
GSSException: Failure unspecified at GSS-API level (Mechanis

Question asked by xkahn on Jan 12, 2011
Latest reply on Jul 29, 2015 by joopmartens
I have a development machine I just upgraded to 3.4.c. (from 3.2r2) Everything appears to be working, so I wanted to try out the SSO patches that have been put into Alfresco since 3.2r2. (I had SSO working before, but couldn't use it because of some chaining bugs and problems with WebDAV.) I switched to Kerberos auth and set SSO to true. And I get this error:

17:19:14,849 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

the full error is:

During startup:
17:17:32,151 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:17:32,152 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] Logged on using principal HTTP/alfresco-xkahn.example.com@EXAMPLE.COM
17:17:32,409 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] HTTP Kerberos login successful
17:17:32,409 DEBUG [org.alfresco.repo.webdav.auth.KerberosAuthenticationFilter] Logged on using principal HTTP/alfresco-xkahn.example.com@EXAMPLE.COM

At auth time:
17:19:11,954 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 10.3.112.6 (10.3.112.6:0)
17:19:14,849 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
   at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
   at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.Subject.doAs(Subject.java:337)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.doKerberosLogon(BaseKerberosAuthenticationFilter.java:494)
   at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:384)
   at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:132)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
   at $Proxy218.doFilter(Unknown Source)
   at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
   at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
   at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
   at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
   at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Thread.java:662)
Caused by: KrbException: Checksum failed
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
   at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
   at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)
   at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:262)
   at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
   at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
   … 35 more
Caused by: java.security.GeneralSecurityException: Checksum failed
   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
   at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
   at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
   at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
   … 41 more
17:19:14,851 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] No SPNEGO response, Kerberos logon failed

I've installed the jce-policy-unlimited file to support "AES-256 CTS mode with 96-bit SHA-1 HMAC" tickets. My keytab appears to be in order:

# klist -ket /etc/krb5.keytab 
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (Triple DES cbc mode raw)
   3 12/09/09 11:56:55 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)

I am able to use tickets to authenticate on the same machine through Apache using an identical keytab.  Advice?
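The keytab listing above is the kind of thing worth checking mechanically before digging into the JDK stack trace: a "Checksum failed" from the AES-256 etype is what you see when the service decrypts with a key that does not match the one the KDC used, because the HMAC integrity check over the ticket fails. The following script is an added example (not from the post, and not Alfresco or JLAN code) that parses `klist -ket` output, confirms the service principal is present with a single key version, compares that version to the one the KDC currently issues (assumed to be supplied by the operator, e.g. from the `kvno` command on a client), checks that the required AES enctype is present, and flags the legacy DES, 3DES and RC4 keys that are also sitting in this keytab. The sample listing is the one from the post, embedded as a constructed string so the checks run offline.

```python
import re

# Constructed sample input: the `klist -ket` listing from the post above,
# embedded as a string so the checks run offline against a known listing.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   3 12/09/09 11:56:54 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (Triple DES cbc mode raw)
   3 12/09/09 11:56:55 HTTP/alfresco-xkahn.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
"""

# One keytab entry per line: kvno, date, time, principal, "(enctype name)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.+)\)\s*$")

# Legacy enctypes a service keytab should not be relying on (DES, 3DES, RC4).
WEAK_ENCTYPE_MARKERS = ("DES cbc", "Triple DES", "ArcFour")

# The enctype the JDK was decrypting with in the stack trace above.
AES256_SHA1 = "AES-256 CTS mode with 96-bit SHA-1 HMAC"


def parse_klist(text):
    """Parse `klist -ket` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(4), m.group(5)))
    return entries


def check_keytab(entries, service_principal, kdc_kvno=None,
                 required_enctypes=(AES256_SHA1,)):
    """Return a list of 'LEVEL: message' findings for one service principal.

    kdc_kvno is the key version the KDC currently issues tickets with (what
    `kvno <principal>` reports on a client); it is an assumed operator input.
    Decrypting with a key that does not match the KDC's fails the HMAC
    integrity check, which the JDK reports as "Checksum failed".
    """
    findings = []
    mine = [(k, e) for k, p, e in entries if p == service_principal]
    if not mine:
        findings.append(f"ERROR: {service_principal} not present in keytab")
        return findings

    kvnos = sorted({k for k, _ in mine})
    if len(kvnos) > 1:
        findings.append(f"WARN: mixed key versions in keytab: {kvnos}")
    if kdc_kvno is not None and kdc_kvno not in kvnos:
        findings.append(f"ERROR: keytab kvno {kvnos} != KDC kvno {kdc_kvno}; "
                        "tickets are encrypted with a key this keytab does not hold")

    enctypes = {e for _, e in mine}
    for req in required_enctypes:
        if req not in enctypes:
            findings.append(f"ERROR: required enctype missing: {req}")
    for e in sorted(enctypes):
        if any(marker in e for marker in WEAK_ENCTYPE_MARKERS):
            findings.append(f"WARN: weak enctype present: {e}")
    return findings


def run_sample(kdc_kvno=3):
    """Run the checks over the constructed sample listing."""
    principal = "HTTP/alfresco-xkahn.example.com@EXAMPLE.COM"
    return check_keytab(parse_klist(SAMPLE_KLIST), principal, kdc_kvno=kdc_kvno)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Against the listing in the post, with the KDC at key version 3, the only findings are the three weak-enctype warnings; feeding a different KDC key version produces the kvno mismatch error, which is the condition that shows up in the JDK as the AES-256 checksum failure rather than as a "key not found" message. On a live host the same checks can be run by piping `klist -ket /etc/krb5.keytab` output into `parse_klist` instead of the embedded sample.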
