- Bug
- Resolution: Fixed
- P4
- 8u5
- b36
- x86
- windows_2008
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8085073 | emb-9 | Weijun Wang | P4 | Resolved | Fixed | team |
JDK-8063918 | 8u45 | Weijun Wang | P4 | Resolved | Fixed | b01 |
JDK-8060452 | 8u40 | Weijun Wang | P4 | Resolved | Fixed | b12 |
JDK-8070002 | emb-8u47 | Weijun Wang | P4 | Resolved | Fixed | team |
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]
A DESCRIPTION OF THE PROBLEM :
Server account has constrained delegation.
After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential.
Then, trying to use that GSSCredential to create another GSSContext and call GSSContext.initSecContext, I receive the following exception:
...
Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368)
... 404 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
at sun.security.krb5.KrbCred.<init>(Unknown Source)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 412 more
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Server account has constrained delegation.
After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential.
Then, try to use that GSSCredential to create another GSSContext, and call GSSContext.initSecContext.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
expected GSSContext.initSecContext to be successful.
ACTUAL -
saw an exception
...
Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368)
... 404 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
at sun.security.krb5.KrbCred.<init>(Unknown Source)
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 412 more
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
I patched KrbCred.java by removing the following check:
/*
    if (!serviceTicket.getClient().equals(client))
        throw new KrbException(Krb5.KRB_ERR_GENERIC,
                "Client principal does not match");
*/
and I was able to proceed.
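The call sequence from the steps to reproduce, written out as an added example (it is not code from the report or from the JDK). The class `DelegatedInit`, the method `firstTokenToBackend` and the parameter `backendSpn` are hypothetical names, and the code assumes an already established acceptor-side context in a realm where the server account has constrained delegation.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper: names are illustrative, not part of the JDK or the report.
public final class DelegatedInit {

    // Object identifier of the SPNEGO mechanism.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * Builds the first SPNEGO token for a backend service on behalf of the
     * client that authenticated on acceptedCtx.
     * backendSpn is a host-based service name such as "HTTP@backend.example.test"
     * (constructed value).
     */
    public static byte[] firstTokenToBackend(GSSContext acceptedCtx, String backendSpn)
            throws GSSException {
        if (!acceptedCtx.isEstablished()) {
            throw new IllegalStateException("front-end context is not established");
        }
        // In the report this credential wraps a Krb5ProxyCredential (S4U2Proxy).
        GSSCredential delegated = acceptedCtx.getDelegCred();
        if (delegated == null) {
            throw new IllegalStateException("no delegated credential available");
        }

        GSSManager manager = GSSManager.getInstance();
        GSSName backend = manager.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                backend, new Oid(SPNEGO_OID), delegated, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);
            // The call that throws "Client principal does not match" in the report.
            return ctx.initSecContext(new byte[0], 0, 0);
        } catch (GSSException e) {
            // Major/minor codes separate a GSS-level failure from a mechanism-level one.
            System.err.println("initSecContext failed: major=" + e.getMajor()
                    + " minor=" + e.getMinor() + " (" + e.getMessage() + ")");
            throw e;
        } finally {
            // Repro only: a real client keeps ctx and loops until isEstablished().
            ctx.dispose();
        }
    }
}
```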
- backported by
  - JDK-8060452 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) - Resolved
  - JDK-8063918 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) - Resolved
  - JDK-8070002 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) - Resolved
  - JDK-8085073 Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential) - Resolved
- duplicates
  - JDK-8044214 Kerberos Constrained delegation - Closed
  - JDK-8060122 Kerberos Constrained delegation - Closed
- relates to
  - JDK-6355584 introduce constrained Kerberos delegation - Closed
  - JDK-8044214 Kerberos Constrained delegation - Closed