
Support for RC4-HMAC-MD5 encryption type in Kerberos


    • Type: Enhancement
    • Resolution: Duplicate
    • Priority: P4
    • Fix Version/s: None
    • Affects Version/s: 5.0
    • Component/s: security-libs

      A DESCRIPTION OF THE REQUEST :
      Sun's implementation of the GSSContext interface does not (as of J2SE 5.0) support the RC4-HMAC-MD5 encryption type which is used by Microsoft's Active Directory.

      This is etype 23 as defined by IANA: http://www.iana.org/assignments/kerberos-parameters

      An IETF internet draft describing this encryption type can be found here:
      ftp://ftp.saix.net/pub/rfc/ftp.ietf.org/internet-drafts-back/draft-brezak-win2k-krb-rc4-hmac-04.txt

      JUSTIFICATION :
      Probably the most widely used Kerberos KDC today is Microsoft's Active Directory, which only has support for DES and RC4-HMAC-MD5 encryption types. The only way to get single sign-on to work from a Java application (against Active Directory) today is to use DES keys, which means much weaker security.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      AcceptToken should decrypt the token given without an exception being thrown.
      ACTUAL -
      When given a Kerberos ticket encrypted with RC4-HMAC-MD5 (etype 23), acceptSecContext (from org.ietf.jgss.GSSContext) throws a GSSException:

      GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)


      ---------- BEGIN SOURCE ----------
      import org.ietf.jgss.*;
      import java.io.*;

      // Accepts a Kerberos AP-REQ token (as carried in an HTTP Negotiate header)
      // on the JGSS acceptor side. With a ticket encrypted using RC4-HMAC
      // (etype 23), acceptSecContext throws the GSSException quoted above.
      public class AcceptToken
      {
          byte[] inToken;

          public AcceptToken () throws IOException, GSSException {
              // file apreq.bin contains the token extracted from the HTTP header;
              // read it whole, since a real AP-REQ token can exceed 1024 bytes
              File tokenFile = new File ("apreq.bin");
              inToken = new byte[(int) tokenFile.length()];
              DataInputStream in = new DataInputStream (new FileInputStream (tokenFile));
              in.readFully (inToken);
              in.close();
              System.out.println ("Read " + inToken.length + " bytes");

              Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
              Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
              GSSManager manager = GSSManager.getInstance();
              // acceptor-only credential for the HTTP service principal
              GSSName serverName = manager.createName(
                      "HTTP/###@###.###",
                      krb5PrincipalNameType);
              GSSCredential serverCreds = manager.createCredential(
                      serverName,
                      GSSCredential.DEFAULT_LIFETIME,
                      krb5Mechanism,
                      GSSCredential.ACCEPT_ONLY);
              GSSContext ctx = manager.createContext(serverCreds);

              // fails here for etype 23: no key of a supported type to decrypt the ticket
              byte[] outToken = ctx.acceptSecContext (inToken, 0, inToken.length);
          }

          public static void main (String[] args) throws IOException, GSSException {
              new AcceptToken();
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Using DES keys - not really an option if you take security seriously.
      ###@###.### 2004-12-10 16:49:21 GMT
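As an added diagnostic, not code from this bug report or from the JDK, the following Python parses the same KRB_AP_REQ token the report reads from apreq.bin and reports the etype of the service ticket's enc-part, so an administrator can confirm whether the KDC issued an RC4-HMAC (etype 23) or a DES ticket before handing the token to acceptSecContext. It walks the RFC 2743 token framing and the RFC 4120 AP-REQ, Ticket and EncryptedData structures with a minimal DER reader; the sample token, its realm EXAMPLE.COM and its zeroed ciphertext are constructed placeholders.

```python
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}   # IANA Kerberos etype numbers

def read_tlv(buf, pos):  # decode one DER TLV (single-byte tag) at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def context_fields(seq):  # map the [n] context tags of a SEQUENCE body to the value each wraps
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = read_tlv(val, 0)[1]
    return fields

def ticket_etype(token):
    """Return the etype (Int32) of the Ticket enc-part inside a KRB_AP_REQ context token."""
    tag, body, _ = read_tlv(token, 0)                   # RFC 2743 InitialContextToken
    mech, oid, pos = read_tlv(body, 0)                  # mechanism OID, then 2-byte TOK_ID
    if tag != 0x60 or mech != 0x06 or oid != KRB5_MECH_OID or body[pos:pos + 2] != b"\x01\x00":
        raise ValueError("not a GSS-API Kerberos V5 KRB_AP_REQ token")
    tag, apreq, _ = read_tlv(body, pos + 2)             # [APPLICATION 14] AP-REQ
    apreq = context_fields(read_tlv(apreq, 0)[1])
    ticket = context_fields(read_tlv(apreq[3], 0)[1])   # [APPLICATION 1] Ticket
    enc_part = context_fields(ticket[3])                # EncryptedData SEQUENCE
    return int.from_bytes(enc_part[0], "big", signed=True)

def describe(token):  # human-readable summary, e.g. describe(open("apreq.bin", "rb").read())
    e = ticket_etype(token)
    return f"ticket enc-part etype {e} ({ETYPE_NAMES.get(e, 'unknown')})"

def tlv(tag, value):  # DER-encode one TLV, using long-form length when needed
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_ap_req_token(etype, cipher_len=16):  # constructed token, dummy ciphertext, etype < 128
    enc = tlv(0x30, tlv(0xA0, tlv(0x02, bytes([etype])))
              + tlv(0xA2, tlv(0x04, b"\0" * cipher_len)))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05"))
                 + tlv(0xA1, tlv(0x1B, b"EXAMPLE.COM")) + tlv(0xA3, enc)))
    apreq = tlv(0x6E, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0e"))
                + tlv(0xA3, ticket) + tlv(0xA4, enc)))
    return tlv(0x60, tlv(0x06, KRB5_MECH_OID) + b"\x01\x00" + apreq)
```

The raw AP-REQ must be unwrapped from the SPNEGO NegTokenInit first if the header carries SPNEGO rather than a bare Kerberos token.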

            smalkanisunw Seema Malkani (Inactive)
            gmanwanisunw Girish Manwani (Inactive)