JDK-6413153

KerberosTicket throws exception when authtime field in KrbCredInfo is null

Details

    • Bug
    • Status: Resolved
    • P1
    • Resolution: Fixed
    • 5.0
    • 6
    • security-libs
    • b85
    • x86
    • windows_2000

      Description

        When an SSPI client talks to a Java GSS-API server with delegation enabled, acceptSecContext raises an exception: "java.lang.IllegalArgumentException: Authentication time of ticket cannot be null".

        The cause of the problem is that the authtime of the forwarded ticket generated by the Windows KDC is null, and Sun's Kerberos implementation doesn't allow this.

        According to RFC4120 (http://www.ietf.org/rfc/rfc4120.txt?number=4120), in the KRB_CRED message (the message used to forward credentials), the authtime field is optional:
           KrbCredInfo ::= SEQUENCE {
                   key [0] EncryptionKey,
                   prealm [1] Realm OPTIONAL,
                   pname [2] PrincipalName OPTIONAL,
                   flags [3] TicketFlags OPTIONAL,
                   authtime [4] KerberosTime OPTIONAL,
                   starttime [5] KerberosTime OPTIONAL,
                   endtime [6] KerberosTime OPTIONAL,
                   renew-till [7] KerberosTime OPTIONAL,
                   srealm [8] Realm OPTIONAL,
                   sname [9] PrincipalName OPTIONAL,
                   caddr [10] HostAddresses OPTIONAL
           }

        Other Kerberos implementations, such as MSFT, IBM, and MIT, all accept a null authtime in the forwarded ticket.

        Other people on the web have also encountered the same problem: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3. Note that RFC1510, mentioned in the above link, has been obsoleted by RFC4120.
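
        A tolerant decoder for the KrbCredInfo structure quoted above, as an added example that is not part of the original report or of the JDK: it maps every absent OPTIONAL field, authtime included, to None instead of rejecting the message. The function names (read_tlv, parse_krb_cred_info, tlv, sample) are hypothetical, and the sample bytes (key type 18, an all-zero key, the 2006 timestamps) are constructed for the demonstration.

```python
from datetime import datetime, timezone

# Index = context tag number in the KrbCredInfo definition quoted above.
NAMES = ["key", "prealm", "pname", "flags", "authtime", "starttime",
         "endtime", "renew-till", "srealm", "sname", "caddr"]

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_krb_cred_info(der):
    """Decode KrbCredInfo; OPTIONAL fields that are absent map to None."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    info = dict.fromkeys(NAMES)            # every field starts as None
    pos, last = 0, -1
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        num = tag - 0xA0                   # [n] EXPLICIT, constructed
        if not 0 <= num < len(NAMES) or num <= last:
            raise ValueError(f"unexpected or out-of-order tag 0x{tag:02x}")
        last = num
        if 4 <= num <= 7:                  # authtime..renew-till: KerberosTime
            itag, raw, _ = read_tlv(value, 0)
            if itag != 0x18:               # GeneralizedTime
                raise ValueError(f"{NAMES[num]} is not a KerberosTime")
            value = datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ")
            value = value.replace(tzinfo=timezone.utc)
        info[NAMES[num]] = value
    if info["key"] is None:                # key is the only mandatory field
        raise ValueError("KrbCredInfo without key")
    return info

def tlv(tag, value):  # DER encoder for the sample (short-form lengths only)
    return bytes([tag, len(value)]) + value

def sample(with_authtime):  # constructed input: key, optional authtime, endtime
    t = lambda n, s: tlv(0xA0 + n, tlv(0x18, s))
    key = tlv(0xA0, tlv(0x30, tlv(0xA0, b"\x02\x01\x12") + tlv(0xA1, tlv(0x04, bytes(16)))))
    auth = t(4, b"20060403120000Z") if with_authtime else b""
    return tlv(0x30, key + auth + t(6, b"20060403220000Z"))
```

        Code that consumes the decoded structure then has to decide what a missing authtime means for it, rather than treating absence as a malformed ticket.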

              People

                smalkanisunw Seema Malkani (Inactive)
                duke J. Duke (Inactive)