- Bug
- Resolution: Duplicate
- P4
- None
- 6u13
- x86
- windows_xp
FULL PRODUCT VERSION :
java version "1.6.0_13"
Java(TM) SE Runtime Environment (build 1.6.0_13-b03)
Java HotSpot(TM) Client VM (build 11.3-b02, mixed mode, sharing)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP [Version 5.1.2600]
Microsoft Windows [Version 5.2.3790]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Kerberos authentication with Windows 2003 server Active Directory.
A DESCRIPTION OF THE PROBLEM :
JAAS implementation of Kerberos authentication does not support encoding of non-ASCII characters in Principal Name
I am using JAAS (jdk 1.6 update 13) Krb5LoginModule to authenticate a Windows 2003 Active Directory user in Japanese Locale.
Authentication fails with the following Kerberos error at the client side:
(06/04 11:35:20:331):{http-127.0.0.1-443-2} [STDOUT] [INFO] Refreshing Kerberos configuration
(06/04 11:35:34:472):{http-127.0.0.1-443-2} [STDOUT] [INFO] [Krb5LoginModule] user entered username: ŽR“c‰ÔŽq
(06/04 11:35:34:503):{http-127.0.0.1-443-2} [STDOUT] [INFO] Acquire TGT using AS Exchange
(06/04 11:35:34:519):{http-127.0.0.1-443-2} [STDOUT] [INFO] [Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
I investigated further using Wireshark to look at the AS-REQ packet being sent over the network and found that the packet data contains the characters ???? in place of the user name.
Looking at the code (with limited debugging), it appears sun.security.krb5.PrincipalName.asn1Encode() cannot encode a principal name in the Japanese character set and is putting these ???? characters into the OUT stream instead.
However password with Unicode characters seems to be supported
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Write a JAAS client for Kerberos authentication
2. Specify following login module in JAAS.conf:
com.sun.security.auth.module.Krb5LoginModule
3. Run the client to authenticate a kerberos principal name in Japanese locale
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Authentication should succeed after successful AS-Exchange with KDC
ACTUAL -
Authentication fails during AS-Exchange with following error:
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
(06/04 11:35:20:331):{http-127.0.0.1-443-2} [STDOUT] [INFO] Refreshing Kerberos configuration
(06/04 11:35:34:472):{http-127.0.0.1-443-2} [STDOUT] [INFO] [Krb5LoginModule] user entered username: ŽR“c‰ÔŽq
(06/04 11:35:34:503):{http-127.0.0.1-443-2} [STDOUT] [INFO] Acquire TGT using AS Exchange
(06/04 11:35:34:519):{http-127.0.0.1-443-2} [STDOUT] [INFO] [Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
JAAS client main program:
=======================
import java.util.Properties;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Point the Kerberos implementation at the realm and KDC
Properties p = new java.util.Properties(System.getProperties());
p.setProperty("java.security.krb5.realm", kerberosRealm);
p.setProperty("java.security.krb5.kdc", kerberosKdc);
System.setProperties(p);

LoginContext lc;
try {
    // the callback handler will present the user credentials to the authentication package
    AuthCallbackHandler auth = new AuthCallbackHandler(userName, password);
    // create login context; the name must match the entry in JAAS.conf
    lc = new LoginContext(MainProgram.class.getName(), auth);
    // Attempt authentication
    lc.login();
}
catch (LoginException le) {
    System.err.println("Authentication attempt failed " + le);
    System.exit(-1);
}

JAAS.conf file:
================
/**
 * Login Configuration for JAAS.
 *
 */
samples.MainProgram {
    com.dstc.security.kerberos.jaas.KerberosLoginModule required client=true debug=true refreshKrb5Config=true;
};
/////////////////////////////
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
I could not find any workaround using Sun's libraries.
However other proprietary solutions which I have tried and which support Unicode are:
1. Quest's JAAS implementation for Kerberos (http://www.quest.com/)
2. Microsoft Windows native library
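
The substitution the report describes can be reproduced with plain Java string encoding. The following is an added example, not code from the report or from the JDK's Kerberos implementation: it encodes a constructed four-character Japanese name as a DER GeneralString (tag 0x1B, the ASN.1 type behind KerberosString in RFC 4120) under two charsets, and includes a pre-flight check that detects names the charset cannot represent. The class name, method names and sample name are assumptions made for illustration.

```java
import java.nio.charset.Charset;

public class PrincipalEncodingDemo {
    // Constructed sample: a four-character Japanese user name (not taken from the report).
    static final String NAME = "\u5C71\u7530\u82B1\u5B50";

    // Build a DER GeneralString (universal tag 0x1B) with a short-form length.
    // Sufficient for name components shorter than 128 bytes.
    static byte[] generalString(String s, Charset cs) {
        // String.getBytes(Charset) silently replaces unmappable characters
        // with the charset's replacement byte, which is '?' (0x3F) for US-ASCII.
        byte[] body = s.getBytes(cs);
        if (body.length > 127) {
            throw new IllegalArgumentException("long-form DER length not handled here");
        }
        byte[] der = new byte[body.length + 2];
        der[0] = 0x1B;
        der[1] = (byte) body.length;
        System.arraycopy(body, 0, der, 2, body.length);
        return der;
    }

    // Pre-flight check: true only if every character of the name can be
    // represented in the charset, i.e. encoding will not substitute anything.
    static boolean survives(String s, Charset cs) {
        return cs.newEncoder().canEncode(s);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02X ", b));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        Charset[] candidates = { Charset.forName("US-ASCII"), Charset.forName("UTF-8") };
        for (Charset cs : candidates) {
            System.out.println(cs.name()
                    + " lossless=" + survives(NAME, cs)
                    + " der=" + hex(generalString(NAME, cs)));
        }
    }
}
```

Running a check like `survives` on the user name before `lc.login()` turns a lossy encoding into a local, explainable error instead of a misleading "Client not found in Kerberos database (6)" from the KDC.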
- duplicates
  - JDK-6862679 ESC: AD Authentication with user with umlauts fails
  - Closed