Checksum failed and some newbie questions

Hi people,

I have tried the GSS-API without JAAS tutorial for Java 1.5 at http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html with this config:

1) Environment config:

- JDK 1.5.0 update 11

- Windows XP pro against Active Directory on a Windows Server

2) The bcsLogin.conf jaas config file exactly as it appears in the tutorial

3) My krb5.conf file:

[libdefaults]
    default_realm = MYCOMPANY.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

[realms]
    MYCOMPANY.COM = {
        kdc = MYCOMPANY.COM
        admin_server = MYCOMPANY.COM
        default_domain = MYCOMPANY.COM
    }

[domain_realm]
    MYCOMPANY = MYCOMPANY.COM

4) Parameters for the SampleServer program:

Program arguments

4444

VM arguments

-Djavax.security.auth.useSubjectCredsOnly=false

-Djava.security.krb5.conf=krb5.conf

-Djava.security.auth.login.config=bcsLogin.conf

5) Parameters for the SampleClient program:

Program arguments

krbtgt localhost 4444

VM arguments

-Djavax.security.auth.useSubjectCredsOnly=false

-Djava.security.krb5.conf=krb5.conf

-Djava.security.auth.login.config=bcsLogin.conf

After executing it I obtained the checksum exception below:

Checksum failed !

Exception in thread "main" java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

at SampleServer.main(SampleServer.java:121)

Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)

at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)

at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)

at SampleServer.main(SampleServer.java:118)

Caused by: KrbException: Checksum failed

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)

at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)

at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)

at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)

at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)

at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)

... 3 more

Caused by: java.security.GeneralSecurityException: Checksum failed

at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:387)

at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)

... 9 more

Apart from help with the exception itself, I have some questions:

1-For the SampleClient program I use krbtgt as the server name but I don't know exactly why this works. Other values don't work and I don't know exactly what this server name is, who creates it, etc. I would be grateful for some explanation about it.

2-I use the same username-password (mine) for authentication in the SampleServer and in the SampleClient, is that correct?

Thank you very much in advance.

By joseDeva at 2007-11-26 20:54:34
# 1
1. krbtgt is the built-in account for "KeRBeros Ticket Granting (Ticket) service". How about trying the username you used for ServerClient?
2. That's OK.
wangwja at 2007-7-10 2:21:38
# 2

Hello wangwj,

I don't know what you want to say exactly with "trying the username you used for ServerClient?"

In the SampleServer code (I believe that you refer to it as ServerClient) there is no place where I can give a username (apart from my credentials when I do a login).

When debugging SampleClient, the program generates the following error when I use a server name different from krbtgt:

>>>KRBError:

sTime is Fri Mar 09 09:32:16 CET 2007 1173429136000

suSec is 407323

error code is 7

error Message is Server not found in Kerberos database

realm is ADGBS.COM

sname is V442596

eData provided.

msgType is 30

When I use krbtgt as the server name all goes OK for the client (well, it shows an error but it is expected):

>>>KRBError:

sTime is Fri Mar 09 09:42:33 CET 2007 1173429753000

suSec is 711423

error code is 52

error Message is Response too big for UDP, retry with TCP

realm is ADGBS.COM

sname is krbtgt

msgType is 30

After that:

1) Is it possible that I have to create a new server account in Kerberos and pass its username to the client parameter?

2) In the first post I wrote, it shows a checksum exception. I have read that Active Directory needs to be configured for DES encryption for interoperability. Does anyone know something about that?

Thanks in advance,

joseDeva at 2007-7-10 2:21:38
# 3

Yes, SampleServer, and you should use the username for your "apart from my credentials when I do a login" as the server argument in SampleClient. The client side needs to authenticate itself to use a service that's started by an account named by this argument. If you provide ABC when starting SampleServer, this argument must still be ABC.

Starting from 5.0u8 (or 7?), Java should support RC4-HMAC. So it's not necessary to configure AD to use DES now. If you can go with DES but fail with RC4-HMAC, there must be something wrong.

wangwja at 2007-7-10 2:21:38
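
Added illustration, not part of the thread and not JDK code: a service ticket is encrypted with the long-term key of the principal named in the request, so a ticket issued for krbtgt cannot be decrypted by a server logged in as a different account, and the RC4-HMAC decrypt step seen in the stack trace reports the key mismatch as "Checksum failed". The sketch follows the non-export RC4-HMAC construction of RFC 4757; the keys, ticket bytes and the server_accepts helper are constructed for the example.

```python
import hashlib
import hmac
import os

TICKET_USAGE = 2  # Kerberos key-usage number for a ticket's encrypted part
# Constructed 16-byte keys standing in for two different accounts' RC4 keys.
KRBTGT_KEY = hashlib.md5(b"constructed krbtgt key").digest()
SERVER_ACCOUNT_KEY = hashlib.md5(b"constructed SampleServer account key").digest()

class ChecksumFailed(Exception):
    """The HMAC over the decrypted data did not match (wrong key or tampering)."""

def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def _rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def encrypt(key, usage, plaintext):
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    body = os.urandom(8) + plaintext  # 8-byte random confounder
    checksum = _hmac_md5(k1, body)
    return checksum + _rc4(_hmac_md5(k1, checksum), body)

def decrypt(key, usage, blob):
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    checksum, ciphertext = blob[:16], blob[16:]
    body = _rc4(_hmac_md5(k1, checksum), ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        raise ChecksumFailed("Checksum failed")
    return body[8:]

def server_accepts(ticket, acceptor_key):
    """Mimic the acceptor: it can only try the key of the account it logged in as."""
    try:
        decrypt(acceptor_key, TICKET_USAGE, ticket)
        return True
    except ChecksumFailed:
        return False
```

A ticket built with KRBTGT_KEY is rejected by server_accepts(..., SERVER_ACCOUNT_KEY), while one built with SERVER_ACCOUNT_KEY is accepted, which is why the server-name argument has to name the account that SampleServer runs as.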