Type: Bug
Resolution: Fixed
Priority: P1
Affects Version: 5.0
Resolved In Build: b85
CPU: x86
OS: windows_2000
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2138153 | 5.0u8 | Seema Malkani | P1 | Resolved | Fixed | b02 |
JDK-2138152 | 1.4.2_13 | Abhijit Saha | P1 | Resolved | Fixed | b01 |
When an SSPI client talks to a Java GSS-API server with delegation enabled, acceptSecContext throws "java.lang.IllegalArgumentException: Authentication time of ticket cannot be null".
The cause is that the authtime of the forwarded ticket generated by the Windows KDC is absent (null), and Sun's Kerberos implementation rejects it.
According to RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt?number=4120), in the KRB_CRED message (the message used to forward credentials) the authtime field of KrbCredInfo is OPTIONAL:
KrbCredInfo ::= SEQUENCE {
key [0] EncryptionKey,
prealm [1] Realm OPTIONAL,
pname [2] PrincipalName OPTIONAL,
flags [3] TicketFlags OPTIONAL,
authtime [4] KerberosTime OPTIONAL,
starttime [5] KerberosTime OPTIONAL,
endtime [6] KerberosTime OPTIONAL,
renew-till [7] KerberosTime OPTIONAL,
srealm [8] Realm OPTIONAL,
sname [9] PrincipalName OPTIONAL,
caddr [10] HostAddresses OPTIONAL
}
Other Kerberos implementations (Microsoft, IBM, MIT) all accept a missing authtime in the forwarded ticket.
Others have hit the same problem: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3. Note that RFC 1510, referenced in that thread, has been obsoleted by RFC 4120.
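To make the wire-level point concrete, here is an added example (not JDK code and not from this report): a minimal DER encoder/decoder for the KrbCredInfo structure quoted above. It builds two credentials, one with and one without the OPTIONAL authtime [4] field, parses both, and runs each through a strict acceptor that mirrors the rejection described in the report and a lenient acceptor that treats a missing authtime as RFC 4120 allows. Key type, key bytes and timestamps are constructed for the example; only the key and the four KerberosTime fields are decoded, the other OPTIONAL members are skipped.

```python
"""Added example (not JDK code): DER encode/decode of RFC 4120 KrbCredInfo
to show that authtime [4] is OPTIONAL on the wire, and how a strict acceptor
(the behaviour this report describes) differs from a lenient one."""
from datetime import datetime, timezone


# --- DER helpers: short/long-form lengths and EXPLICIT context tags ---

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def ctx(n, content):
    # RFC 4120 uses EXPLICIT tagging: [n] wraps the complete inner TLV.
    return tlv(0xA0 | n, content)


def read_tlv(buf, pos=0):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- KrbCredInfo encode / decode (key plus the four KerberosTime fields) ---

TIME_FIELDS = {4: "authtime", 5: "starttime", 6: "endtime", 7: "renew-till"}


def kerberos_time(dt):
    # KerberosTime ::= GeneralizedTime, always "YYYYMMDDHHMMSSZ" in Kerberos.
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def parse_kerberos_time(raw):
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def encryption_key(keytype, keyvalue):
    # EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }
    return tlv(0x30, ctx(0, tlv(0x02, bytes([keytype]))) + ctx(1, tlv(0x04, keyvalue)))


def encode_krb_cred_info(key, times):
    """times: dict of field name -> datetime; any OPTIONAL field may be omitted."""
    fields = ctx(0, key)
    for n, name in TIME_FIELDS.items():
        if name in times:
            fields += ctx(n, kerberos_time(times[name]))
    return tlv(0x30, fields)


def parse_krb_cred_info(der):
    """Return a dict; absent OPTIONAL time fields come back as None."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("KrbCredInfo must be a SEQUENCE")
    info = {name: None for name in TIME_FIELDS.values()}
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        n = tag & 0x1F                      # context tag number
        _, inner, _ = read_tlv(content)     # unwrap the explicit tag
        if n == 0:
            info["key"] = inner
        elif n in TIME_FIELDS:
            info[TIME_FIELDS[n]] = parse_kerberos_time(inner)
        # prealm, pname, flags, srealm, sname, caddr are skipped in this example
    return info


# --- Two acceptor policies ---

def accept_strict(info):
    # Mirrors the rejection quoted in the report: authtime is mandatory.
    if info["authtime"] is None:
        raise ValueError("Authentication time of ticket cannot be null")
    return info


def accept_lenient(info):
    # RFC 4120 marks authtime OPTIONAL, so a missing value is not an error.
    return info


def demo():
    key = encryption_key(23, bytes(16))    # constructed: keytype 23, all-zero key
    start = datetime(2006, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    end = datetime(2006, 1, 1, 22, 0, 0, tzinfo=timezone.utc)
    with_auth = encode_krb_cred_info(key, {"authtime": start, "starttime": start, "endtime": end})
    without_auth = encode_krb_cred_info(key, {"starttime": start, "endtime": end})
    results = {}
    for label, der in (("with_authtime", with_auth), ("without_authtime", without_auth)):
        info = parse_krb_cred_info(der)
        try:
            accept_strict(info)
            strict = "accepted"
        except ValueError as e:
            strict = "rejected: " + str(e)
        results[label] = (info["authtime"], strict, accept_lenient(info)["endtime"])
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The second credential is exactly the shape the report describes: a well-formed KrbCredInfo whose authtime member is simply absent. A decoder that maps absence to null and then treats null as an error turns an RFC-conformant message into a rejection; the lenient path keeps the value as None and lets the caller decide whether a missing authtime matters for its policy.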
Backported by:
- JDK-2138152 KerberosTicket throws exception when authtime field in KrbCredInfo is null (Resolved)
- JDK-2138153 KerberosTicket throws exception when authtime field in KrbCredInfo is null (Resolved)