Hello,
I'm trying to get a service ticket with GSS and I run into the error in the subject. I have code that works fine when the credentials are obtained with a JAAS callback, but the same code fails when I try to use the ticketCache.
The TGT obtained from the cache has to be different in some way from the one obtained with the JAAS login.
I have used kerbtray and the "key encryption type" for the TGT obtained with the login is null (etype 0). And this seems to be the problem in the output of the program (sun.security.krb5.internal.crypto.NullEType).
This is the log:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KinitOptions cache name is C:\Documents and Settings\userkrb\krb5cc_userkrb
Obtained TGT from LSA: Credentials:
client=userkrb
server=krbtgt/TESTCERBEROS.ES
authTime=20051031092155Z
startTime=20051031092155Z
endTime=20051031192155Z
renewTill=20051107092155Z
flags: RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 0
Principal is userkrb
Commit Succeeded
Credentials acquireServiceCreds: same realm
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.NullEType
KrbKdcReq send: kdc=10.0.11.132, port=88, timeout=30000, number of retries =3, #bytes=1224
KrbKdcReq send: #bytes read=109
KDCRep: init() encoding tag is 126 req type is 13
KRBError:
sTime is Mon Oct 31 11:55:10 CET 2005 1130756110000
suSec is 683854
error code is 14
realm is TESTCERBEROS.ES
sname is http/sunblade.testcerberos.es
GSSClient... GSS Exception No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
Client authentication deined...
I've tested it with 1.4 and 1.5, but I get the same problem. This is my code:
login:
    // Realm/KDC/JAAS configuration and Kerberos debug output
    System.setProperty("java.security.krb5.realm", "TESTCERBEROS.ES");
    System.setProperty("java.security.krb5.kdc", "10.0.11.132");
    System.setProperty("java.security.auth.login.config", "C:/Documents and Settings/userkrb/login.conf");
    System.setProperty("sun.security.krb5.debug", "true");
    System.setProperty("os.name", "Windows 2000");
    peerLC = new LoginContext("GSSClient", new TextCallbackHandler());
    peerLC.login();
    // When using the ticket cache, get the user name from the TGT
    java.util.Set principals = peerLC.getSubject().getPrincipals();
    java.util.Iterator iterador = principals.iterator();
    if (iterador.hasNext()) {
        KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
        clientName = principal.getName();
    }
    // Run the service-ticket code below as the authenticated subject
    return (GSSContext) Subject.doAs(peerLC.getSubject(), this);
Service ticket:
    GSSManager manager = GSSManager.getInstance();
    Oid kerberos = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism
    GSSName clientPeerName = manager.createName(clientName, GSSName.NT_USER_NAME);
    GSSName remotePeerName = manager.createName("http@sunblade", GSSName.NT_HOSTBASED_SERVICE);
    GSSCredential peerCredentials = manager.createCredential(clientPeerName, 10 * 60, kerberos, GSSCredential.INITIATE_ONLY);
    GSSContext peerContext = manager.createContext(remotePeerName, kerberos, peerCredentials, GSSContext.DEFAULT_LIFETIME);
    byte[] byteToken = new byte[0];
    byteToken = peerContext.initSecContext(byteToken, 0, byteToken.length); // requests the service ticket from the KDC
And conf file:
    GSSClient {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        doNotPrompt=true
        debug=true;
    };
Probably I'm missing something, but I don't know. Any help appreciated.
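An added example, not code from the original post: the same login-then-GSS flow, with a check of the cached TGT's session key type before any service ticket is requested. A session key type of 0 (the NullEType in the log above) means the TGT was loaded from the cache/LSA without its session key, so the program fails early with a clear message instead of the KDC's error 14. It assumes the "GSSClient" login.conf entry and the http@sunblade service name from the post; the class name TicketCacheCheck is made up.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TicketCacheCheck {
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5, as in the post

    // Returns the session key type of the TGT held by the subject. Type 0 is the "null" etype:
    // the TGT was loaded without its session key (what the post's log shows for the LSA ticket),
    // so any service-ticket request built on it is rejected by the KDC.
    static int tgtSessionKeyType(Subject subject) throws LoginException {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!t.getServer().getName().startsWith("krbtgt/")) continue;
            int etype = t.getSessionKeyType();
            if (etype == 0) {
                throw new LoginException("TGT for " + t.getClient() + " has no session key (etype 0): "
                        + "the cache/LSA did not export it, so no service ticket can be requested from it");
            }
            return etype;
        }
        throw new LoginException("subject holds no TGT");
    }

    public static void main(String[] args) throws Exception {
        // "GSSClient" is the login.conf entry from the post (useTicketCache=true, doNotPrompt=true),
        // so no callback handler is needed and nothing is prompted.
        LoginContext lc = new LoginContext("GSSClient");
        lc.login();
        Subject subject = lc.getSubject();
        KerberosPrincipal me = subject.getPrincipals(KerberosPrincipal.class).iterator().next();
        System.out.println("TGT session key etype: " + tgtSessionKeyType(subject)); // fails early, not at the KDC
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName client = mgr.createName(me.getName(), GSSName.NT_USER_NAME);
            GSSName service = mgr.createName("http@sunblade", GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = mgr.createCredential(client, GSSCredential.DEFAULT_LIFETIME,
                    KRB5_MECH, GSSCredential.INITIATE_ONLY);
            GSSContext ctx = mgr.createContext(service, KRB5_MECH, cred, GSSContext.DEFAULT_LIFETIME);
            return ctx.initSecContext(new byte[0], 0, 0); // first AP-REQ token for http/sunblade
        });
        System.out.println("initial context token: " + token.length + " bytes");
    }
}
```

Run it with the same java.security.krb5.realm, java.security.krb5.kdc and java.security.auth.login.config properties the post sets; on a host whose credential cache does export the TGT session key the check passes and the token is produced.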