
Java Security


Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed

843810 Mar 23 2009 — edited Apr 10 2011
Hi,

I failed to get Kerberos authentication across domains. I have User1 in REALMX. I have no problem getting authenticated to access http://machine1.REALMX.COM using use1.REALM.COM. However, if I want to access an http service in another domain (REALMY.COM), I got KrbException: Message stream modified.

Can someone shed light on it?

Thanks,
Frank Meng



I am running on Windows platform. All servers are windows servers.

This is my config file:

[libdefaults]
    default_realm = REALMX.COM
    udp_preference_limit = 1
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    REALMX.COM = {
        kdc = dc01.REALMX.COM
    }
    REALMY.COM = {
        kdc = dc02.REALMY.COM
    }

[domain_realm]
    .REALMX.COM = REALMX.COM
    .REALMY.COM = REALMY.COM

[capaths]
    REALMY.COM = {
        REALMX.COM = .
    }
    REALMX.COM = {
        REALMY.COM = .
    }

JAAS login configuration:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        client=TRUE
        debug=true;
};

Log:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: user1@REALMX.COM

default etypes for default_tkt_enctypes: 1.
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dc01@REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=140
DEBUG: TCPClient reading 181 bytes
KrbKdcReq send: #bytes read=181
KrbKdcReq send: #bytes read=181
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Mon Mar 23 16:31:53 EDT 2009 1237840313000
suSec is 853386
error code is 25
error Message is Additional pre-authentication required
realm is REALMX.COM
sname is krbtgt/REALMX.COM
eData provided.
msgType is 30
Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 1
Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 1.
Pre-Authentication: Set preferred etype = 1
Updated salt from pre-auth = REALMX.COMUser1
KrbAsReq salt is REALMX.COMUser1
Pre-Authenticaton: find key for etype = 1
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 8b192af0
crc32: 10001011000110010010101011110000
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dc01. REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=214
DEBUG: TCPClient reading 1941 bytes
KrbKdcReq send: #bytes read=1941
KrbKdcReq send: #bytes read=1941
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: aaa8b968
crc32: 10101010101010001011100101101000
KrbAsRep cons in KrbAsReq.getReply user1
default etypes for default_tkt_enctypes: 1.
principal is user1@REALMX.COM
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 2A CE 5E 91 CE EF 16 DA
Commit Succeeded

Found ticket for user1@REALMX.COM to go to krbtgt/COM@REALMX.COM expiring on Tue Mar 24 02:31:53 EDT 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 1.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 18f0044
crc32: 1100011110000000001000100
KrbKdcReq send: kdc=torgdcw01.PROD.QUEST.CORP TCP:88, timeout=30000, number of retries =3, #bytes=1919
DEBUG: TCPClient reading 1866 bytes
KrbKdcReq send: #bytes read=1866
KrbKdcReq send: #bytes read=1866
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 4b85af36
crc32: 1001011100001011010111100110110
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:48)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:79)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
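As an added example (not from the post or the JDK), a small Python check for a krb5.conf like the one above: it parses the file, resolves the [capaths] route between two realms (a "." entry means direct trust, a missing entry means the library falls back to a hierarchical walk) and flags deprecated enctypes such as des-cbc-crc and one-way capaths. The embedded conf is a constructed excerpt of the post's file.

```python
# Constructed excerpt of the krb5.conf in the post (REALMX/REALMY as given there).
KRB5_CONF = """[libdefaults]
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[capaths]
REALMY.COM = {
REALMX.COM = .
}
REALMX.COM = {
REALMY.COM = .
}"""

# DES and RC4 enctypes are deprecated for Kerberos (RFC 6649 / RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "rc4-hmac", "arcfour-hmac"}

def parse_krb5_conf(text):
    """Parse [section] blocks and one level of 'name = { ... }' subsections."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            sub = None
        elif line.endswith("{"):          # start of 'REALM = {' subsection
            sub = line[:-1].split("=", 1)[0].strip()
            conf[section][sub] = {}
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            (conf[section][sub] if sub else conf[section])[key] = value
    return conf

def capath(conf, client_realm, server_realm):
    """[] = direct trust ('.'), [hop] = via an intermediate realm, None = no explicit path."""
    hop = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    return None if hop is None else ([] if hop == "." else [hop])

def lint(conf):
    findings = []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for et in conf.get("libdefaults", {}).get(key, "").split():
            if et in WEAK_ENCTYPES:
                findings.append(f"{key}: deprecated enctype {et}")
    paths = conf.get("capaths", {})
    for src, targets in paths.items():      # each trust direction needs its reverse
        for dst in targets:
            if src not in paths.get(dst, {}):
                findings.append(f"capaths: {src} -> {dst} has no reverse entry")
    return findings
```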
Locked on May 8 2011
Added on Mar 23 2009