Hi!
Running the examples from http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab works fine for me as long as I use the Kerberos test realm I have set up on a Unix machine. But when I run the same classes against our Active Directory, the client spills a stack trace indicating that AD cannot find the server in its database. But it actually is in that database, as the sample server can perfectly authenticate as exactly that principal!
Enabling all security-related debug info I could find, this is the client dump:
$ java -Djava.security.auth.login.config=jaas-krb5.conf
-Djava.security.krb5.kdc=##KDC##
-Djava.security.krb5.realm=##REALM##
-Dsun.security.jgss.debug=true
-Dsun.security.krb5.debug=true
-Djava.security.debug="logincontext,policy,scl,gssloginconfig"
GssClient host ##SERVER##
scl: getPermissions ProtectionDomain (file:/xxxxx/ <no signer certificates>)
sun.misc.Launcher$AppClassLoader@11b86e7
<no principals>
java.security.Permissions@1a46e30 (
(java.io.FilePermission \xxxxx\- read)
(java.lang.RuntimePermission exitVM)
)
scl:
Debug is true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is xxxxx tryFirstPass is true useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\xxxxx
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
client=##USER##@##REALM##
server=krbtgt/##REALM##@##REALM##
authTime=20070705103930Z
startTime=20070705103930Z
endTime=20070705203930Z
renewTill=20070712103930Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is ##USER##@##REALM##
[Krb5LoginModule] authentication succeeded
[LoginContext]: login success
Commit Succeeded
[LoginContext]: commit success
Authenticated principal: [##USER##@##REALM##]
Connected to address ##SERVER##/xxxxx
xxxxx
create server name with host@##SERVER##
Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul 05 20:39:30 GMT 2007
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul 05 20:39:30 GMT 2007
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=##KDC## UDP:88, timeout=30000, number of retries =3, #bytes=1328
KDCCommunication: kdc=##KDC## UDP:88, timeout=30000,Attempt =1, #bytes=1328
KrbKdcReq send: #bytes read=101
KrbKdcReq send: #bytes read=101
KDCRep: init() encoding tag is 126 req type is 13
KRBError:
sTime is Thu Jul 05 14:43:05 GMT 2007 1183646585000
suSec is 487997
error code is 7
error Message is Server not found in Kerberos database
realm is ##REALM##
sname is host/##SERVER##
msgType is 30
KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at GssClient$GssClientAction.run(GssClient.java:171)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at Jaas.loginAndAction(Jaas.java:94)
at GssClient.main(GssClient.java:97)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 13 more
Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at Jaas.loginAndAction(Jaas.java:94)
at GssClient.main(GssClient.java:97)
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at GssClient$GssClientAction.run(GssClient.java:171)
... 4 more
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.init(Unknown Source)
at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
... 13 more
Why is AD claiming in the KRBError that it can't find an sname/realm which exactly matches the principal it accepted for the server? This totally confuses me! Can anyone please shed some light on this?
Regards
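Added triage helper, not part of the post above: a Python parser for the fields of the sun.security.krb5.debug output quoted in it. It maps the numeric KRBError code to its RFC 4120 name and checks whether the sname the KDC rejected is the Kerberos form of the GSS host-based name the client built. The sample log is constructed with example.com names.

```python
import re

# KDC error codes from RFC 4120 section 7.5.9 (subset).
KRB_ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
                   68: "KDC_ERR_WRONG_REALM"}

# Constructed excerpt in the shape of -Dsun.security.krb5.debug=true output (not from the post).
SAMPLE_LOG = """\
Principal is alice@EXAMPLE.COM
create server name with host@fileserver.example.com
KrbKdcReq send: kdc=dc1.example.com UDP:88, timeout=30000, number of retries =3, #bytes=1328
KrbKdcReq send: #bytes read=101
KRBError:
sTime is Thu Jul 05 14:43:05 GMT 2007 1183646585000
error code is 7
error Message is Server not found in Kerberos database
realm is EXAMPLE.COM
sname is host/fileserver.example.com
msgType is 30
KrbException: Server not found in Kerberos database (7)
"""

def gss_name_to_sname(gss_name):
    """A GSS host-based name 'service@host' is requested from the KDC as principal 'service/host'."""
    service, sep, host = gss_name.partition("@")
    return f"{service}/{host}" if sep else gss_name

def parse_krb5_debug(log):
    """Extract client principal, requested GSS name, KDC address and KRBError fields from the log."""
    result = {}
    for key, pattern in (("client", r"^Principal is (\S+)$"),
                         ("gss_name", r"^create server name with (\S+)$"),
                         ("kdc", r"^KrbKdcReq send: kdc=(\S+) ")):
        m = re.search(pattern, log, re.M)
        result[key] = m.group(1) if m else None
    # The KRBError block is a run of "<field> is <value>" lines after the "KRBError:" header.
    err = {}
    block = re.search(r"^KRBError:\n((?:\S.* is .*\n)+)", log, re.M)
    if block:
        for line in block.group(1).splitlines():
            field, _, value = line.partition(" is ")
            err[field] = value
        err["error name"] = KRB_ERROR_CODES.get(int(err.get("error code", -1)), "UNKNOWN")
        # Did the KDC reject exactly the principal the GSS layer asked for?
        err["sname matches request"] = err.get("sname") == gss_name_to_sname(result["gss_name"] or "")
    result["krb_error"] = err
    return result
```

Run it over a captured client dump to see at a glance which principal the TGS-REQ asked for and which realm answered, before comparing against the service account's registered names.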