Bug
Resolution: Not an Issue
P4
None
6
x86
windows_2000
FULL PRODUCT VERSION :
java version "1.6.0_03"
Java(TM) SE Runtime Environment (build 1.6.0_03-b05)
Java HotSpot(TM) Client VM (build 1.6.0_03-b05, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows 2000 [Version 5.00.2195]
A DESCRIPTION OF THE PROBLEM :
Problems happen with Kerberos authentication.
We have a JEE server and a Java client.
The server is protected with SPNEGO/KERBEROS security.
The client accesses the server over HTTP.
The server runs in the SSO.EPO.ORG domain and authenticates to the domain with the appropriate keytab file. The client runs in the INTERNAL.EPO.ORG domain.
There is a trust relationship between the INTERNAL.EPO.ORG and SSO.EPO.ORG domains.
Use Case:
The client accesses the server over HTTP. During authentication the following error happens:
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.net.www.protocol.http.NegotiatorImpl.init(Unknown Source)
at sun.net.www.protocol.http.NegotiatorImpl.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.net.www.protocol.http.Negotiator.getSupported(Unknown Source)
at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(Unknown Source)
at sun.net.www.protocol.http.AuthenticationHeader.parse(Unknown Source)
at sun.net.www.protocol.http.AuthenticationHeader.<init>(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
..........
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Configure a dummy JEE application to use SPNEGO/Kerberos authentication.
In web.xml file secure some url, for example, http://yourserver.com/securesite
2. Use a dummy Java client to do an HTTP GET request to the URL http://yourserver.com/securesite
for example:
import java.io.*;
import java.net.*;
// On a 401 with "WWW-Authenticate: Negotiate", HttpURLConnection performs the SPNEGO/Kerberos exchange itself
URL url = new URL("http://yourserver.com/securesite");
HttpURLConnection c = (HttpURLConnection) url.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"));
reader.close();
c.disconnect();
3. Configure the client to use Kerberos:
3.1. Specify system properties:
set JAVA_OPT= -Djava.security.auth.login.config=krb-client.login
set JAVA_OPT=%JAVA_OPT% -Djava.security.krb5.conf=krb5.conf
set JAVA_OPT=%JAVA_OPT% -Djavax.security.auth.useSubjectCredsOnly=false
set JAVA_OPT=%JAVA_OPT% -Djava.security.debug=true
set JAVA_OPT=%JAVA_OPT% -Dsun.security.krb5.debug=true
3.2. Provide the proper config files.
krb-client.login content:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
debug=true
useTicketCache=true
;
};
krb5.conf we use:
[libdefaults]
default_realm = INTERNAL.EPO.ORG
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
kdc_timesync = 0
kdc_default_options = 0x40000010
clockskew = 30000
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000
[domain_realm]
sso.epo.org = SSO.EPO.ORG
.sso.epo.org = SSO.EPO.ORG
internal.epo.org = INTERNAL.EPO.ORG
.internal.epo.org = INTERNAL.EPO.ORG
[realms]
SSO.EPO.ORG = {
admin_server = GVW009.sso.epo.org
kdc = GVW009.sso.epo.org
}
INTERNAL.EPO.ORG = {
admin_server = GVW001.internal.epo.org
kdc = GVW001.internal.epo.org
}
[capaths]
INTERNAL.EPO.ORG = {
SSO.EPO.ORG = .
}
SSO.EPO.ORG = {
INTERNAL.EPO.ORG = .
}
In our test the server runs in SSO.EPO.ORG and the client runs in INTERNAL.EPO.ORG.
4. Run the client
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected result - successful authentication and the server returns 200 OK
ACTUAL -
Actual result:
The client side crashes with the error specified below.
Using Wireshark I see that the client successfully gets a TGT for the SSO.EPO.ORG domain but fails to send an AS-REQ message to the SSO.EPO.ORG KDC.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
CLIENT SIDE system output:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Documents and Settings\sb82058\krb5cc_sb82058
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=###@###.###
server=krbtgt/###@###.###
authTime=20080702140345Z
startTime=20080702140345Z
endTime=20080703030345Z
renewTill=20080709140345Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is ###@###.###
Commit Succeeded
Found ticket for ###@###.### to go to krbtgt/###@###.### expiring on Thu Jul 03 05:03:45 CEST 2008
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=GVW001.internal.epo.org UDP:88, timeout=60000, number of retries =3, #bytes=1363
>>> KDCCommunication: kdc=GVW001.internal.epo.org UDP:88, timeout=60000,Attempt =1, #bytes=1363
>>> KrbKdcReq send: #bytes read=1279
>>> KrbKdcReq send: #bytes read=1279
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.net.www.protocol.http.NegotiatorImpl.init(Unknown Source)
at sun.net.www.protocol.http.NegotiatorImpl.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.net.www.protocol.http.Negotiator.getSupported(Unknown Source)
at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(Unknown Source)
at sun.net.www.protocol.http.AuthenticationHeader.parse(Unknown Source)
at sun.net.www.protocol.http.AuthenticationHeader.<init>(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at org.epo.security.testsuite.httpclient.GdsUpdTest.doPost(GdsUpdTest.java:96)
at org.epo.security.testsuite.httpclient.AbstractLoadTest.doTask(AbstractLoadTest.java:105)
at org.epo.security.testsuite.httpclient.AbstractLoadTest.access$100(AbstractLoadTest.java:22)
at org.epo.security.testsuite.httpclient.AbstractLoadTest$Runner.run(AbstractLoadTest.java:206)
at org.epo.security.testsuite.httpclient.ThreadPool.run(ThreadPool.java:103)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
client side:
import java.io.*;
import java.net.*;
// On a 401 with "WWW-Authenticate: Negotiate", HttpURLConnection performs the SPNEGO/Kerberos exchange itself
URL url = new URL("http://yourserver.com/securesite");
HttpURLConnection c = (HttpURLConnection) url.openConnection();
BufferedReader reader = new BufferedReader(new InputStreamReader(c.getInputStream(), "UTF-8"));
reader.close();
c.disconnect();
server side:
actually ANY HTTP server/application server that is secured with SPNEGO/Kerberos
(JEE compliant, MS IIS, Apache with mod_kerb module, etc.)
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
none found
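The following script is an added example and is not code from the submitted report or from the JDK. It parses a krb5.conf like the one quoted above (the embedded copy is constructed from the report's, with the [realms] section left out because these checks do not need KDC addresses) and runs three checks that are worth doing before suspecting the JGSS client in a cross-realm setup like this one: which realm the service host maps to under [domain_realm] (a host that matches no rule falls back to default_realm, so the client treats the service as same-realm and sends its TGS-REQ to its own KDC instead of walking the trust; the placeholder host yourserver.com from the repro steps behaves exactly that way against this configuration); which cross-realm TGTs [capaths] says the client must obtain; and whether default_tgs_enctypes (des-cbc-md5 and des-cbc-crc, the "3 1" in the debug output) lists the enctype of the TGT the client actually holds (EType 23, rc4-hmac, per the "Obtained TGT from LSA" lines). A mismatch flagged here does not by itself explain error 41: in the JDK, KrbKdcRep.check raises KRB_AP_ERR_MODIFIED when fields of the KDC reply (client or server name, realm) do not match the request that was sent, which is the client correctly refusing a reply it did not ask for, so the useful comparison on the wire is the sname and realm in the TGS-REQ against those in the TGS-REP. Realm and host names are those of the report; the enctype table is the IANA assignment.

```python
"""Sanity checks on the krb5.conf of a JGSS/Kerberos client (added example)."""
import re

# IANA Kerberos enctype numbers (RFC 3961/3962, RFC 4757).
ENCTYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
            "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
            "rc4-hmac": 23, "arcfour-hmac": 23}

# Constructed copy of the krb5.conf quoted in the report ([realms] omitted:
# nothing below needs KDC addresses).
SAMPLE_KRB5_CONF = """
[libdefaults]
default_realm = INTERNAL.EPO.ORG
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[domain_realm]
sso.epo.org = SSO.EPO.ORG
.sso.epo.org = SSO.EPO.ORG
internal.epo.org = INTERNAL.EPO.ORG
.internal.epo.org = INTERNAL.EPO.ORG
[capaths]
INTERNAL.EPO.ORG = {
SSO.EPO.ORG = .
}
SSO.EPO.ORG = {
INTERNAL.EPO.ORG = .
}
"""

def parse_krb5_conf(text):
    """{section: {key: value}} with one level of `NAME = { ... }` sub-blocks."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = sections.setdefault(header.group(1), {}), None
        elif not line or section is None:
            continue                      # blank line, or text before any section
        elif line == "}":
            block = None                  # end of a sub-block
        elif re.match(r"^[^=\s]+\s*=\s*\{$", line):
            block = section.setdefault(line.split("=")[0].strip(), {})
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return sections

def realm_for_host(conf, host):
    """[domain_realm] lookup: exact host first, then dotted parent domains, most
    specific first. No match -> (default_realm, None): treated as same-realm."""
    rules, host = conf.get("domain_realm", {}), host.lower()
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for rule in candidates:
        if rule in rules:
            return rules[rule], rule
    return conf.get("libdefaults", {}).get("default_realm"), None

def cross_realm_path(conf, client_realm, service_realm):
    """Realms whose cross-realm TGTs the client needs, per [capaths] ('.' means
    a direct trust). [] if same realm; None if no path is configured."""
    path, current, seen = [], client_realm, set()
    while current != service_realm:
        if current in seen:
            raise ValueError("capaths loop at " + current)
        seen.add(current)
        hop = conf.get("capaths", {}).get(current, {}).get(service_realm)
        if hop is None:
            return None
        current = service_realm if hop == "." else hop
        path.append(current)
    return path

def enctype_check(conf, tgt_etype):
    """Compare default_tgs_enctypes with the enctype of the TGT in hand."""
    names = conf.get("libdefaults", {}).get("default_tgs_enctypes", "").split()
    numbers = [ENCTYPES[n] for n in names if n in ENCTYPES]
    return {"configured": numbers,
            "unknown_names": [n for n in names if n not in ENCTYPES],
            "tgt_etype_listed": tgt_etype in numbers}

def diagnose(conf_text, client_realm, service_host, tgt_etype):
    """Run all three checks for one service host and return the findings."""
    conf = parse_krb5_conf(conf_text)
    service_realm, rule = realm_for_host(conf, service_host)
    return {"service_realm": service_realm,
            "domain_realm_rule": rule,
            "cross_realm": service_realm != client_realm,
            "tgt_path": cross_realm_path(conf, client_realm, service_realm),
            "enctypes": enctype_check(conf, tgt_etype)}

if __name__ == "__main__":
    # Placeholder host from the repro steps and the SSO KDC host; TGT etype 23 from the debug log.
    for host in ("yourserver.com", "gvw009.sso.epo.org"):
        print(host, diagnose(SAMPLE_KRB5_CONF, "INTERNAL.EPO.ORG", host, 23))
```

Run it directly to print the findings for the placeholder host and for the SSO.EPO.ORG KDC host; the first resolves to the client's own realm (no [domain_realm] rule matches, so no cross-realm TGT is requested), the second resolves to SSO.EPO.ORG with a one-hop direct trust. The dict is what you would set beside the Wireshark capture when deciding which KDC the TGS-REQ should have gone to.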