This topic has 4 replies, 2 voices, and was last updated 5 years, 1 month ago by Peter Major.
April 6, 2017 at 2:24 pm #16758
Gertjan_Al
Participant
Hi everyone,
We currently want to upgrade from OpenAM 11 to OpenAM 13.5.
In our current production cluster Kerberos authentication on OpenAM 11 works,
but I’m unable to configure the same Kerberos authn on OpenAM 13.
The debug log shows:
amAuthWindowsDesktopSSO:04/03/2017 12:51:28:384 PM CEST: Thread[http-nio-127.0.0.1-8443-exec-2,5,main]: TransactionId[009ce092-e6f7-47c6-8a3d-ca36b73cc531-3020] ERROR: kerberos token is not valid.
amAuthWindowsDesktopSSO:04/06/2017 01:07:09:752 PM CEST: Thread[http-nio-127.0.0.1-8443-exec-6,5,main]: TransactionId[009ce092-e6f7-47c6-8a3d-ca36b73cc531-3190] ERROR: Authentication failed with PrivilegedActionException wrapped GSSException. Stack Trace
GSSException: Unsupported mechanism requested: 1.3.6.1.5.2.5
    at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:204)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:320)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO$1.run(WindowsDesktopSSO.java:265)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.authenticateToken(WindowsDesktopSSO.java:257)
    at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:192)
    at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
It says both “kerberos token is not valid” and “Unsupported mechanism requested: 1.3.6.1.5.2.5”. As the Kerberos authn works on OpenAM 11, I doubt that my token is invalid…
The only difference I can think of is in the machines:
Old:
Ubuntu 14.04.3 LTS
Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
Tomcat 7
libgssapi-krb5-2: 1.12+dfsg-2ubuntu5.2
New:
Ubuntu 16.04.2 LTS
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Tomcat 8
libgssapi-krb5-2: 1.13.2+dfsg-5ubuntu2
Does anyone have Kerberos working on OpenAM 13.5 and if so, what is your server configuration?
April 10, 2017 at 10:03 am #16817
Peter Major
Moderator
Since the WindowsDesktopSSO authentication module relies on the JDK’s Kerberos implementation, you may want to test your 13.5 instance by running it with the same JDK7 version first.
April 12, 2017 at 12:51 pm #16892
Gertjan_Al
Participant
Thanks for your response, but we still get the same Exception with the “unsupported mechanism”. Any other hints we might want to check?
April 12, 2017 at 2:54 pm #16894
Gertjan_Al
Participant
We noticed that the message “ERROR: kerberos token is not valid.” is shown when using NTLM (via Windows), but “GSSException: Unsupported mechanism requested: 1.3.6.1.5.2.5” is only shown when using Kerberos via Linux.
April 12, 2017 at 4:06 pm #16897
Peter Major
Moderator
The WindowsDesktopSSO authentication module only supports Kerberos; it does not support NTLM. You should focus on the Kerberos-related error.
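Added example, not part of the thread and not OpenAM code: a diagnostic that decodes the value of an Authorization: Negotiate header and lists the GSS-API mechanism OIDs the client names, which shows whether a client is sending NTLM, Kerberos V5, or something else such as 1.3.6.1.5.2.5. The sample token is constructed, and the parser assumes mechTypes is the first field of the NegTokenInit, as in a client's initial token.

```python
import base64

# GSS-API mechanism OIDs commonly seen in Negotiate tokens.
MECHS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
         "1.3.6.1.5.2.5": "IAKERB", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0   # first byte packs two arcs
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)            # base-128 digits
        if not b & 0x80:                             # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(header_value):
    """List the mechanism OIDs named by an 'Authorization: Negotiate ...' value."""
    token = base64.b64decode(header_value.split()[-1])
    if token.startswith(b"NTLMSSP\x00"):             # raw NTLM message, no GSS framing
        return ["1.3.6.1.4.1.311.2.2.10"]
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, oid, pos = read_tlv(body, 0)
    if decode_oid(oid) != "1.3.6.1.5.5.2":           # bare mechanism token, no SPNEGO
        return [decode_oid(oid)]
    # Descend [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID.
    for _level in range(4):
        _, body, _ = read_tlv(body, pos)
        pos = 0
    mechs = []
    while pos < len(body):
        _, oid, pos = read_tlv(body, pos)
        mechs.append(decode_oid(oid))
    return mechs

# Constructed sample token: SPNEGO NegTokenInit listing IAKERB, then Kerberos V5.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602306062b0601050502a0193017a0153013"
    "06062b060105020506092a864886f712010202")).decode()

print([(o, MECHS.get(o, "unknown")) for o in offered_mechs(SAMPLE)])
```

To check a real client, pass the header value captured from its request (for example from a proxy or access log that records it) to offered_mechs.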