Single Sign On using Kerberos and Active Directory
I am attempting to write a proof of concept of Single Sign On using Kerberos and Active Directory.
I have searched through these forums and found several suggestions which I have attempted to use; in fact, my code snippet below comes from these forums.
I have set the registry setting (allowtgtsessionkey) on (both of) our Windows 2000 SP4 Active Directory Servers.
As an aside, there seems to be a difference of opinion as to whether this is a REG_DWORD or REG_SZ (but I have tried both); see:
http://support.microsoft.com/kb/308339 and
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
I have ticked the check box "Use DES Encryption" against my test user and reset the password in Active Directory.
I still get the error message "KDC has no support for encryption type (14)", what have I missed? Has anyone got this working?
I am using Java version 1.5.0_11
This is the configuration file I used:
JaasSample {
    com.sun.security.auth.module.Krb5LoginModule required
        client=true debug=true useTicketCache=true doNotPrompt=true;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        client=true debug=true useTicketCache=true doNotPrompt=true;
};
This is the code I am using:
import java.security.PrivilegedAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

public class KerberosExample {
    // Placeholder values: the post does not show the real ones, so set these for your environment.
    static final String REALM = "DOMAINNAME.CO.UK";
    static final String KDC = "KDC.DOMAINNAME.CO.UK";
    static final String LOGIN_CONFIG = "jaas.conf"; // the JAAS configuration file above
    static final String LDAP_URL = "ldap://KDC.DOMAINNAME.CO.UK:389";
    static final String USER_ACCOUNT = "CN=xxxxx,CN=Users,DC=DOMAINNAME,DC=CO,DC=UK";

    public static void main(String[] args) {
        // Kerberos settings are given as system properties instead of a krb5.conf
        //System.setProperty("java.security.krb5.conf", KRB5_CONF);
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
        System.setProperty("java.security.auth.login.config", LOGIN_CONFIG);
        // Let JGSS fall back to the ticket cache / LSA when the Subject has no credentials
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "true");

        LoginContext lc = null;
        try {
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
            lc.login();
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed: " + le);
            System.exit(-1);
        }
        // Run the LDAP lookup with the Kerberos credentials obtained by the login
        Subject.doAs(lc.getSubject(), new LDAPAction());
    }
}

class LDAPAction implements PrivilegedAction<Object> {
    public Object run() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, KerberosExample.LDAP_URL);
        // SASL GSSAPI bind using the Kerberos TGT; require mutual authentication of the server
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.server.authentication", "true");
        try {
            DirContext ctx = new InitialDirContext(env);
            Attributes answer = ctx.getAttributes(KerberosExample.USER_ACCOUNT);
            NamingEnumeration<?> userInfo = answer.getAll();
            while (userInfo.hasMoreElements()) {
                System.out.println(userInfo.nextElement());
            }
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
Any help would be gratefully received.
# 6
Hi Seema,
When I run the Klist tool I get (where xxxxx is my user name):
C:\Program Files\Java\jre1.6.0\bin>klist
Credentials cache C:\Documents and Settings\xxxxx\krb5cc_xxxxx not found.
The stack trace from my test program is:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Documents and Settings\xxxxx\krb5cc_xxxxx
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=xxxxx@DOMAINNAME.CO.UK
server=krbtgt/DOMAINNAME.CO.UK@DOMAINNAME.CO.UK
authTime=20070420065929Z
startTime=20070420065929Z
endTime=20070420165929Z
renewTill=20070427065929Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 0
Principal is xxxxx@DOMAINNAME.CO.UK
Commit Succeeded
Found ticket for xxxxx@DOMAINNAME.CO.UK to go to krbtgt/DOMAINNAME.CO.UK@DOMAINNAME.CO.UK expiring on Fri Apr 20 17:59:29 BST 2007
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.NullEType
>>> KrbKdcReq send: kdc=KDC.DOMAINNAME.CO.UK UDP:88, timeout=30000, number of retries =3, #bytes=1370
>>> KDCCommunication: kdc=KDC.DOMAINNAME.CO.UK UDP:88, timeout=30000,Attempt =1, #bytes=1370
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: #bytes read=114
>>> KDCRep: init() encoding tag is 126 req type is 13
>>>KRBError:
sTime is Fri Apr 20 11:51:12 BST 2007 1177066272000
suSec is 755889
error code is 14
error Message is KDC has no support for encryption type
realm is DOMAINNAME.CO.UK
sname is krbtgt/DOMAINNAME.CO.UK
msgType is 30
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at LDAPAction.run(KerberosExample.java:59)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at KerberosExample.main(KerberosExample.java:46)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 25 more
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
at LDAPAction.run(KerberosExample.java:59)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at KerberosExample.main(KerberosExample.java:46)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:194)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:105)
... 16 more
Caused by: GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
... 17 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
... 20 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
... 25 more
Again, thanks for your help.
Michael
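The debug output in the reply above shows the TGT coming back from the LSA with "EType (int): 0" and the subsequent TGS-REQ being built with NullEType: the JRE received the ticket but not its session key, so it cannot encrypt the authenticator for the service-ticket request, and the KDC answers with error 14. The allowtgtsessionkey registry value controls whether the LSA on the machine running the JVM (the Kerberos client) releases that key. The following is an added example, not code from the original poster, that makes this condition visible before any LDAP bind is attempted. It reuses the JAAS entry name JaasSample from the posted configuration; the file name jaas.conf and the class and method names are assumptions.

```java
import java.security.PrivilegedAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the original post): after a JAAS Kerberos login,
 * inspect the TGT that Krb5LoginModule stored in the Subject before trying a
 * GSSAPI bind. A session key type of 0 means the Windows LSA handed over the
 * ticket without its session key, so every TGS-REQ the JRE builds will be
 * rejected by the KDC. Only the JAAS entry name "JaasSample" comes from the
 * post; the file name jaas.conf and all identifiers here are assumed.
 */
public class TgtSessionKeyCheck {

    /** Encryption type numbers as used in Kerberos (RFC 3961/3962/4757). */
    static String etypeName(int etype) {
        switch (etype) {
            case 0:  return "NULL (no session key exported)";
            case 1:  return "des-cbc-crc";
            case 3:  return "des-cbc-md5";
            case 16: return "des3-cbc-sha1";
            case 17: return "aes128-cts-hmac-sha1-96";
            case 18: return "aes256-cts-hmac-sha1-96";
            case 23: return "rc4-hmac";
            default: return "unknown (" + etype + ")";
        }
    }

    /** Returns the TGT (server krbtgt/REALM@REALM) from the Subject, or null if none. */
    static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            if (t.getServer().getName().startsWith("krbtgt/")) {
                return t;
            }
        }
        return null;
    }

    /**
     * True when the TGT carries a usable session key. Without allowtgtsessionkey
     * on the client machine the LSA withholds it and getSessionKeyType() reports 0,
     * which is the "EType (int): 0" line in the krb5 debug output.
     */
    static boolean tgtUsable(KerberosTicket tgt) {
        return tgt != null && tgt.getSessionKeyType() != 0;
    }

    public static void main(String[] args) throws LoginException {
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", "jaas.conf"); // assumed file name
        System.setProperty("sun.security.krb5.debug", "true");

        // No callback handler: the JAAS entry uses useTicketCache=true doNotPrompt=true
        LoginContext lc = new LoginContext("JaasSample");
        lc.login();
        Subject subject = lc.getSubject();

        KerberosTicket tgt = findTgt(subject);
        if (tgt == null) {
            System.err.println("No TGT in the Subject; check useTicketCache and the LSA ticket cache");
            System.exit(2);
        }
        System.out.println("client : " + tgt.getClient().getName());
        System.out.println("server : " + tgt.getServer().getName());
        System.out.println("expires: " + tgt.getEndTime());
        System.out.println("session key etype: " + etypeName(tgt.getSessionKeyType()));

        if (!tgtUsable(tgt)) {
            System.err.println("Session key not exported by the LSA. Set allowtgtsessionkey (REG_DWORD = 1) under "
                + "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos (Windows 2000) or "
                + "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters (XP/2003) "
                + "on the machine running this JVM, not on the domain controllers");
            System.exit(1);
        }

        // Only now is a GSSAPI bind worth attempting; the LDAP code from the post goes here.
        Subject.doAs(subject, new PrivilegedAction<Void>() {
            public Void run() {
                System.out.println("TGT usable; proceed with the LDAP GSSAPI bind");
                return null;
            }
        });
    }
}
```

Run it with the same JAAS configuration as the original program; a non-zero session key etype (for example rc4-hmac, 23, which both a Windows 2000 KDC and Java 5 support) means the ticket request failure has another cause, while a 0 points at the session key export on the client rather than at the account's DES setting.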