
Java Security


Kerberos Configuration Issues: Server prompts for password

843810, Feb 15 2007 — edited Jan 22 2008
I'm trying to write a Java Servlet Filter to perform Kerberos authentication through SPNEGO. I'm working with a Windows 2003 Server (Enterprise Edition), but I keep getting prompted for the password. This obviously won't do for a server program, so I'm trying to figure out a way around entering the password each time the program starts up.

Here's my (simplified) code:
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

GSSManager m_manager = GSSManager.getInstance();
Oid l_spnegoOid = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
GSSCredential m_serverCreds = m_manager.createCredential(null,
        GSSCredential.DEFAULT_LIFETIME, l_spnegoOid, GSSCredential.ACCEPT_ONLY);
I'm calling java with these arguments:
-Djava.security.auth.login.config=C:\spnegoLogin.conf 
-Dsun.security.krb5.debug=true 
-Djavax.security.auth.useSubjectCredsOnly=false 
-Dsun.security.spnego.debug=true
My conf file looks like this:
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        // The JAAS config parser treats a backslash inside a quoted string as an
        // escape character, so "C:\test.keytab" is read as "C:<TAB>est.keytab".
        // Double the backslashes (or use forward slashes) in Windows paths.
        principal="HTTP/files.xythosps.com"
        keyTab="C:\\test.keytab"
        ticketCache="C:\\Documents and Settings\\files\\krb5cc_files"
        useTicketCache=true
        useKeyTab=true
        storeKey=true;
};
The debug output looks like this. Notice the second line, where I'm prompted for the password:
Config name: C:\WINDOWS\krb5.ini
Kerberos password for HTTP/files.xythosps.com:
default etypes for default_tkt_enctypes: 1.
default etypes for default_tkt_enctypes: 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=xythosps.com UDP:88, timeout=30000, number of retries =3, #bytes=155
KDCCommunication: kdc=xythosps.com UDP:88, timeout=30000,Attempt =1, #bytes=155
KrbKdcReq send: #bytes read=635
KrbKdcReq send: #bytes read=635
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 1ca9f464
crc32: 11100101010011111010001100100
KrbAsRep cons in KrbAsReq.getReply HTTP/files.xythosps.com
default etypes for default_tkt_enctypes: 1. Found key for HTTP/files.xythosps.com@XYTHOSPS.COM(1)
And I created my principal and keytab like so:
C:\Program Files\Support Tools>setspn.exe -A HTTP/files.xythosps.com@XYTHOSPS.COM files
Registering ServicePrincipalNames for CN=files,CN=Users,DC=xythosps,DC=com
        HTTP/files.xythosps.com@XYTHOSPS.COM
Updated object

C:\Program Files\Support Tools>setspn.exe -L files
Registered ServicePrincipalNames for CN=files,CN=Users,DC=xythosps,DC=com:
    HTTP/files.xythosps.com@XYTHOSPS.COM
    
C:\Program Files\Support Tools>ktpass.exe -princ HTTP/files.xythosps.com@XYTHOSPS.COM -pass welcome -mapuser files -out C:\test.keytab -crypto DES-CBC-CRC
Targeting domain controller: ssoserver.xythosps.com
Using legacy password setting method
Successfully mapped HTTP/files.xythosps.com to files.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to C:\test.keytab:
Keytab version: 0x502
keysize 63 HTTP/files.xythosps.com@XYTHOSPS.COM ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x1 (DES-CBC-CRC) keylength 8 (0x9d67c243ad029246)

C:\Program Files\Java\jdk1.6.0\bin>kinit.exe -k -t C:\test.keytab HTTP/files.xythosps.com@XYTHOSPS.COM
New ticket is stored in cache file C:\Documents and Settings\files\krb5cc_files
To make things simple I'm running this as the actual user the Service Principal is associated with.
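As an added illustration (not code from the original post), the acceptor credential can be obtained by running the JAAS login for the `com.sun.security.jgss.accept` entry explicitly, with a CallbackHandler that refuses to prompt: a server whose keytab or ticket cache cannot be read then fails at startup with a LoginException that names the cause, instead of hanging on a console password prompt. It assumes Java 8 or later and the same JAAS configuration file; the class and method names are hypothetical.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical helper: explicit keytab login for a SPNEGO acceptor.
public class SpnegoAcceptorBootstrap {

    // A service must never block on a console prompt. Refusing every callback
    // turns "keytab not usable" into a LoginException at startup.
    static final CallbackHandler NO_PROMPT = callbacks -> {
        throw new UnsupportedCallbackException(callbacks[0],
                "Krb5LoginModule asked for a password: keyTab/ticketCache not usable");
    };

    public static GSSCredential acquireAcceptorCredential()
            throws LoginException, GSSException {
        // Same JAAS entry name that JGSS looks up implicitly when
        // -Djavax.security.auth.useSubjectCredsOnly=false is set.
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept", NO_PROMPT);
        lc.login(); // reads the keytab; storeKey=true keeps the long-term key in the Subject
        Subject serviceSubject = lc.getSubject();
        try {
            // Inside doAs, JGSS finds the keytab key in the Subject and does not
            // attempt a second, interactive login of its own.
            return Subject.doAs(serviceSubject, (PrivilegedExceptionAction<GSSCredential>) () -> {
                GSSManager manager = GSSManager.getInstance();
                Oid spnego = new Oid("1.3.6.1.5.5.2");
                return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                        spnego, GSSCredential.ACCEPT_ONLY);
            });
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getException(); // only GSSException is thrown inside
        }
    }

    public static void main(String[] args) throws Exception {
        GSSCredential cred = acquireAcceptorCredential();
        System.out.println("Acceptor credential for " + cred.getName()
                + ", remaining lifetime " + cred.getRemainingLifetime() + "s");
    }
}
```

Run it with the same -Djava.security.auth.login.config and -Dsun.security.krb5.debug=true flags as the filter; if the login fails, the LoginException message shows which of the keytab or ticket cache paths the module could not use.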
Post details: added on Feb 15 2007, locked on Feb 19 2008; 8 comments, 896 views.