Kerberos generated principal with two realms (win 2003/XP, Java6)
I am trying to use my Windows Active Directory logon in my application. I create a login context as defined below:
VicadsKerberos
{
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useTicketCache=true debug=true;
};
I start my program with the following defines:
-Djava.security.krb5.realm=DEVEL.OPENROADSCONSULTING.COM
-Djava.security.krb5.kdc=192.168.100.101
When I run the program, I get the following debug from the Java Security Login:
Debug is true storeKey true useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is orci@devel.openroadsconsulting.com@DEVEL.OPENROADSCONSULTING.COM
Notice that the realm is listed twice for the principal, once in lower case and once in upper case. I believe that my Windows Active Directory name is lower case. Is this the problem? Is there any way around this?
Thanks, David Robison
By kc7bfia at 2007-10-3 3:29:21

Your JAAS configuration is configured to use the native ticket cache.
The JAAS Kerberos LoginModule will attempt to acquire the Kerberos ticket
from your native ticket cache.
Check on the native Kerberos ticket used. You probably have a file-based
ticket cache in your home directory. You should be able to list the ticket
cache contents via the klist tool. What does it display?
If you want to use the in-memory native Kerberos ticket on Windows,
you'll need to remove the file-based ticket cache, if you have it.
Check if you have a krb5cc* in your home dir. Please remove this file.
Now the JAAS Kerberos LoginModule will attempt to obtain the native
Kerberos ticket from the in-memory LSA ticket cache.
The JAAS login is for the client end; you don't need the "storeKey" option in
the JAAS configuration file. Please remove this option.
VicadsKerberos
{
com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
debug=true;
};
Seema
I looked and I do not have a file-based ticket. I also think I need storeKey because I am going to authenticate against another Kerberos server. One more piece of info, the final error I get is:
Login error: javax.security.auth.login.LoginException: Null Server Key
Does this help identify the problem? Do you know what the specific error means?
Thanks, David
I've found some more information. It seems the problem comes when I try to create a context to send to the server. When I try initSecContext I get the error:
GSSException: No valid credentials provided (Mechanism level: Ticket and authenticator don't match (3))
This only happens when I try to use the ticket from the cache. If I do a JAAS login and then initSecContext, all works well. Does anyone know what this error means?
Thanks, David
The error "Null Server key" is seen because you have no encryption keys at the client-end.
Again, you don't need the "storeKey" option at the client-end, to authenticate to the server.
This option is used only by the server to store keys in the JAAS subject. Please remove this
option from the client JAAS configuration.
In addition, please check your native Kerberos ticket using MS tools such as kerbtray.
Seema
Kerberos error 36 indicates that the Kerberos principal in the authenticator and the Kerberos Ticket don't match.
Please check the Kerberos ticket in the native ticket cache. The Kerberos principal in the native ticket does not match. Have you tried the Klist or Kerbtray tool from MS? What does that display?
Please ensure you are using the latest version of the JDK release. If you are using JDK 1.4.2, please download the latest version 1.4.2_12. If you are using JDK 5.0, please download the latest version JDK 5.0 Update 8. If you are using Java SE 6, please download the latest build.
Seema
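The two things the thread keeps circling back to are the client-side JAAS login (with storeKey removed, as Seema advises) and the initSecContext call that fails when the cached ticket carries a mangled principal. The class below is an added example written for this page, not code from either poster: it logs in through the "VicadsKerberos" entry using the native ticket cache, checks the principal that lands in the Subject for the doubled-realm symptom David reported (a second '@' in the name), and only then asks GSS-API for the first AP-REQ token. The service principal name, the jaas.conf location and the KDC/realm system properties in the comment are assumptions you would replace with your own.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example, not from the thread. Assumed client-side JAAS entry
 * (storeKey removed, per the replies above) in a file named jaas.conf:
 *
 *   VicadsKerberos {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true debug=true;
 *   };
 *
 * Assumed invocation (Java 6 compatible, no lambdas):
 *   java -Djava.security.auth.login.config=jaas.conf
 *        -Djava.security.krb5.realm=DEVEL.OPENROADSCONSULTING.COM
 *        -Djava.security.krb5.kdc=192.168.100.101
 *        KerberosClientCheck host/server.devel.openroadsconsulting.com
 */
public class KerberosClientCheck {

    // JAAS entry name from the thread; must exist in the configured login file.
    private static final String JAAS_ENTRY = "VicadsKerberos";

    /** Log in via the JAAS entry (native ticket cache) and return the Subject. */
    public static Subject login() throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();
        return lc.getSubject();
    }

    /**
     * Detect the symptom from the thread: a principal such as
     * user@realm.com@REALM.COM, where a realm was appended to a name that
     * already carried one. Returns true only when every Kerberos principal
     * in the Subject has exactly one '@'.
     */
    public static boolean principalsLookSane(Subject subject) {
        Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
        if (principals.isEmpty()) {
            return false; // login succeeded but no Kerberos identity was stored
        }
        for (KerberosPrincipal p : principals) {
            String name = p.getName();
            int first = name.indexOf('@');
            int last = name.lastIndexOf('@');
            if (first < 0 || first != last) {
                System.err.println("Suspicious principal in Subject: " + name);
                return false;
            }
        }
        return true;
    }

    /**
     * Run initSecContext as the logged-in Subject and return the first token
     * (the AP-REQ the client would send to the service). A real client keeps
     * the GSSContext to process the server's reply; here only the first leg
     * is produced, which is where the thread's error surfaces.
     */
    public static byte[] initialToken(Subject subject, final String servicePrincipal) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");       // Kerberos V5 mechanism OID
                Oid krb5NameType = new Oid("1.2.840.113554.1.2.2.1"); // Kerberos principal name type
                GSSName server = manager.createName(servicePrincipal, krb5NameType);
                GSSContext ctx = manager.createContext(server, krb5Mech, null,
                        GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                // First call: empty input token, the returned bytes go to the server.
                return ctx.initSecContext(new byte[0], 0, 0);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Assumed service principal; override on the command line.
        String service = args.length > 0 ? args[0] : "host/server.devel.openroadsconsulting.com";
        Subject subject = login();
        System.out.println("Principals in Subject: " + subject.getPrincipals());
        if (!principalsLookSane(subject)) {
            System.err.println("Principal/realm looks wrong; inspect the native cache with klist or kerbtray before calling initSecContext.");
            return;
        }
        byte[] token = initialToken(subject, service);
        System.out.println("initSecContext produced " + token.length + " bytes for " + service);
    }
}
```

The sanity check runs before any network exchange, so a mangled principal (the "Ticket and authenticator don't match" case) is reported from the Subject itself rather than as a GSSException; the Krb5LoginModule debug output already shown in the thread is still the quickest way to see where the extra realm is being appended.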