Java Security

GSSException: Failure unspecified at GSS-API level CheckSum Failed.

843810 Apr 9 2008 — edited May 19 2009
Dear Listers,

I am following the examples that are there on the JGSS website as below
[http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part2.html]

I am hitting a roadblock when executing the GssClient program.
The GssServer program works fine and it waits for the connection as follows:



C:\Documents and Settings\x_tadoor\Desktop\jaasacn\auth\Ex2>java -Djava.security.krb5.conf="krb5.conf" -Djava.security.auth.login.config=jaas-krb5.conf GssServer
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is sample.keytab refreshKrb5Config is false principal is x_tadoor tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Key for the principal x_tadoor@NET.PLM.EDS.COM not available in sample.keytab
Kerberos password for x_tadoor:
[Krb5LoginModule] user entered username: x_tadoor


principal is x_tadoor@NET.PLM.EDS.COM
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 12 5C F0 4E C0 6F 2E CD
97 5B E5 3B 91 B2 9D ..\.N.o...[.;...


EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E2 21 94 7E F9 30 9D EF E1
E7 45 BC EB 83 5E DC .!...0....E...^.


EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 31 D3 BA 37 DA 40 FD 8F 37
29 F8 46 CE BA FD 3E 1..7.@..7).F...>
0010: 29 45 2F 3B 79 1C 86 FD
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: D3 0D B3 BA 0B 0D 68 25
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: D3 0D B3 BA 0B 0D 68 25
Added server's keyKerberos Principal x_tadoor@NET.PLM.EDS.COMKey Version 0key En
cryptionKey: keyType=17 keyBytes (hex dump)=
0000: D8 12 5C F0 4E C0 6F 2E CD 97 5B E5 3B 91 B2 9D ..\.N.o...[.;...



[Krb5LoginModule] added Krb5Principal x_tadoor@NET.PLM.EDS.COM
to Subject
Added server's keyKerberos Principal x_tadoor@NET.PLM.EDS.COMKey Version 0key En
cryptionKey: keyType=23 keyBytes (hex dump)=
0000: E2 21 94 7E F9 30 9D EF E1 E7 45 BC EB 83 5E DC .!...0....E...^.



[Krb5LoginModule] added Krb5Principal x_tadoor@NET.PLM.EDS.COM
to Subject
Added server's keyKerberos Principal x_tadoor@NET.PLM.EDS.COMKey Version 0key En
cryptionKey: keyType=16 keyBytes (hex dump)=
0000: 31 D3 BA 37 DA 40 FD 8F 37 29 F8 46 CE BA FD 3E 1..7.@..7).F...>
0010: 29 45 2F 3B 79 1C 86 FD


[Krb5LoginModule] added Krb5Principal x_tadoor@NET.PLM.EDS.COM
to Subject
Added server's keyKerberos Principal x_tadoor@NET.PLM.EDS.COMKey Version 0key En
cryptionKey: keyType=3 keyBytes (hex dump)=
0000: D3 0D B3 BA 0B 0D 68 25


[Krb5LoginModule] added Krb5Principal x_tadoor@NET.PLM.EDS.COM
to Subject
Added server's keyKerberos Principal x_tadoor@NET.PLM.EDS.COMKey Version 0key En
cryptionKey: keyType=1 keyBytes (hex dump)=
0000: D3 0D B3 BA 0B 0D 68 25


[Krb5LoginModule] added Krb5Principal x_tadoor@NET.PLM.EDS.COM
to Subject
Commit Succeeded

Authenticated principal: [x_tadoor@NET.PLM.EDS.COM]
Waiting for incoming connection...

I launch another command prompt for the same and run the client:

The client runs and authenticates my login

C:\Documents and Settings\x_tadoor\Desktop\jaasacn\auth\Ex2\Client>java -Djava.security.krb5.conf="krb5.conf" -Djava.security.auth.login.config=jaas-krb5.conf GssClient host hyi3w224
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is x_tadoor tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos password for x_tadoor:
[Krb5LoginModule] user entered username: x_tadoor


Acquire TGT using AS Exchange
principal is x_tadoor@NET.PLM.EDS.COM
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 12 5C F0 4E C0 6F 2E CD
97 5B E5 3B 91 B2 9D ..\.N.o...[.;...


EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E2 21 94 7E F9 30 9D EF E1
E7 45 BC EB 83 5E DC .!...0....E...^.


EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 31 D3 BA 37 DA 40 FD 8F 37
29 F8 46 CE BA FD 3E 1..7.@..7).F...>
0010: 29 45 2F 3B 79 1C 86 FD
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: D3 0D B3 BA 0B 0D 68 25
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: D3 0D B3 BA 0B 0D 68 25
Commit Succeeded


Authenticated principal: [x_tadoor@NET.PLM.EDS.COM]
Connected to address hyi3w224/146.122.157.102
Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at Jaas.loginAndAction(Jaas.java:94)
    at GssClient.main(GssClient.java:97)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:168)
    at java.net.SocketInputStream.read(SocketInputStream.java:182)
    at java.io.DataInputStream.readInt(DataInputStream.java:370)
    at GssClient$GssClientAction.run(GssClient.java:190)
    ... 4 more



On the server side, the GssServer gets the connection from the client:

Got connection from client /146.122.157.102
Checksum failed !
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at Jaas.loginAndAction(Jaas.java:94)
    at GssServer.main(GssServer.java:87)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at GssServer$GssServerAction.run(GssServer.java:160)
    ... 4 more
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 7 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 13 more

and the connection fails....

I would like to mention that I am on Windows XP Professional and trying to authenticate the same with the ADS of my domain. I am pasting the KRB5.conf file details as below.



#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)krb5.conf 1.3 04/03/25 SMI"
#
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
    default_realm = NET.PLM.EDS.COM
    forwardable = true
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    NET.PLM.EDS.COM = {
        kdc = inpndplm002
        kdc = ussvdplm001
        admin_server = inpndplm002
    }

[domain_realm]
    .net.plm.eds.com = NET.PLM.EDS.COM

[logging]
    default = c:\kdc.log
    kdc = c:\kdc.log
    kdc_rotate = {
        # How often to rotate kdc.log. Logs will get rotated no more
        # often than the period, and less often if the KDC is not used
        # frequently.
        period = 1d
        # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
        versions = 10
    }

[appdefaults]
    gkadmin = {
        help_url = http://localhost:8888/ab2/coll.384.1/SEAM
    }
    kinit = {
        renewable = true
        forwardable= true
    }
    rlogin = {
        forwardable= true
    }
    rsh = {
        forwardable= true
    }
    telnet = {
        autologin = true
        forwardable= true
    }



I have replaced the same in the KRB5.ini file under c:\windows of my machine.
I have checked the plain configuration of the Part 1 and they work fine, I would really be grateful if anyone from the forum can help me out on the same.

I have also checked the code on the tutorials and they also work fine and I am getting this error only when I am performing this exercise... Please help me on the same!

Best Regards
Vilas

Post Details
Locked on Jun 16 2009
Added on Apr 9 2008
9 comments
17,740 views
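
An added triage check, not part of the original post or of the JGSS tutorial code: it reads excerpts of the acceptor output and the client command line shown above and flags the conditions visible in them (key missing from the keytab, acceptor keys taken from a typed password, acceptor principal different from the service the client names, ticket decryption failing in KrbApReq.authenticate). It assumes the client's two arguments are a service name and a host that map to the principal service/host; the contrast log and the finding labels are constructed.

```python
import re

# Excerpts of the post's console output with the 80-column wrapping undone.
SERVER_LOG = """\
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is sample.keytab
Key for the principal x_tadoor@NET.PLM.EDS.COM not available in sample.keytab
Kerberos password for x_tadoor:
principal is x_tadoor@NET.PLM.EDS.COM
Caused by: KrbException: Checksum failed
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
"""
CLIENT_CMD = ('java -Djava.security.krb5.conf="krb5.conf" '
              '-Djava.security.auth.login.config=jaas-krb5.conf GssClient host hyi3w224')
# Constructed contrast case: acceptor logged in from a keytab as the service principal.
CLEAN_LOG = """\
Debug is true storeKey true useKeyTab true isInitiator false KeyTab is sample.keytab
principal is host/hyi3w224@NET.PLM.EDS.COM
Commit Succeeded
"""


def triage(server_log, client_cmd):
    """Return (acceptor, target, findings) for one acceptor log and client command."""
    findings = []
    m = re.search(r"^principal is (\S+?)@\S+$", server_log, re.M)
    acceptor = m.group(1) if m else None
    # Assumption: the client's two arguments are <service> <host>, which a
    # host-based GSS name maps to the Kerberos principal service/host.
    m = re.search(r"\bGssClient\s+(\S+)\s+(\S+)", client_cmd)
    target = f"{m.group(1)}/{m.group(2)}" if m else None
    if re.search(r"Key for the principal \S+ not available in \S+", server_log):
        findings.append("keytab-miss")
    if "isInitiator false" in server_log and "Kerberos password for" in server_log:
        findings.append("acceptor-key-from-password")
    if acceptor and target and acceptor.lower() != target.lower():
        findings.append("acceptor-not-target-principal")
    if "Checksum failed" in server_log and "KrbApReq.authenticate" in server_log:
        findings.append("ticket-decrypt-failed")
    return acceptor, target, findings


if __name__ == "__main__":
    for name, log in (("post", SERVER_LOG), ("contrast", CLEAN_LOG)):
        acceptor, target, findings = triage(log, CLIENT_CMD)
        print(f"{name}: acceptor={acceptor} target={target} findings={findings}")
```

A ticket issued for one principal is encrypted under that principal's key, so an acceptor holding another principal's key cannot decrypt it; the last two findings appearing together point at that condition.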