-
Bug
-
Resolution: Duplicate
-
P3
-
None
-
11.0.6
-
x86_64
-
linux
ADDITIONAL SYSTEM INFORMATION :
Red Hat Enterprise Linux 7 Version 7.7
Exception with:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode)
Works with:
openjdk version "11.0.5" 2019-10-15
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.5+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.5+10, mixed mode)
A DESCRIPTION OF THE PROBLEM :
When the username is entered in uppercase, krb5 throws an exception authentication again active directory with OpenJDK 11.0.6+10. Trying it with OpenJDK 11.0.5+10, it works.
Enter the username in lowercase, it works either way
REGRESSION : Last worked in version 11
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Trying to authenticate with krb5 again active directory with uppercase username and password
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
[mseele@bbl2xap1 michael]$ /tmp/jdk/jdk-11.0.5+10/bin/java -Dsun.security.krb5.debug=true -jar adTest.jar jaas.conf krb5.conf
Username:
DEP04801
Password:
Java config name: /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loading krb5 profile at /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Jan 22 11:03:04 CET 2020 1579687384000
suSec is 470232
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/CODE1.EMI.PHILIPS.COM@CODE1.EMI.PHILIPS.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=253
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000,Attempt =1, #bytes=253
>>>DEBUG: TCPClient reading 2888 bytes
>>> KrbKdcReq send: #bytes read=2888
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply DEP04801
Authentication successfull
ACTUAL -
[mseele@bbl2xap1 michael]$ /tmp/jdk/jdk-11.0.6+10/bin/java -Dsun.security.krb5.debug=true -jar adTestRep.jar jaas.conf krb5.conf
Username:
DEP04801
Password:
Java config name: /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loading krb5 profile at /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=188
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=188
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Jan 22 11:01:37 CET 2020 1579687297000
suSec is 578081
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/CODE1.EMI.PHILIPS.COM@CODE1.EMI.PHILIPS.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=268
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=268
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000, number of retries =3, #bytes=268
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000,Attempt =1, #bytes=268
>>>DEBUG: TCPClient reading 2910 bytes
>>> KrbKdcReq send: #bytes read=2910
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Exception in thread "main" javax.security.auth.login.LoginException: Message stream modified (41)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
at de.guhsoft.ad.Test.main(Test.java:29)
Caused by: KrbException: Message stream modified (41)
at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:744)
... 8 more
---------- BEGIN SOURCE ----------
------------------------------------------------------------------------------
--------------------------------- Test Code ---------------------------------
------------------------------------------------------------------------------
package de.guhsoft.ad;
import java.io.File;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
public class Test {
public static void main(String[] args) throws LoginException {
if (System.getProperty("java.security.auth.login.config") == null) { //$NON-NLS-1$
System.setProperty("java.security.auth.login.config", new File(args[0]).getAbsolutePath()); //$NON-NLS-1$
}
if (System.getProperty("java.security.krb5.conf") == null) { //$NON-NLS-1$
System.setProperty("java.security.krb5.conf", new File(args[1]).getAbsolutePath()); //$NON-NLS-1$
}
System.out.println("Username:"); //$NON-NLS-1$
String login = System.console().readLine();
System.out.println("Password:"); //$NON-NLS-1$
char[] password = System.console().readPassword();
final LoginContext loginContext = new LoginContext("AuthenticationService", new LoginAndPasswordCallbackHandler(login, new String(password))); //$NON-NLS-1$
loginContext.login();
loginContext.logout();
System.out.println("Authentication successfull"); //$NON-NLS-1$
}
private static class LoginAndPasswordCallbackHandler implements CallbackHandler {
private String fLogin;
private String fPassword;
/**
* The standard constructor of the class.
*
* @param login
* The login ...
* @param password
* ... and password which shall be authenticated.
*/
public LoginAndPasswordCallbackHandler(final String login, final String password) {
super();
this.fLogin = login;
this.fPassword = password;
}
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof NameCallback) {
final NameCallback nameCallback = (NameCallback) callbacks[i];
nameCallback.setName(this.fLogin);
} else if (callbacks[i] instanceof PasswordCallback) {
final PasswordCallback passwordCallback = (PasswordCallback) callbacks[i];
final String password = this.fPassword;
char[] passwordAsCharArray = new char[password.length()];
password.getChars(0, password.length(), passwordAsCharArray, 0);
passwordCallback.setPassword(passwordAsCharArray);
} else {
throw new UnsupportedCallbackException(callbacks[i]);
}
}
}
}
}
------------------------------------------------------------------------------
--------------------------------- Test Code ---------------------------------
------------------------------------------------------------------------------
-----------------------------------------------------------------------------
--------------------------------- jaas.conf ---------------------------------
-----------------------------------------------------------------------------
AuthenticationService {
com.sun.security.auth.module.Krb5LoginModule required;
};
-----------------------------------------------------------------------------
--------------------------------- jaas.conf ---------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--------------------------------- krb5.conf --------------------------------
-----------------------------------------------------------------------------
[libdefaults]
default_realm = <SERVER_NAME>
default_checksum = rsa-md5
[realms]
<SERVER_NAME> = {
kdc = <SERVER_NAME>
}
[domain_realms]
<SERVER_NAME> = <SERVER_NAME>
-----------------------------------------------------------------------------
--------------------------------- krb5.conf --------------------------------
-----------------------------------------------------------------------------
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Only workaround is to login with lowercase username
FREQUENCY : always
Red Hat Enterprise Linux 7 Version 7.7
Exception with:
openjdk version "11.0.6" 2020-01-14
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.6+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.6+10, mixed mode)
Works with:
openjdk version "11.0.5" 2019-10-15
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.5+10)
OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.5+10, mixed mode)
A DESCRIPTION OF THE PROBLEM :
When the username is entered in uppercase, krb5 throws an exception authentication again active directory with OpenJDK 11.0.6+10. Trying it with OpenJDK 11.0.5+10, it works.
Enter the username in lowercase, it works either way
REGRESSION : Last worked in version 11
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Trying to authenticate with krb5 again active directory with uppercase username and password
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
[mseele@bbl2xap1 michael]$ /tmp/jdk/jdk-11.0.5+10/bin/java -Dsun.security.krb5.debug=true -jar adTest.jar jaas.conf krb5.conf
Username:
DEP04801
Password:
Java config name: /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loading krb5 profile at /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Jan 22 11:03:04 CET 2020 1579687384000
suSec is 470232
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/CODE1.EMI.PHILIPS.COM@CODE1.EMI.PHILIPS.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=253
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000, number of retries =3, #bytes=253
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000,Attempt =1, #bytes=253
>>>DEBUG: TCPClient reading 2888 bytes
>>> KrbKdcReq send: #bytes read=2888
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply DEP04801
Authentication successfull
ACTUAL -
[mseele@bbl2xap1 michael]$ /tmp/jdk/jdk-11.0.6+10/bin/java -Dsun.security.krb5.debug=true -jar adTestRep.jar jaas.conf krb5.conf
Username:
DEP04801
Password:
Java config name: /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loading krb5 profile at /nfs/bbitsrv1/public/mseele/guhSync/michael/krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=188
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=188
>>> KrbKdcReq send: #bytes read=220
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Jan 22 11:01:37 CET 2020 1579687297000
suSec is 578081
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/CODE1.EMI.PHILIPS.COM@CODE1.EMI.PHILIPS.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = CODE1.EMI.PHILIPS.COMMichael.Seele, s2kparams = null
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000, number of retries =3, #bytes=268
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com UDP:88, timeout=30000,Attempt =1, #bytes=268
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000, number of retries =3, #bytes=268
>>> KDCCommunication: kdc=depbblhps1dc001.bbl.ms.philips.com TCP:88, timeout=30000,Attempt =1, #bytes=268
>>>DEBUG: TCPClient reading 2910 bytes
>>> KrbKdcReq send: #bytes read=2910
>>> KdcAccessibility: remove depbblhps1dc001.bbl.ms.philips.com
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Exception in thread "main" javax.security.auth.login.LoginException: Message stream modified (41)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
at de.guhsoft.ad.Test.main(Test.java:29)
Caused by: KrbException: Message stream modified (41)
at java.security.jgss/sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at java.security.jgss/sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:159)
at java.security.jgss/sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:744)
... 8 more
---------- BEGIN SOURCE ----------
------------------------------------------------------------------------------
--------------------------------- Test Code ---------------------------------
------------------------------------------------------------------------------
package de.guhsoft.ad;
import java.io.File;
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
public class Test {
public static void main(String[] args) throws LoginException {
if (System.getProperty("java.security.auth.login.config") == null) { //$NON-NLS-1$
System.setProperty("java.security.auth.login.config", new File(args[0]).getAbsolutePath()); //$NON-NLS-1$
}
if (System.getProperty("java.security.krb5.conf") == null) { //$NON-NLS-1$
System.setProperty("java.security.krb5.conf", new File(args[1]).getAbsolutePath()); //$NON-NLS-1$
}
System.out.println("Username:"); //$NON-NLS-1$
String login = System.console().readLine();
System.out.println("Password:"); //$NON-NLS-1$
char[] password = System.console().readPassword();
final LoginContext loginContext = new LoginContext("AuthenticationService", new LoginAndPasswordCallbackHandler(login, new String(password))); //$NON-NLS-1$
loginContext.login();
loginContext.logout();
System.out.println("Authentication successfull"); //$NON-NLS-1$
}
private static class LoginAndPasswordCallbackHandler implements CallbackHandler {
private String fLogin;
private String fPassword;
/**
* The standard constructor of the class.
*
* @param login
* The login ...
* @param password
* ... and password which shall be authenticated.
*/
public LoginAndPasswordCallbackHandler(final String login, final String password) {
super();
this.fLogin = login;
this.fPassword = password;
}
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++) {
if (callbacks[i] instanceof NameCallback) {
final NameCallback nameCallback = (NameCallback) callbacks[i];
nameCallback.setName(this.fLogin);
} else if (callbacks[i] instanceof PasswordCallback) {
final PasswordCallback passwordCallback = (PasswordCallback) callbacks[i];
final String password = this.fPassword;
char[] passwordAsCharArray = new char[password.length()];
password.getChars(0, password.length(), passwordAsCharArray, 0);
passwordCallback.setPassword(passwordAsCharArray);
} else {
throw new UnsupportedCallbackException(callbacks[i]);
}
}
}
}
}
------------------------------------------------------------------------------
--------------------------------- Test Code ---------------------------------
------------------------------------------------------------------------------
-----------------------------------------------------------------------------
--------------------------------- jaas.conf ---------------------------------
-----------------------------------------------------------------------------
AuthenticationService {
com.sun.security.auth.module.Krb5LoginModule required;
};
-----------------------------------------------------------------------------
--------------------------------- jaas.conf ---------------------------------
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
--------------------------------- krb5.conf --------------------------------
-----------------------------------------------------------------------------
[libdefaults]
default_realm = <SERVER_NAME>
default_checksum = rsa-md5
[realms]
<SERVER_NAME> = {
kdc = <SERVER_NAME>
}
[domain_realms]
<SERVER_NAME> = <SERVER_NAME>
-----------------------------------------------------------------------------
--------------------------------- krb5.conf --------------------------------
-----------------------------------------------------------------------------
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Only workaround is to login with lowercase username
FREQUENCY : always
- duplicates
-
JDK-8215032 Support Kerberos cross-realm referrals (RFC 6806)
-
- Resolved
-