
Java Security


Getting started with HTTP Negotiate authentication

843810 · Jul 1 2009 — edited Oct 18 2009
Hi, I spent the better part of today struggling to get HTTP Negotiate authentication working using Java 6 and Windows 2008. Who can help me troubleshoot? The bottom line is that I get "Client not found in Kerberos database (6)".

This is what I have so far:

Browser configuration:
* requests include the "Authorization: Negotiate [base64data]" header

Server side configuration (the Active Directory and the web server are the same in my test setup)

* I created a user "testuser" and added an SPN like this:
setspn -A "HTTP/my.example.org:8888@MY.EXAMPLE.COM" testuser
I gave this user a password and unchecked 'must change password at first logon'
* The webserver (jetty) is started with the following system properties:
-Djava.security.krb5.conf=C:\test\krb5.conf -Djava.security.auth.login.config=C:\test\spnego.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.krb5.debug=true
* krb5.conf [contents omitted, lists the realm MY.EXAMPLE.COM with dc my.example.com]
* spnego.conf:
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true doNotPrompt=true debug=true storeKey=true
        useKeyTab=true keyTab="C:\test\test.keytab"
        principal="HTTP/my.example.com:8888@MY.EXAMPLE.COM";
};
* the test.keytab file was created like this:
ktpass /princ HTTP/my.example.com:8888@MY.EXAMPLE.COM /mapuser testuser /pass secret /ptype KRB5_NT_PRINCIPAL /out C:\test\test.keytab
Output on stdout:
Targeting domain controller: WIN-C9....my.example.com
Using legacy password setting method
Successfully mapped HTTP/my.example.com:8888 to testuser
Key created.
Server code:
* A bit of code that replies with a "WWW-Authenticate: Negotiate" header if no "Authorization" header is present
* Decoding of the WWW-Authorization header
* When the Authorization header is present, the following code executes:
        import org.ietf.jgss.GSSContext;
        import org.ietf.jgss.GSSCredential;
        import org.ietf.jgss.GSSManager;
        import org.ietf.jgss.Oid;

        // SPNEGO mechanism OID; the credential is acceptor-only (server side)
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSManager manager = GSSManager.getInstance();
        GSSCredential myCred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(myCred);

        //... (following code processes the base64 token from the "Authorization:" header)
When the createCredential method is called, I get an exception:
No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Client not found in Kerberos database (6)
Client not found in Kerberos database (6)
Identifier doesn't match expected value (906)

Message: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
Class: org.ietf.jgss.GSSException
Stacktrace:
    sun.security.jgss.krb5.Krb5AcceptCredential.getInstance (Krb5AcceptCredential.java:87)
    sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement (Krb5MechFactory.java:111)
    sun.security.jgss.GSSManagerImpl.getCredentialElement (GSSManagerImpl.java:178)
    sun.security.jgss.GSSManagerImpl.createCredential (GSSManagerImpl.java:139)
And the following output on stdout:
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:\test\spnego.keytab refreshKrb5Config is false principal is HTTP/my.example.com:8888@MY.EXAMPLE.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Users\Administrator\krb5cc_Administrator
DEBUG <CCacheInputStream> client principal is Administrator@MY.EXAMPLE.COM
DEBUG <CCacheInputStream> server principal is krbtgt/MY.EXAMPLE.COM@KRB.DAISYCMS.ORG
DEBUG <CCacheInputStream> key type: 3
DEBUG <CCacheInputStream> auth time: Wed Jul 01 17:34:26 CEST 2009
DEBUG <CCacheInputStream> start time: Wed Jul 01 17:34:26 CEST 2009
DEBUG <CCacheInputStream> end time: Thu Jul 02 03:34:26 CEST 2009
DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /10.0.2.15 Host address is /10.0.1.1 Host address is /fe80:0:0:0:b5cb:9aa2:dcd8:56e1
DEBUG <CCacheInputStream>
KrbCreds found the default ticket granting ticket in credential cache.
LSA contains TGT for Administrator@MY.EXAMPLE.COM not HTTP/my.example.com:8888@MY.EXAMPLE.COM
Principal is HTTP/my.example.com:8888@MY.EXAMPLE.COM null credentials from Ticket Cache
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com
KeyTab: load() entry length: 73; type: 23
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com:8888
KeyTab: load() entry length: 78; type: 17
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com:8888
KeyTab: load() entry length: 78; type: 23
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com:8888
KeyTab: load() entry length: 86; type: 16
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com:8888
KeyTab: load() entry length: 70; type: 3
KeyTabInputStream, readName(): MY.EXAMPLE.COM
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): my.example.com:8888
KeyTab: load() entry length: 70; type: 1
Added key: 1version: 1
Added key: 3version: 1
Added key: 16version: 1
Added key: 23version: 1
Added key: 17version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 23 16 3 1.
0: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
0000: 71 24 8F 4D 23 41 74 E6 77 20 74 5D E4 73 29 80  q$.M#At.w t].s).
1: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
0000: E3 97 4D 5E C4 48 3A FE 0D AC 92 98 13 61 EB 43  ..M^.H:......a.C
2: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
0000: F1 6D C8 D9 FE AD 3B 49 BC B6 3B 0D CD 97 57 B6  .m....;I..;...W.
0010: 49 4F 1C E6 B0 2F 79 EF
3: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
0000: B9 43 7C 07 B9 A4 4F AD
4: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=
0000: B9 43 7C 07 B9 A4 4F AD
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 17 23 16 3 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=my.example.com UDP:88, timeout=30000, number of retries =3, #bytes=178
KDCCommunication: kdc=my.example.com UDP:88, timeout=30000,Attempt =1, #bytes=178
KrbKdcReq send: #bytes read=104
KrbKdcReq send: #bytes read=104
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Wed Jul 01 18:36:09 CEST 2009 1246466169000
suSec is 782414
error code is 6
error Message is Client not found in Kerberos database
realm is MY.EXAMPLE.COM
sname is krbtgt/MY.EXAMPLE.COM
msgType is 30
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
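Added example, not code from the original post: a complete acceptor for the flow the post describes (challenge with "WWW-Authenticate: Negotiate", decode the "Authorization: Negotiate" token, run the SPNEGO accept side with the keytab credential), written against the JDK's built-in com.sun.net.httpserver and JGSS. It assumes Java 8 or later (java.util.Base64), a krb5.conf for MY.EXAMPLE.COM passed via -Djava.security.krb5.conf, and a JAAS file passed via -Djava.security.auth.login.config that contains the entry shown in the leading comment. The host name, port, realm, account and keytab path are the post's own values. Two things are deliberately different from the post's setup: the login entry sets isInitiator=false, so Krb5LoginModule only loads the keytab keys and never runs the AS exchange for the service principal (an acceptor needs no TGT, and that AS exchange is the step that fails in the debug output above); and the code performs the JAAS login itself and runs the GSS-API calls inside Subject.doAs, so it does not rely on -Djavax.security.auth.useSubjectCredsOnly=false.

```java
// Added example, not code from the original post. Assumptions: Java 8+,
// -Djava.security.krb5.conf=<krb5.conf for MY.EXAMPLE.COM>, and
// -Djava.security.auth.login.config=<file holding this entry>:
//
//   com.sun.security.jgss.krb5.accept {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useKeyTab=true storeKey=true doNotPrompt=true isInitiator=false
//           keyTab="C:/test/test.keytab"
//           principal="HTTP/my.example.com:8888@MY.EXAMPLE.COM";
//   };
//
// isInitiator=false: this principal only accepts, so no AS exchange is run.
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;

public class NegotiateServer {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** One acceptor step: token to send back (may be empty) and peer name once established. */
    static final class Step {
        final byte[] outToken; final String peer;
        Step(byte[] outToken, String peer) { this.outToken = outToken; this.peer = peer; }
    }

    /** Run acceptSecContext with the service Subject's keytab keys in scope. */
    static Step accept(Subject service, final byte[] inToken) throws Exception {
        return Subject.doAs(service, new PrivilegedExceptionAction<Step>() {
            public Step run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSCredential cred = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(cred);
                try {
                    byte[] out = ctx.acceptSecContext(inToken, 0, inToken.length);
                    // Kerberos inside SPNEGO completes in this one call; a mechanism needing
                    // more legs would require keeping ctx per connection, which this does not do.
                    String peer = ctx.isEstablished() ? ctx.getSrcName().toString() : null;
                    return new Step(out == null ? new byte[0] : out, peer);
                } finally {
                    ctx.dispose();
                    cred.dispose();
                }
            }
        });
    }

    /** Send a response carrying WWW-Authenticate: Negotiate [base64 token]. */
    static void reply(HttpExchange ex, int status, byte[] token, String body) throws IOException {
        String challenge = token.length == 0 ? "Negotiate"
                : "Negotiate " + Base64.getEncoder().encodeToString(token);
        ex.getResponseHeaders().add("WWW-Authenticate", challenge);
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length);
        OutputStream os = ex.getResponseBody();
        os.write(bytes);
        os.close();
    }

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("com.sun.security.jgss.krb5.accept");
        lc.login();                                   // reads the keytab; no KDC traffic
        final Subject service = lc.getSubject();

        HttpServer server = HttpServer.create(new InetSocketAddress(8888), 0);
        server.createContext("/", new HttpHandler() {
            public void handle(HttpExchange ex) throws IOException {
                String auth = ex.getRequestHeaders().getFirst("Authorization");
                if (auth == null || !auth.regionMatches(true, 0, "Negotiate ", 0, 10)) {
                    reply(ex, 401, new byte[0], "Authentication required\n");   // first challenge
                    return;
                }
                try {
                    byte[] inToken = Base64.getDecoder().decode(auth.substring(10).trim());
                    Step step = accept(service, inToken);
                    if (step.peer != null) {
                        reply(ex, 200, step.outToken, "Hello " + step.peer + "\n");
                    } else {
                        reply(ex, 401, step.outToken, "Continue\n");   // mechanism wants another leg
                    }
                } catch (Exception e) {
                    reply(ex, 401, new byte[0], "Negotiate failed: " + e.getMessage() + "\n");
                }
            }
        });
        server.start();
    }
}
```

Two practical notes. The keytab path in the comment uses forward slashes because the JAAS config parser processes backslash escapes inside quoted strings, so "C:\test\test.keytab" is not read as the literal path. And the SPN the browser asks a ticket for must exist in the keytab: by default common browsers omit a non-standard port from the SPN and request HTTP/my.example.com rather than HTTP/my.example.com:8888, so the SPN registered with setspn, the principal in ktpass and the principal in the JAAS entry should all agree with what the browser actually sends (the posted keytab dump shows entries for both forms).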
Locked on Nov 15 2009
Added on Jul 1 2009