JAAS authorization via keytab file is failing....!!!!

Hi all,

I have a simple problem with JAAS authorization via a generated keytab file. The encryption used was des-cbc-crc, and the Kerberos user associated with the SPN has "Use DES only encryption" checked. Preauthentication is disabled.

My JAAS config file looks like:

    Jaas {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            keyTab="C:/srv-p286.keytab"
            principal="HTTP/f.q.d.n:8080@REALM:COM"
            storeKey=true;
    };

    // Part of the code which does its own authentication
    ...
    LoginContext serverLC = new LoginContext("jaas");
    serverLC.login();
    Subject.doAs(serverLC.getSubject(), this);

The problem is that when I run this part of the code to get the TGT + session key via the keytab, I receive this exception:

    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/srv-p286.keytab refreshKrb5Config is false principal is HTTP/srv-p286.berit.cz:8080@BERIT.CZ tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    principal's key obtained from the keytab
    Acquire TGT using AS Exchange
    [Krb5LoginModule] authentication failed
    Pre-authentication information was invalid (24)
    GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:383)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:43)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
        at GSSAuthFilter.run(GSSAuthFilter.java:1598)
        at GSSAuthFilter.doFilter(GSSAuthFilter.java:1728)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:619)
    Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:589)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
        at sun.security.jgss.krb5.Krb5Util.getKeys(Krb5Util.java:185)
        at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:82)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:79)
        ... 31 more
    Caused by: KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:488)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:407)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:379)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
        ... 47 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 51 more
    Major:13
    MajorCode: No valid credentials provided
    Minor:-1
    MinorCode: Attempt to obtain new ACCEPT credentials failed!

Please, what do I have to do to be able to authenticate the SPN principal via the previously mentioned keytab? Or does someone have experience with this stuff? I only need to get the TGT for the SPN which has a generated key in the keytab....

[7221 byte] By [JCDentona] at [2007-10-3 0:44:31]
# 1

****,

If I enter the principal name into the JAAS configuration as

    ...
    principal="HTTP/f.q.d.n:8080@REALM:COM"
    ...

and create the keytab as

    ktab -a HTTP/f.q.d.n:8080@REALM:COM password -k FILEPATH

JAAS is crashing due to the Pre-authentication failed (24) error....

BUT if I use the account associated with the SPN as the principal name, instead of the SPN, it works....:-(((((((

BUT PLEASE I NEED TO RUN MY SERVER VIA AUTHENTICATED SPN....NOT VIA THE ASSOCIATED ACCOUNT....

Please, how can I do that?

JCDentona at 2007-7-14 17:39:05