
Java Security


Problem obtaining credentials from native ticket cache

843810 | Aug 18 2006, edited Aug 24 2006
Hello dear colleagues,

I ran into very strange behaviour using SSO. My test environment runs on WinXP SP2, JDK 1.5.0_04-b05.
The Kerberos configuration file is located in <JRE_HOME>\lib\security\krb5.conf and contains the following:
[libdefaults]
	default_realm = <MY_REALM>
	clockskew = 10000
[realms]
	<MY_REALM> = {
		kdc = <MY_KDC>
		default_domain = <MY_DOMAIN>
	}
[appdefaults]
	kinit = {
		renewable = true
		forwardable = true
	}
Login configuration:
SSOClient {
    com.sun.security.auth.module.Krb5LoginModule Required 
    debug=true
    doNotPrompt=false
    useTicketCache=true
    useDefaultCcache=true
    renewTGT=true;
};
The KerbTray tool outputs the following information:

Client name: <MY_PRINCIPAL_NAME>@<MY_REALM>
Service name: krbtgt/<MY_REALM>@<MY_REALM>

Start time: 08/18/2006 10:30
End time: 08/18/2006 11:30
Renew Until: 08/25/2006 10:30

BUT! When the application tries to log in, Kerberos outputs the following:
KinitOptions cache name is C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME>
Acquire default native Credentials
Credentials: client=<MY_PRINCIPAL_NAME>@<MY_REALM> server=krbtgt/<MY_REALM>@<MY_REALM> authTime=20060818073024Z startTime=20060818073024Z endTime=20060818083024Z renewTill=20060825073024Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 3
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME>
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
client=<MY_PRINCIPAL_NAME>@<MY_REALM> server=krbtgt/<MY_REALM>@<MY_REALM> authTime=20060818073024Z startTime=20060818073024Z endTime=20060818083024Z renewTill=20060825073024Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 3
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 16.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=<MY_KDC> UDP:88, timeout=30000, number of retries =3, #bytes=1344
KDCCommunication: kdc=<MY_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=1344
KrbKdcReq send: #bytes read=1324
KrbKdcReq send: #bytes read=1324
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Ticket could not be renewed : Message stream modified (41)
Principal is null
null credentials from Ticket Cache
[Krb5LoginModule] user entered username: <MY_PRINCIPAL_NAME>
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.
principal is <MY_PRINCIPAL_NAME>@<MY_REALM>
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 54 B6 20 A7 64 04 1C 97
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 54 B6 20 A7 64 04 1C 97
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 8A DF 43 D6 29 20 F2 80 5E 29 85 E9 B9 4F 19 3E ..C.) ..^)...O.>
0010: 32 0E 2C 76 AE 91 25 AB
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=<MY_KDC> UDP:88, timeout=30000, number of retries =3, #bytes=245
KDCCommunication: kdc=<MY_KDC> UDP:88, timeout=30000,Attempt =1, #bytes=245
KrbKdcReq send: #bytes read=215
KrbKdcReq send: #bytes read=215
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
sTime is Fri Aug 18 11:11:55 CEST 2006 1155892315000
suSec is 310136
error code is 24
error Message is Pre-authentication information was invalid
realm is <MY_REALM>
sname is krbtgt/<MY_REALM>
eData provided.
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Remark: the file C:\Documents and Settings\yurtsevich\krb5cc_<MY_PRINCIPAL_NAME> does not exist, so I use the native ticket cache.

The registry key allowtgtsessionkey exists in the HKLM\System\CurrentControlSet\Control\Lsa\Kerberos section.

As you can see, in the Kerberos output the start time and end time differ from what KerbTray outputs (3 hours earlier). It IS very strange. I cannot understand this. Can anybody help me?

The second thing is: why is the TGT not renewed? What does this mean?
Ticket could not be renewed : Message stream modified (41)
I appreciate any help. Thanks in advance.
Post Details
Locked on Sep 21 2006
Added on Aug 18 2006
5 comments
506 views
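A small reader for the Krb5LoginModule debug output quoted in the post, added here as an example (it is not code from the post or from the JDK). It makes two things in that output visible: the times such as authTime=20060818073024Z are KerberosTime values in UTC (the trailing Z), while KerbTray shows local wall-clock time, so a constant offset between the two displays is a time-zone difference rather than a different ticket; and the numbers in parentheses are standard RFC 4120 error codes (41 is KRB_AP_ERR_MODIFIED, 24 is KDC_ERR_PREAUTH_FAILED). It also flags the EncryptionKey lines, because with debug=true the login module prints the keys it derives from the account password, and those lines should be redacted before a debug log is pasted anywhere. The sample log, the user name, the key bytes and the UTC+3 offset (the one that reproduces the 3-hour gap described in the post) are all assumptions made for the example.

```python
"""Read Krb5LoginModule debug output (debug=true), normalise the ticket times,
decode the numeric error codes and flag the lines that leak key material.
Added example for this thread; not code from the original post."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the debug output in the post. The realm and
# principal placeholders are kept as the poster wrote them; the key bytes are
# made up so that no real key material is reproduced here.
SAMPLE_LOG = """\
KinitOptions cache name is C:\\Documents and Settings\\user\\krb5cc_user
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
client=user@<MY_REALM> server=krbtgt/<MY_REALM>@<MY_REALM> authTime=20060818073024Z startTime=20060818073024Z endTime=20060818083024Z renewTill=20060825073024Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 3
Ticket could not be renewed : Message stream modified (41)
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 00 11 22 33 44 55 66 77
KRBError:
error code is 24
error Message is Pre-authentication information was invalid
[Krb5LoginModule] authentication failed Pre-authentication information was invalid (24)
"""

# Error codes from RFC 4120 section 7.5.9 (only the ones worth recognising here).
ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    18: "KDC_ERR_CLIENT_REVOKED", 24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
}
# Encryption type numbers from RFC 3961, 3962 and 4757; 1 and 3 are single DES.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 3}

KERBEROS_TIME = re.compile(r"^(\d{14})Z$")
CRED_FIELD = re.compile(r"(\w+)=(\S+)")
ERROR_CODE = re.compile(r"error code is (\d+)|\((\d+)\)\s*$")
ETYPE = re.compile(r"EType \(int\): (\d+)")


def parse_kerberos_time(value):
    """KerberosTime (RFC 4120 GeneralizedTime) is always UTC, hence the Z."""
    m = KERBEROS_TIME.match(value)
    if not m:
        raise ValueError(f"not a KerberosTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def kerbtray_view(dt_utc, utc_offset_hours):
    """Render a UTC instant as local wall-clock time, the way KerbTray shows it."""
    local = dt_utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%m/%d/%Y %H:%M")


def parse_credentials(line, utc_offset_hours):
    """Pull client, server, flags, etype and times out of a Credentials line."""
    head, _, tail = line.partition(" flags: ")
    fields = dict(CRED_FIELD.findall(head))
    flags = tail.split(" EType")[0].split(";") if tail else []
    etype_match = ETYPE.search(line)
    etype = int(etype_match.group(1)) if etype_match else None
    times = {k: parse_kerberos_time(fields[k])
             for k in ("authTime", "startTime", "endTime", "renewTill") if k in fields}
    return {
        "client": fields.get("client"),
        "server": fields.get("server"),
        "flags": flags,
        "renewable": "RENEWABLE" in flags,
        "etype": ETYPE_NAMES.get(etype, str(etype)),
        "weak_etype": etype in WEAK_ETYPES,
        "start_utc": times["startTime"].isoformat(),
        "start_local": kerbtray_view(times["startTime"], utc_offset_hours),
        "end_local": kerbtray_view(times["endTime"], utc_offset_hours),
        "renew_until_local": (kerbtray_view(times["renewTill"], utc_offset_hours)
                              if "renewTill" in times else None),
        "lifetime_minutes": int((times["endTime"] - times["startTime"]).total_seconds() // 60),
    }


def analyze(log, utc_offset_hours):
    """Walk the debug output once and build a small report."""
    report = {"tickets": [], "errors": [], "key_leak_lines": []}
    seen = set()
    for number, line in enumerate(log.splitlines(), 1):
        if "client=" in line and "server=" in line:
            report["tickets"].append(parse_credentials(line, utc_offset_hours))
        m = ERROR_CODE.search(line)
        if m:
            code = int(m.group(1) or m.group(2))
            if code not in seen:
                seen.add(code)
                report["errors"].append((code, ERROR_NAMES.get(code, "unknown")))
        # Krb5LoginModule prints the keys it derives from the password; these
        # lines must be redacted before a debug log is shared anywhere.
        if "keyBytes (hex dump)" in line:
            report["key_leak_lines"].append(number)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG, 3), indent=2))
```

Run as-is it reports on the constructed sample; to use it on a real log, replace SAMPLE_LOG with the captured debug output and pass the workstation's UTC offset. With offset 3 the derived KerbTray-style times come out as 08/18/2006 10:30, 11:30 and 08/25/2006 10:30, the same values KerbTray shows in the post, which is the whole story behind the "3 hours earlier" question. The weak_etype flag is there because etypes 1 and 3 are single DES; a 2006-era XP domain handing out DES TGTs was normal, but a practitioner looking at the same output today should treat that as a finding in its own right.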