JDK-8044215

Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential)


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 8u5
    • Fix Version/s: 9
    • Component/s: security-libs
    • Resolved In Build:
      b36
    • CPU:
      x86
    • OS:
      windows_2008


        Description

        FULL PRODUCT VERSION :
        java version "1.8.0_05"
        Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
        Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

        ADDITIONAL OS VERSION INFORMATION :
        Microsoft Windows [Version 6.1.7601]

        A DESCRIPTION OF THE PROBLEM :
        Server account has constrained delegation.
        After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential.
        Then, trying to use that GSSCredential to create another GSSContext and calling GSSContext.initSecContext produces the following exception:
        ...
        Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match))
          at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368)
          ... 404 more
        Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
          ... 408 more
        Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
          at sun.security.krb5.KrbCred.<init>(Unknown Source)
          at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
          ... 412 more

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Server account has constrained delegation.
        After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential.
        Then, try to use that GSSCredential to create another GSSContext, and call GSSContext.initSecContext.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        expected GSSContext.initSecContext to be successful.
        ACTUAL -
        saw an exception
        ...
        Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match))
          at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368)
          ... 404 more
        Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
          at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
          at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
          ... 408 more
        Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
          at sun.security.krb5.KrbCred.<init>(Unknown Source)
          at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
          ... 412 more

        REPRODUCIBILITY :
        This bug can be reproduced always.

        CUSTOMER SUBMITTED WORKAROUND :
        I patched KrbCred.java by removing the following check:
         /*
                if (!serviceTicket.getClient().equals(client))
                    throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                        "Client principal does not match");
                */

        and I was able to proceed.
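
        The reproduction steps above as a Java sketch, added here for illustration and not taken from the reporter's code or from the JDK. The class name, method name and backend service name are hypothetical; it assumes the code runs under the service account's JAAS login in a realm where constrained delegation is configured, and that credential delegation is requested on the outbound context, which the KrbCred frames in the trace suggest but the report does not state.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added illustration; class and method names are hypothetical.
public class S4U2ProxyRepro {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * @param clientToken SPNEGO token received from the client
     * @param backendSpn  host-based backend name, e.g. "HTTP@backend.example.com" (placeholder)
     * @return the first SPNEGO token to send to the backend on the client's behalf
     */
    public static byte[] delegate(byte[] clientToken, String backendSpn) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid(SPNEGO_OID);

        // Step 1: accept the client's token using the service's default credentials.
        GSSContext accept = manager.createContext((GSSCredential) null);
        accept.acceptSecContext(clientToken, 0, clientToken.length);
        if (!accept.isEstablished()) {
            throw new IllegalStateException("multi-leg negotiation is not handled in this sketch");
        }

        // Step 2: obtain the delegated credential. Per the report, with constrained
        // delegation this GSSCredential wraps a Krb5ProxyCredential.
        GSSCredential delegated = accept.getDelegCred();
        if (delegated == null) {
            throw new IllegalStateException("no delegated credential for " + accept.getSrcName());
        }

        // Step 3: initiate SPNEGO to the backend as the client.
        GSSName backend = manager.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext init = manager.createContext(backend, spnego, delegated,
                GSSContext.DEFAULT_LIFETIME);
        // Assumption: delegation is requested, matching the KrbCred frames in the trace.
        init.requestCredDeleg(true);
        try {
            // On 8u5 the report sees "Client principal does not match" raised here.
            return init.initSecContext(new byte[0], 0, 0);
        } finally {
            init.dispose();
            accept.dispose();
        }
    }
}
```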

                People

                Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group