Java Security

Kerberos and Pre Windows 2000 login name

843811 Sep 6 2004 — edited Oct 26 2006
Hi,

kinit (and Krb5LoginModule) in JDK1.5.0 (and 1.4.2) are not able to get the TGT for
a principal when using the old (pre-Windows 2000) login name.

E.g.:

In Active Directory my user is holger.hartmann@MYCOMPANY.NET (LDAP attribute userPrincipalName),
the pre-Windows 2000 name is MYCOMPANY\hrhn (LDAP attribute sAMAccountName is hrhn).

If I do

kinit holger.hartmann@MYCOMPANY.NET all works fine.

If I do

kinit hrhn@MYCOMPANY.NET I get the following:

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:64)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:303)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:252)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:133)
at sun.security.krb5.internal.av.a(DashoA12275:58)
at sun.security.krb5.internal.av.<init>(DashoA12275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
... 4 more

The thing is that if I use MIT or Heimdal Kerberos on the client side it is possible to get the above-mentioned ticket.
So kinit in the JDK doesn't behave like MIT or Heimdal.

Any ideas?

Maybe it's only an encryption/decryption issue, because it seems that the Windows KDC is issuing a ticket,
otherwise (e.g. kinit with a non-existing username) I get the following:
Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:64)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:303)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:252)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:133)
at sun.security.krb5.internal.av.a(DashoA12275:58)
at sun.security.krb5.internal.av.<init>(DashoA12275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
... 4 more

Thanks,

-Holger
Locked on Nov 23 2006
Added on Sep 6 2004