
Java Security

[Krb5LoginModule] authentication failed against Active Directory

843810, Jul 2 2008 — edited Aug 14 2008
Hello,

I'm developing an SSO solution for 'coursewizard', a Servlet webapp run on Tomcat.

We're using Yale's Central Authentication Service (CAS), JAAS and the Kerberos protocol to authenticate against a Windows Server 2003 Active Directory.

After making it over various hurdles with setting up SSL, auth handler classes (KerberosAuthHandler, CASCallbackHandler), JAAS config and krb5 config, we find that our clients fail to authenticate.

We get this error message:

Acquire TGT using AS Exchange
[Krb5LoginModule] authentication failed
ad.ad.coursewizard.com: ad.ad.coursewizard.com

I can't find any info on what conditions would result in an authentication exception returning the KDC (Key Distribution Center) URL, or what this is trying to tell us.

The process that happens is:

When 'login()' is called on our LoginContext, Krb5LoginModule.attemptAuthentication(false) is called.

'principal' and 'encKey' values are set and are eventually used to set a 'cred' (Credentials) object.
Like this:
cred = Credentials.acquireTGT(principal, encKey)

This returns NULL and is handled by an IOException, which prints out the message we see.


Taking another approach, I obtained the JAAS sample code (JaasAcn.java), configured, compiled and attempted authentication via command line, rather than through the Servlet webapp with Tomcat, SSL and CAS.

I get the same IOException.


I put the JaasAcn sample on the Active Directory server to run it locally and it works. I get:

Commit Succeeded
Authentication succeeded!


One difference I noted in the console output between 'succeeded' and 'failed' is that there are more EncryptionKeys listed when 'succeeded'.

Both scenarios display keyType=3, keyType=1, and keyType=16, but 'succeeded' also lists keyType=23 and keyType=17.

I don't know what the significance of this difference is though.


I've tried various configuration commands with the ksetup and ktab utilities on the AD server, and also installing ksetup on a Win XP client and configuring it to log on to a Kerberos realm rather than a Windows domain, but I get a 'domain not available' error with that.


We think that we should not have to configure the clients, since they will be using a webapp in a browser, and not necessarily always from a Windows box.

What do I have to configure to make the JaasAcn sample authenticate from a client XP box?

What do I have to configure to make my Servlet webapp authenticate against Active Directory using JAAS and Kerberos?


Regards,
Bob Van
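The keyType numbers the post compares are Kerberos encryption-type (etype) identifiers from the IANA Kerberos registry: 1 = des-cbc-crc, 3 = des-cbc-md5, 16 = des3-cbc-sha1, 17 = aes128-cts-hmac-sha1-96, 23 = rc4-hmac. In Krb5LoginModule debug output, the "EncryptionKey: keyType=N" lines after the password callback are the keys the JVM derived from the password, one per etype it is willing to offer in the AS-REQ. A client that only lists DES types (1, 3, 16) against an AD account whose key is stored for RC4/AES (23, 17) is one mismatch a practitioner would rule out first. The script below is an added example, not code from the original post or the JAAS samples: it parses two captured debug outputs (the sample text is constructed to mirror the post), reports which etypes each side showed, flags the DES-only case, and renders the `[libdefaults]` enctype lines for krb5.conf that would let the client offer the etypes seen on the working host. The hostname and log lines are assumptions for illustration.

```python
import re
from typing import Dict, Iterable, List, Set

# Kerberos encryption-type numbers (IANA Kerberos Parameters registry).
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
DES_FAMILY = {1, 3, 16}

# Constructed sample: Krb5LoginModule debug output on the failing client box.
FAILING_OUTPUT = """\
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
[Krb5LoginModule] authentication failed
ad.ad.coursewizard.com: ad.ad.coursewizard.com
"""

# Constructed sample: the same module run on the AD server itself, where it succeeds.
WORKING_OUTPUT = """\
Acquire TGT using AS Exchange
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 5F 03 AE 71 2D C4 88 19
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: A0 44 9C 0E F2 61 37 D8
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 13 8B 7A 2C 91 E6 40 5D
Commit Succeeded
Authentication succeeded!
"""

KEYTYPE_RE = re.compile(r"keyType=(\d+)")


def etypes_in(debug_output: str) -> Set[int]:
    """Collect every keyType=N that a Krb5LoginModule debug transcript mentions."""
    return {int(m.group(1)) for m in KEYTYPE_RE.finditer(debug_output)}


def etype_names(etypes: Iterable[int]) -> List[str]:
    """Map etype numbers to registry names, ordered by number; unknown ones keep the number."""
    return [ETYPE_NAMES.get(e, f"etype-{e}") for e in sorted(etypes)]


def diagnose(failing_output: str, working_output: str) -> dict:
    """Compare the etypes offered in a failing run with those seen in a working run.

    The mismatch is only flagged when the failing side offered nothing beyond the
    DES family and the working side showed at least one etype the failing side lacks.
    """
    failing = etypes_in(failing_output)
    working = etypes_in(working_output)
    missing = working - failing
    des_only = failing <= DES_FAMILY
    return {
        "failing": etype_names(failing),
        "working": etype_names(working),
        "missing_on_failing_host": etype_names(missing),
        "failing_host_offers_only_des": des_only,
        "suspect_etype_mismatch": bool(missing) and des_only,
    }


def krb5_enctype_lines(etypes: Iterable[int]) -> str:
    """Render krb5.conf [libdefaults] lines listing the given etypes, strongest first.

    Only etypes in ETYPE_NAMES are emitted; the keys Java honours here are
    default_tkt_enctypes (AS exchange) and default_tgs_enctypes (TGS exchange).
    """
    wanted = set(etypes)
    ordered = [ETYPE_NAMES[e] for e in (18, 17, 23, 16, 3, 1) if e in wanted]
    names = " ".join(ordered)
    return "\n".join([
        "[libdefaults]",
        f"    default_tkt_enctypes = {names}",
        f"    default_tgs_enctypes = {names}",
    ])


if __name__ == "__main__":
    report = diagnose(FAILING_OUTPUT, WORKING_OUTPUT)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["suspect_etype_mismatch"]:
        print("\nSuggested krb5.conf fragment for the failing host:")
        print(krb5_enctype_lines(etypes_in(WORKING_OUTPUT)))
```

The script only reads etype numbers out of the debug transcript; it does not talk to the KDC, so the conclusion it prints is a hypothesis to check, not proof. Two caveats apply to the krb5.conf fragment it renders: the JRE on the failing host must actually implement the etypes listed (to my knowledge rc4-hmac and the AES types arrived in Java SE 6, and aes256 additionally needed the unlimited-strength JCE policy files in that era), and the AD account's own "Use DES encryption types" setting decides which etypes the KDC will accept for that principal.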
Post Details
Locked on Sep 11 2008
Added on Jul 2 2008
10 comments
2,960 views