Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6587676

Krb5LoginModule failure if useTicketCache=true on Vista

XMLWordPrintable

    • b57
    • x86
    • windows, windows_vista

      FULL PRODUCT VERSION :
      Any Java version >= 1.5, 1.6 update 2 included

      ADDITIONAL OS VERSION INFORMATION :
      Windows Vista 6.0.6000

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      KDC = Windows 2003 Server


      A DESCRIPTION OF THE PROBLEM :
        Description
      =========
      Get a KRB5KRB_AP_ERR_BAD_INTEGRITY (31) on Vista (GSS client) while running totorial http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html.

      with the following JAAS configuration:

      com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true renewTGT=true;
      };

      com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true debug=true doNotPrompt=true useKeyTab=true keyTab=s-j-wcbz0115.keytab principal="HTTP/###@###.###" useTicketCache=true isInitiator=false;
      };

      Other infos
      =========
      1) On Vista, allowtgtsessionkey has been set.
      2) SampleClient on Vista, SampleServer on W2K. Bringing the SampleClient on W2K with the same config WORKS!
      3) Happen with and Java version >= 1.5
      4) Initializing the cache with kinit makes the SampleClient on Vista to work as expected!!!!!

      The Krb5LoginModule when configured with useTicketCache=true uses the Windows LSA API to get the Kerberos TGT.
      In Vindows Vista introduces some more restrictions on LSA API, here is the mail from Microsoft support:

        To answer your question, in looking at the Vista source I can see that the AllowTgtSessionKey registry key is still read from under Lsa\Kerberos\Parameters. It should be a DWORD value.

      However comparing the XP and Vista Sources where AllowTgtSessionKey is used I can see that in the case of Vista additional checking is done which relate to whether the caller (user) is using an LUA (Least User Access) security token which would be the case if the operation was triggered by a "normal" logged on user. This would prevent access.


      It seams that using Windows SSPI instead on LSA should work


      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Run the SampleClient and SampleServer with the following bcsLogin.conf (configured for your Kerberos SPN)

      /**
      * Used by the client
      */
      com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true renewTGT=true;
      };

      /**
      * Used by the server
      */
      com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true debug=true doNotPrompt=true useKeyTab=true keyTab=s-j-wcbz0115.keytab principal="HTTP/###@###.###" useTicketCache=true isInitiator=false;
      };

      SampleClient on Vista!


      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Leam less SSO Authentication
      ACTUAL -
      client:
           [java] Connected to server wcbz0115/10.168.24.84
           [java] Debug is true storeKey false useTicketCache true useKeyTab false do
      NotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false pri
      ncipal is null tryFirstPass is false useFirstPass is false storePass is false cl
      earPass is false
           [java] Acquire TGT from Cache
           [java] Ticket could not be renewed : This ticket is not renewable
           [java] Principal is null
           [java] null credentials from Ticket Cache
           [java] [Krb5LoginModule] authentication failed
           [java] Unable to obtain Princpal Name for authentication
           [java] GSSException: No valid credentials provided (Mechanism level: Attemp
      t to obtain new INITIATE credentials failed! (null))
           [java] at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(K
      rb5InitCredential.java:336)
           [java] at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5Ini
      tCredential.java:131)
           [java] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(K
      rb5MechFactory.java:72)
           [java] at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSMana
      gerImpl.java:149)
           [java] at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.jav
      a:389)
           [java] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.
      java:60)
           [java] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.
      java:37)
           [java] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerI
      mpl.java:96)
           [java] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImp
      l.java:178)
           [java] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImp
      l.java:158)
           [java] at SampleClient.main(Unknown Source)
           [java] Caused by: javax.security.auth.login.LoginException: Unable to obtai
      n Princpal Name for authentication
           [java] at com.sun.security.auth.module.Krb5LoginModule.promptForName(Kr
      b5LoginModule.java:689)
           [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentic
      ation(Krb5LoginModule.java:599)
           [java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginM
      odule.java:512)
           [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAcces
      sorImpl.java:39)
           [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMet
      hodAccessorImpl.java:25)
           [java] at java.lang.reflect.Method.invoke(Method.java:585)
           [java] at javax.security.auth.login.LoginContext.invoke(LoginContext.ja
      va:769)
           [java] at javax.security.auth.login.LoginContext.access$000(LoginContex
      t.java:186)
           [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.jav
      a:683)
           [java] at java.security.AccessController.doPrivileged(Native Method)
           [java] at javax.security.auth.login.LoginContext.invokePriv(LoginContex
      t.java:680)
           [java] at javax.security.auth.login.LoginContext.login(LoginContext.jav
      a:579)
           [java] at sun.security.jgss.LoginUtility.login(LoginUtility.java:74)
           [java] at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util
      .java:137)
           [java] at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCrede
      ntial.java:331)
           [java] at java.security.AccessController.doPrivileged(Native Method)
           [java] at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(K
      rb5InitCredential.java:328)
           [java] ... 10 more
           [java] Exception in thread "main" GSSException: No valid credentials provid
      ed
           [java] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.
      java:69)
           [java] at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.
      java:37)
           [java] at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerI
      mpl.java:96)
           [java] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImp
      l.java:178)
           [java] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImp
      l.java:158)
           [java] at SampleClient.main(Unknown Source)

      BUILD FAILED
      C:\WORK\GSS-API\build.xml:38: Java returned: 1

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      See actual result. With ethereal on the vista client:

      No. Time Source Destination Protocol Info
         1713 6.357615 138.191.82.26 10.168.24.44 KRB5 KRB Error: KRB5KRB_AP_ERR_BAD_INTEGRITY

      Frame 1713 (151 bytes on wire, 151 bytes captured)
      Ethernet II, Src: Cisco_94:db:ff (00:0a:41:94:db:ff), Dst: 10.168.24.44 (00:14:c2:0c:41:09)
      Internet Protocol, Src: 138.191.82.26 (138.191.82.26), Dst: 10.168.24.44 (10.168.24.44)
      Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 49289 (49289), Seq: 1, Ack: 4091, Len: 97
      Kerberos KRB-ERROR
          Record Mark: 93 bytes
              0... .... .... .... .... .... .... .... = Reserved: Not set
              .000 0000 0000 0000 0000 0000 0101 1101 = Record Length: 93
          Pvno: 5
          MSG Type: KRB-ERROR (30)
          stime: 2007-06-19 09:25:27 (Z)
          susec: 856008
          error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
          Realm: PNET.CH
          Server Name (Principal): HTTP/wcbz0115.pnet.ch
              Name-type: Principal (1)
              Name: HTTP
              Name: wcbz0115.pnet.ch


      REPRODUCIBILITY :
      This bug can be reproduced always.

            weijun Weijun Wang
            ryeung Roger Yeung (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved:
              Imported:
              Indexed: