Home.... | log in.... | Pub my question! | Sign-up....
Java-index >> Security >> Kerberos & Java GSS (JGSS)

Problem obtaining credentials from native ticket cache

Hello dear colleagues,

I met with very strange behaviour using SSO. My test environment works on WinXP SP2, JDK 1.5.0_04-b05.

Kerberos configuration file is located in<JRE_HOME>\lib\security\krb5.conf and contains following:

[libdefaults]

default_realm = <MY_REALM>

clockskew = 10000

[realms]

<MY_REALM> ={

kdc = <MY_KDC>

default_domain = <MY_DOMAIN>

}

[appdefaults]

kinit ={

renewable =true

forwardable =true

}

Login configuration:

SSOClient{

com.sun.security.auth.module.Krb5LoginModule Required

debug=true

doNotPrompt=false

useTicketCache=true

useDefaultCcache=true

renewTGT=true;

};

KerbTray tool outputs following information:

Client name: <MY_PRINCIPAL_NAME>@<MY_REALM>

Service name: krbtgt/<MY_REALM>@<MY_REALM>

Start time: 08/18/2006 10:30

End time: 08/18/2006 11:30

Renew Until: 08/25/2006 10:30

BUT! When application tries to process login, Kerberos outputs following:

>>>KinitOptions cache name is C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME>

>> Acquiredefaultnative Credentials

Credentials:

client=<MY_PRINCIPAL_NAME>@<MY_REALM>

server=krbtgt/<MY_REALM>@<MY_REALM>

authTime=20060818073024Z

startTime=20060818073024Z

endTime=20060818083024Z

renewTill=20060825073024Z

flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT

EType (int): 3

Debug istrue storeKeyfalse useTicketCachetrue useKeyTabfalse doNotPromptfalse ticketCache isnull

KeyTab isnull refreshKrb5Config isfalse principal isnull tryFirstPass isfalse useFirstPass isfalse

storePass isfalse clearPass isfalse

Acquire TGT from Cache

>>>KinitOptions cache name is C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME>

>> Acquiredefaultnative Credentials

>>> Obtained TGT from LSA: Credentials:

client=<MY_PRINCIPAL_NAME>@<MY_REALM>

server=krbtgt/<MY_REALM>@<MY_REALM>

authTime=20060818073024Z

startTime=20060818073024Z

endTime=20060818083024Z

renewTill=20060825073024Z

flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT

EType (int): 3

Using builtindefault etypesfor default_tgs_enctypes

default etypesfor default_tgs_enctypes: 3 1 16.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

>>> KrbKdcReq send: kdc=<MY_KDC> UDP:88, timeout=30000, number of retries =3, #bytes=1344

>>> KDCCommunication: kdc=<MY_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=1344

>>> KrbKdcReq send: #bytes read=1324

>>> KrbKdcReq send: #bytes read=1324

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Ticket could not be renewed : Message stream modified (41)

Principal isnull

null credentials from Ticket Cache

[Krb5LoginModule] user entered username: <MY_PRINCIPAL_NAME>

Using builtindefault etypesfor default_tkt_enctypes

default etypesfor default_tkt_enctypes: 3 1 16.

principal is <MY_PRINCIPAL_NAME>@<MY_REALM>

Acquire TGT using AS Exchange

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 54 B6 20 A7 64 04 1C 97

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 54 B6 20 A7 64 04 1C 97

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 8A DF 43 D6 29 20 F2 805E 29 85 E9 B9 4F 19 3E ..C.) ..^)...O.>

0010: 32 0E 2C 76 AE 91 25 AB

Using builtindefault etypesfor default_tkt_enctypes

default etypesfor default_tkt_enctypes: 3 1 16.

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

>>> KrbAsReq calling createMessage

>>> KrbAsReq in createMessage

>>> KrbKdcReq send: kdc=<MY_KDC>UDP:88, timeout=30000, number of retries =3, #bytes=245

>>> KDCCommunication: kdc=<MY_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=245

>>> KrbKdcReq send: #bytes read=215

>>> KrbKdcReq send: #bytes read=215

>>> KDCRep: init() encoding tag is 126 req type is 11

>>>KRBError:

sTime is Fri Aug 18 11:11:55 CEST 2006 1155892315000

suSec is 310136

error code is 24

error Message is Pre-authentication information was invalid

realm is <MY_REALM>

sname is krbtgt/<MY_REALM>

eData provided.

[Krb5LoginModule] authentication failed

Pre-authentication information was invalid (24)

Remark. File C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME> does not exist, so I use native ticket cache.

Registry keyallowtgtsessionkey exists in HKLM\System\CurrentControlSet\Control\Lsa\Kerberos section.

As you may see, in Kerberos output start time and end time differes from what KerbTray outputs (3 hours earlier). It IS very strange. I can not understand this. May anybody help me?

Second thing is why TGT is not renewed? What this means?:

Ticket could not be renewed : Message stream modified (41)

I appreciate any help. Thanks in advance.

[7025 byte] By [yurtsevicha] at [2007-10-3 3:00:29]
«« GP On-Card Key Info - Key Versions
»» JFrame getting hanged for a while
# 1

Seems to be the issue with case insensitivity on Windows.

Are you using mixed-case Kerberos principal or Kerberos realm.

By convention Kerberos principal names are case-sensitive. However, on Windows,

due to case-insensitivity, mixed-case Kerberos principal names are not accepted

by the Active Directory. In order to use mixed-case Kerberos principal names on

Windows, you'll need support of the new Pre-Authentication mechanisms, which is

available in Java SE 6 and J2SE 5.0 Update 8.

Please upgrade to J2SE 5.0 Update 8.

In reference to the Kerberos time in the Kerberos ticket, which is different from

what you see in KerbTray, this is a known issue and has been fixed in Java SE 6.

Seema

Seema-1a at 2007-7-14 20:50:04 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 2

Thanks, Seema, for your reply.

In spite of upgrading to J2SE 5.0 Update 8, problem was not solved. By the way in our configuration no mixed-case names are used, neither for principal names nor for realms.

But what solved problem - to increase "Maximum lifetime for user ticket"/"...for service ticket" at KDC configuration (at least not less than 3 hours - value on which times are not synchronized comparing what is in OS native ticket cache and what Java Kerberos obtains/calculates). Now even if ticket is expired it may be successfully renewed.

I am curious if there is any report in BugParad for this problem. I need to refer to something when reporting solution to our client.

One more point. As I found out krb5.conf is not really needed for proper work of Java Kerberos implementation on client side. It is enough to specify JVM arguments:

-Djava.security.krb5.realm

-Djava.security.krb5.kdc

Am I right?

yurtsevicha at 2007-7-14 20:50:04 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 3

If you use the system properties to specify KDC/realm i.e.

java.security.krb5.realm and java.security.krb5.kdc, it will work.

However specific Kerberos configuration options are not read, such as

enctypes. When using these 2 system properties, Java GSS will default to

use DES encryption type. If you do need to use other Kerberos encryption

types such as RC4-HMAC, you will need to specify these enctypes in

krb5.conf and use the system property java.security.krb5.conf="krb5.conf".

Alternatively, you can install the Kerberos configuration file in the default

location, and don't use any of these system properties.

The bug that fixes the native Kerberos time is 6450331.

Seema

Seema-1a at 2007-7-14 20:50:04 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 4
Thanks a lot!
yurtsevicha at 2007-7-14 20:50:04 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 5
By any reason I do not see the issue with ID 6450331 in Bug Database. You gave me wrong number or it not yet released?
yurtsevicha at 2007-7-14 20:50:04 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
Security
Kerberos & Java GSS (JGSS)

Security New Topic

Security Hot Topic

Security

All Classified