are created in the MySql database. When I hit /auth/facebook I am correctly forwarded to Facebook - but I hit an error when the callback to the service occurs.
This is the current output:
[Auth: 07/30/2013 13:02:47]: [REQUEST: {provider:facebook}] System.NullReferenceException: Object reference not set to an instance of an object at
ServiceStack.ServiceInterface.Auth.FacebookAuthProvider.Authenticate (ServiceStack.ServiceInterface.IServiceBase,ServiceStack.ServiceInterface.Auth.IAuthSession,ServiceStack.ServiceInterface.Auth.Auth) <0x0061e> at
ServiceStack.ServiceInterface.Auth.AuthService.Authenticate (ServiceStack.ServiceInterface.Auth.Auth,string,ServiceStack.ServiceInterface.Auth.IAuthSession,ServiceStack.ServiceInterface.Auth.IAuthProvider) <0x000a7> at
ServiceStack.ServiceInterface.Auth.AuthService.Post (ServiceStack.ServiceInterface.Auth.Auth) <0x00303> at
ServiceStack.ServiceInterface.Auth.AuthService.Get (ServiceStack.ServiceInterface.Auth.Auth) <0x00013> at (wrapper dynamic-method) object.lambda_method (System.Runtime.CompilerServices.Closure,object,object) <0x0004f> at
ServiceStack.ServiceHost.ServiceRunner`1<ServiceStack.ServiceInterface.Auth.Auth>.Execute (ServiceStack.ServiceHost.IRequestContext,object,ServiceStack.ServiceInterface.Auth.Auth) <0x00416>
It is clearly reaching the Service (which I'm accessing via localhost:8080 which maps through to the guest machine on port 80); as the error is wrapped nicely in ServiceStack output.
I don't suppose anyone has any clues?
Okay after an evening of investigation - I've found the root cause.
Line 51 of FacebookAuthProvider.cs calls off to Line 28 of WebRequestExtensions.cs - which in turn calls Line 227 of WebRequestExtensions.cs.
This method call fails at line 255-ish - essentially because Mono by default doesn't trust any SSL certificates by default: as explained here..
Instead of figuring out the correct configuration for Mono - I've taken the nasty route (for the time being at least); of using the following line in my AppHostBase.Configure implementation:
F#
System.Net.ServicePointManager.ServerCertificateValidationCallback <- new RemoteCertificateValidationCallback(fun _ _ _ _ -> true)
C#
System.Net.ServicePointManager.ServerCertificateValidationCallback += (a, b, c, d) => { return true; };
I am now up and running (like a fully-operational Death Star).

IIS Application pool identity

I am attempting to obtain a data feed from yahoo finance. I am doing this with the following code:
System.Net.WebRequest request = System.Net.WebRequest.Create(http://download.finance.yahoo.com/download/quotes.csv?format=sl&ext=.csv&symbols=^ftse,^ftmc,^ftas,^ftt1x,^dJA);
request.UseDefaultCredentials = true;
// set properties of the request
using (System.Net.WebResponse response = request.GetResponse())
{
using (System.IO.StreamReader reader = new System.IO.StreamReader(response.GetResponseStream()))
{
return reader.ReadToEnd();
}
}
I have placed this code into a console application and, using Console.WriteLine on the output I receive the information I require. I have used the 'Run as..' command to execute this using a specific domain account.
When I use this code from within a Page load I receive the following error message "No connection could be made because the target machine actively refused it 76.13.114.90:80".
This seems to suggest that the call is reaching yahoo (is this true?) and that there is something missing.
This would suggest there is an identity difference in the calls between the console application and application pool.
Environment is: Windows Server 2003, IIS 6.0, .net 4.0
"Target machine actively refused it" indicates that the TCP connection itself is not succeeding. This could be due to the fact that the Proxy settings when run under IIS are not the same as those that apply when you run in the console.
You can fix this by setting a WebProxy on your request, that points to the proxy server being used in the environment.
Yes, an active refusal is indication that the target machine is receiving the request and the information in the headers is either incorrect or insufficient to process the request. It is entirely possible that if you had to run this call using a "run as" command in console that the application pool's identity user does not have the appropriate permission or username. You can attempt to change the identity user to this specific domain account to see if that alleviates the problem, but you may have to isolate this particular function into its own application pool in order to protect the rest of the website from having this specification.

Resources