CFLDAP GSS-API

Anybody had any luck connecting to an AD Server via CFLDAP when it only appears to allow authentication using GSS-API?

I'm having almost the same problem.
I'm authenticating users against MS Active Directory: the Kerberos stuff works fine, but when I try to execute the LDAP query I get the following exception:
javax.naming.AuthenticationException: SASL authentication failed [Root exception is java.lang.IllegalAccessError: tried to access class sun.security.krb5.KrbKdcReq from class sun.security.krb5.internal.az]
at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:411)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
This error occurs only for a few users, while for others the code works perfectly.
I've tried using both Sun's JDK (1.4.2_08) and BEA JRockit with the same result.
Thanks in advance
Alberto

Similar Messages

  • GSS API failing with java 1.6 but working with java 1.5 in jboss 3.2.6

    18:05:08,210 INFO [STDOUT] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
    18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
    18:05:08,213 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
    18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.credentialForService(SSOTokenVerifier.java:324)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.initialize(SSOTokenVerifier.java:97)
    18:05:08,214 INFO [STDOUT]      at com.apple.ist.saci.iphonevpn.servlet.SACIIPhoneStartUpServlet.init(SACIIPhoneStartUpServlet.java:26)
    18:05:08,214 INFO [STDOUT]      at javax.servlet.GenericServlet.init(GenericServlet.java:256)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1029)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:862)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4013)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4357)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
    18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    18:05:08,214 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,215 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.init(StandardContext.java:5441)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
    18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeployInternal(TomcatDeployer.java:316)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeploy(TomcatDeployer.java:76)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.AbstractWebDeployer.start(AbstractWebDeployer.java:320)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startModule(WebModule.java:62)
    18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startService(WebModule.java:40)
    18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
    18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
    18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:62)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:54)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.invoke(Invocation.java:82)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:197)
    18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
    18:05:08,216 INFO [STDOUT]      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:884)
    18:05:08,216 INFO [STDOUT]      at $Proxy20.start(Unknown Source)
    18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
         at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)
         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:216)
         at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:131)
         at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:124)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
         at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
         at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
         at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)

    18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
    at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)

    It seems you are providing the username using a TextCallbackHandler (which is the default for GSS-API). This is OK if you are writing a console program and the user can type the name at a command-line prompt. If you are writing a server-side program there is no console, so you need to write your own CallbackHandler to provide the username.
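    As an added example of the fix the reply recommends (this is not code from this thread's posters, from JBoss or from the JDK), the handler below answers the JAAS name and password callbacks from values the server already holds, so TextCallbackHandler is never consulted, and then acquires the ACCEPT_ONLY GSS credential whose acquisition failed in the trace above. It goes one step beyond the reply by showing that acceptor step. The class names, the JAAS entry name ServiceLogin and the principal HTTP/app.example.com@EXAMPLE.COM are placeholders; the JAAS entry is assumed to configure Krb5LoginModule with storeKey=true and isInitiator=false.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Answers NameCallback/PasswordCallback from values supplied by the server,
 * so no console (TextCallbackHandler) is involved. Placeholder class name.
 */
final class ServerCallbackHandler implements CallbackHandler {
    private final String principal;
    private final char[] password;

    ServerCallbackHandler(String principal, char[] password) {
        this.principal = principal;
        this.password = password.clone();
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(principal);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(cb, "callback type not supported");
            }
        }
    }
}

public class AcceptorCredentialExample {
    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Logs the service principal in through the named JAAS entry and, inside that
     * Subject, acquires an ACCEPT_ONLY credential (the step the trace reports as
     * "Attempt to obtain new ACCEPT credentials failed!").
     * Assumed JAAS entry:
     *   ServiceLogin { com.sun.security.auth.module.Krb5LoginModule required
     *                  storeKey=true isInitiator=false; };
     * storeKey=true keeps the principal's key in the Subject so the acceptor can use it.
     */
    static GSSCredential acquireAcceptorCredential(String jaasEntry, final String servicePrincipal,
                                                   char[] password)
            throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext(jaasEntry, new ServerCallbackHandler(servicePrincipal, password));
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<GSSCredential>() {
            public GSSCredential run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5 = new Oid(KRB5_MECH_OID);
                GSSName name = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
                return manager.createCredential(name, GSSCredential.INDEFINITE_LIFETIME, krb5,
                        GSSCredential.ACCEPT_ONLY);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: a real server reads these from protected configuration,
        // or better, uses a keytab so no clear-text password exists at all.
        GSSCredential cred = acquireAcceptorCredential("ServiceLogin",
                "HTTP/app.example.com@EXAMPLE.COM", "placeholder-password".toCharArray());
        System.out.println("Acceptor credential acquired for " + cred.getName());
    }
}
```

    With a keytab (useKeyTab=true, keyTab=..., principal=... in the JAAS entry) the password callback is never invoked, which is the usual server-side setup and keeps the service password out of the application's configuration; the handler above is for the case where the key must be derived from a password.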

  • Change password in Active Directory using the JNDI GSS-API/Kerberos

    Hi
    I am trying to use the JNDI GSS-API to change a user password.
    When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
    09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
    Here's my java code:
    import java.io.IOException;
    import java.io.UnsupportedEncodingException;
    import java.security.PrivilegedActionException;
    import java.util.HashMap;
    import java.util.Hashtable;
    import java.util.Map;
    import java.util.logging.Logger;   // assumed: the post does not show which Logger is used
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.module.Krb5LoginModule;
    import org.apache.commons.chain.Command;
    // CoreConfig, UsuarioTOLDAP, UserNamePasswordCallbackHandler and ApplicationException
    // are the poster's own classes and are not shown in the thread.

    public class ChangePasswordLDAPCommand implements Command {
        static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());

        @SuppressWarnings("unchecked")
        public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
            logger.info("Início - execute");
            try {
                CoreConfig config = CoreConfig.getInstance();
                String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
                char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();
                Subject subject = new Subject();
                Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
                // options handed to the login module
                Map<String, String> map = new HashMap<String, String>();
                // shared state; useFirstPass makes the module read the name/password from here
                Map<String, String> shared = new HashMap<String, String>();
                map.put("com.sun.security.auth.module.Krb5LoginModule", "required");
                map.put("client", "true");
                map.put("useTicketCache", "true");
                map.put("doNotPrompt", "true");
                map.put("useKeyTab", "true");
                map.put("useFirstPass", "true");
                map.put("refreshKrb5Config", "true");
                logger.info(">>>>> map.toString(): " + map.toString());
                shared.put("javax.security.auth.login.name", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                shared.put("javax.security.auth.login.password", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                shared.put("javax.net.debug", "SSL,handshake,trustmanager");
                shared.put("sun.security.krb5.debug", "true");
                shared.put("com.sun.jndi.ldap.connect.pool.timeout", "30000");
                logger.info(">>>>> shared.toString(): " + shared.toString());
                krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName, password), shared, map);
                krb5LoginModule.login();
                if (krb5LoginModule.commit()) {
                    // Fetch the user whose password is to be changed
                    UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
                    logger.info(">>>>>>>>>>>>>>>>>>>>>> subject.toString(): " + subject.toString());
                    Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
                }
            } catch (LoginException e) {
                e.printStackTrace();
            } catch (PrivilegedActionException e) {
                e.printStackTrace();
            }
            logger.info("Fim - execute");
            return Command.CONTINUE_PROCESSING;
        }
    }

    @SuppressWarnings("unchecked")
    public class JndiAction implements java.security.PrivilegedExceptionAction {
        private static Logger logger = Logger.getLogger(JndiAction.class.getName());
        private UsuarioTOLDAP usuarioTOLDAP = null;

        public JndiAction(UsuarioTOLDAP usuarioTO) {
            this.usuarioTOLDAP = usuarioTO;
        }

        public Object run() {
            performJndiOperation(usuarioTOLDAP);
            return null;
        }

        @SuppressWarnings("unchecked")
        private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP) {
            logger.info(">>>>> entrei na JndiOperation");
            try {
                CoreConfig config = CoreConfig.getInstance();
                String distinguishedName = "";
                String keystore = "C:/Documents and Settings/user/.keystore";
                System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE, keystore);
                System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "30000");
                System.setProperty("javax.net.debug", "all");
                System.setProperty("sun.security.krb5.debug", "true");
                Hashtable env = new Hashtable();
                env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
                env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
                env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
                env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE, keystore);
                env.put("javax.security.sasl.qop", "auth-int");
                env.put("javax.security.sasl.strength", "high");
                env.put("javax.security.sasl.server.authentication", "true");
                String userName = "CN=USER," + config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
                // Create the initial LDAP context
                //DirContext ctx = new InitialDirContext(env);
                LdapContext ctx = new InitialLdapContext(env, null);
                // Setting the password is an LDAP modify operation
                ModificationItem[] mods = new ModificationItem[1];
                // Replace the "unicodePwd" attribute with a new value
                // Password must be both Unicode and a quoted string
                String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                ctx.close();
            } catch (NamingException e1) {
                e1.printStackTrace();
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    Edited by: c0m4nch3 on Jan 21, 2010 12:13 PM

    Refer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
    Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
    Good luck.

  • Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

    Hello,
    I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
    but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
    javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
    If anyone can help me figure out why it doesn't work, that would be great!
    P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
    Here's my java code:
    {code}
    import javax.naming.*;
    import javax.security.auth.*;
    import javax.security.auth.login.*;

    // ACException is the poster's own exception class (not shown in the thread).
    // The enclosing class name is assumed; the post only showed the method.
    public class ChangeSecret {
        public void changeSecret(String uid, String oldPassword, String newPassword)
                throws NamingException, ACException {
            LoginContext lc = null;   // declared outside the try so the cleanup below can reach it
            try {
                K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
                lc = new LoginContext("marker", cb);
                lc.login();
                // the post passed rz.getName() here; rz is defined nowhere in it, so uid is used instead
                Subject.doAs(lc.getSubject(), new ChangePasswordAction(uid, oldPassword, newPassword));
            } catch (LoginException e) {
                e.printStackTrace();
            } finally {
                if (lc != null) {
                    try {
                        lc.logout();
                    } catch (LoginException e) {
                        e.printStackTrace();
                    }
                }
            }
        }
    }
    {code}
    ChangePasswordAction.java is:
    {code}
    import java.io.UnsupportedEncodingException;
    import java.security.PrivilegedAction;
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.directory.*;

    // a top-level class cannot be private, so the modifier is dropped
    class ChangePasswordAction implements PrivilegedAction {
        private String uid;
        private String quotedOldPassword;
        private String quotedNewPassword;

        public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            // Active Directory expects the unicodePwd value wrapped in double quotes
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
        }

        public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                DirContext ctx = new InitialDirContext(env);
                ModificationItem[] mods = new ModificationItem[2];
                // ... and encoded as UTF-16LE
                byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                // self-service change: remove the old value and add the new one in a single modify
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                ctx.modifyAttributes(uid, mods);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
            return null;
        }
    }
    {code}
    K5CallbackHandler is:
    {code}
    import java.io.IOException;
    import javax.security.auth.callback.*;

    final class K5CallbackHandler implements CallbackHandler {
        private final String name;
        private final char[] passwd;

        public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if (pw == null) {
                passwd = new char[0];
            } else {
                passwd = pw.toCharArray();
            }
        }

        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    // the post cast the whole array here ((NameCallback) callbacks), which does not compile
                    NameCallback cb = (NameCallback) callbacks[i];
                    cb.setName(name);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    PasswordCallback cb = (PasswordCallback) callbacks[i];
                    cb.setPassword(passwd);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i]);
                }
            }
        }
    }
    {code}
    The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
    {code}
    marker {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
    };
    {code}

    This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
    My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
    Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
    In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
    Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding the following in your ChangePasswordAction class.)
    //Specify the quality of protection
    //Eg. auth-conf; confidentiality, auth-int; integrity
    //confidentiality is required to set a password
    env.put("javax.security.sasl.qop","auth-conf");
    //require high strength 128 bit crypto
    env.put("javax.security.sasl.strength","high");
    You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
    Good luck.
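    The settings this reply recommends, as an added example that is neither poster's code and not JDK code: the weak integrity-only environment next to the hardened confidential one, the unicodePwd encoding both posts use, and the two modification shapes seen in this thread (a single REPLACE for an administrative reset, REMOVE plus ADD for a self-service change that supplies the old password). The class name, the providerUrl and the user DN are placeholders, and the caller is assumed to invoke modifyPassword inside Subject.doAs of a Kerberos-authenticated Subject, as both posts do.

```java
import java.io.UnsupportedEncodingException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class UnicodePwdOverGssapi {

    /** Common GSSAPI settings; providerUrl is a placeholder such as "ldap://dc.example.com:389". */
    private static Hashtable<String, Object> baseEnv(String providerUrl) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        return env;
    }

    /** Weak: integrity only. AD refuses unicodePwd writes over an unsealed session with WILL_NOT_PERFORM. */
    static Hashtable<String, Object> integrityOnlyEnv(String providerUrl) {
        Hashtable<String, Object> env = baseEnv(providerUrl);
        env.put("javax.security.sasl.qop", "auth-int");
        return env;
    }

    /** Hardened: confidentiality, high-strength cipher, and the server has to authenticate too. */
    static Hashtable<String, Object> confidentialEnv(String providerUrl) {
        Hashtable<String, Object> env = baseEnv(providerUrl);
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("javax.security.sasl.strength", "high");
        env.put("javax.security.sasl.server.authentication", "true");
        return env;
    }

    /** unicodePwd is the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String clearPassword) {
        try {
            return ("\"" + clearPassword + "\"").getBytes("UTF-16LE");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-16LE is a required charset on every JVM", e);
        }
    }

    /** Administrative reset (first post above): one REPLACE; the caller needs reset-password rights. */
    static ModificationItem[] adminResetMods(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /** Self-service change (second post above): REMOVE the old value and ADD the new one in one modify. */
    static ModificationItem[] selfChangeMods(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /** Applies the modify; call this inside Subject.doAs(...) of a Kerberos-authenticated Subject. */
    static void modifyPassword(Hashtable<String, Object> env, String userDn, ModificationItem[] mods)
            throws NamingException {
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close();
        }
    }
}
```

    A quick way to confirm the diagnosis in a test domain is to send the same mods once with integrityOnlyEnv and once with confidentialEnv: the first is answered with the error 53 WILL_NOT_PERFORM seen in both posts, the second goes through as long as the bound principal holds the reset-password or change-password right on the target user, and sun.security.krb5.debug=true shows which encryption type was negotiated.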

  • How to use Kerberos & GSS-API to authenticate in Windows OS

    Hi,
    I need to use Kerberos and GSS-API authentication for user login in my JSP/Java application against Active Directory on Windows 2003 Server.
    I have gone through one thread which is quite similar to my need, but it is for a Linux host, which you can see below.
    http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
    Can anyone guide me on how to authenticate a user using Kerberos against Active Directory in a Windows environment?
    Thanking you in Advance.
    Satyam AMIN

    You can use Java GSS/Kerberos for authentication using any KDC (Solaris/Linux/Windows) provided you have setup the configuration.
    Here are the Java GSS tutorials to get started:
    http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
    Seema

  • Error: Unable to load the GSS-API Shared Library

    Hi all,
    I'm trying to install a working copy of SAP on a Debian Etch host. I've tried all versions available here: ftp://ftp.sap.com/pub/sapgui/java/  (710 r[2-6])  The jar installer completes successfully without error, but when I attempt to launch the application, I'm greeted with the same critical error each time. Here's my connection string:
    conn=/M/my-server-hostname/S/3610/G/PRD_GENERIC&sncon=true&sncqop=3
    Here's my (Sun) java version:
    java version "1.6.0_06"
    Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
    Java HotSpot(TM) Server VM (build 10.0-b22, mixed mode)
    Here's the full error message:
    Error: Unable to load the GSS-API Shared Library
    named "sncgss.so"
    Fri Nov 21 16:07:25 2008
    Release 710
    Component SNC (Secure Network Communication), version 5
    rc = -1, module sncxxdl_mt.c, line 342
    Detail SncPDLInit
    System Call dlopen
    Is there a software dependency I might be missing? This is my first attempt at installing SAP on a Linux host, so there may be something else even more obvious that I'm not seeing...
    Thanks in advance for any help you can provide.
    -Eric

    Hi,
    one solution should be to set the env variable $SNC_LIB to your libsecude.so, e.g.
    $>setenv SNC_LIB /usr/sap/<sid>/SYS/exe/run/libsecude.o (or wherever the lib resides)
    and then restart guilogon.
    Also, as far as I know, SAPGUI has issues with Java 6, so I would rather go with Java 5 or 1.4.2.
    Oliver Stabel

  • GSS API library required to set up a Secure Network Connection (SNC)

    We are working in a project to connect Microsoft ILM to SAP CUA. The goal is to manage Identities in
    SAP CUA by Microsoft ILM.
    The requirement is to make use of an encrypted network connection between the two systems.
    Due to our investigation it looks like that we need to use a SNC (Secure Network Connection).
    To set up a SNC we need a third party GSS API library. Before we can order this GSS API library we need to
    test this in a test environment.
    Our question is whether there is a possibility that we can use a trial version of a GSS API library to set up a test environment?
    Is there another way to setup a SNC in a test environment?
    We are looking for a GSS API Library?
    If you need more information please contact me.

    Hi AndrZegers,
    This is Supply Network collaboration (SNC) forum and your query looks like more of security.
    You can post your query in security forum.
    Security
    Regards,
    Nikhil

  • GSS-API/Kerberos v5 Authentication - Example throws strange exception

    Hi There,
    When I'm trying to run the GSS-API example I get this exception:
    java.lang.SecurityException: D:\Program Files\jdk1.2.2\jre\lib\security\HBJAASLogin.config (The system cannot find the file specified)
    I know that the exception is thrown because it cannot find the file: HBJAASLogin.config
    The strangest thing is that I don't have that file, if I search for it on the NET it isn't found anywhere ?!?
    And on the code there's no mention of the file ???
    Why does it need the file?
    Thank You
    Pinho

    hi,
    I am very sorry to disturb you.
    I already sent this problem to [email protected]
    but I am not able to see my mail in the users archives.
    so I am forwarding this.
    I don't know how to forward this to the forum.
    please help me
    Thanks and Regards
    kumar
    -----Original Message-----
    From: kumar [mailto:[email protected]]
    Sent: Wednesday, April 10, 2002 6:17 PM
    To: [email protected]
    Subject: Compilation error :: please help me.. it is urgent
    hi,
    I downloaded the following version of openssl and during compilation, I got the following error.
    openssl-engine-0.9.6c.
    I got the same result with version openssl-0.9.6 also.
    Step : Compile OpenSSL
    C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c> ms\mingw32
    C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c>perl Configure Mingw32
    Configuring for Mingw32
    IsWindows=1
    CC =gcc
    CFLAG =-DTHREADS -DDSO_WIN32 -DL_ENDIAN -fomit-frame-pointer -O3 -m486
    -Wall
    EX_LIBS =
    BN_ASM =bn_asm.o
    DES_ENC =des_enc.o fcrypt_b.o
    BF_ENC =bf_enc.o
    CAST_ENC =c_enc.o
    RC4_ENC =rc4_enc.o
    RC5_ENC =rc5_enc.o
    MD5_OBJ_ASM =
    SHA1_OBJ_ASM =
    RMD160_OBJ_ASM=
    PROCESSOR =
    RANLIB =true
    PERL =perl
    THIRTY_TWO_BIT mode
    DES_PTR used
    DES_RISC1 used
    DES_UNROLL used
    BN_LLONG mode
    RC4_INDEX mode
    RC4_CHUNK is undefined
    Configured for Mingw32.
    Generating x86 for GNU assember
    Bignum
    DES
    crypt
    Blowfish
    CAST5
    RC4
    MD5
    SHA1
    RIPEMD160
    RC5\32
    Generating makefile
    Generating DLL definition files
    Building OpenSSL
    mkdir tmp
    mkdir out
    mkdir outinc
    mkdir outinc\openssl
    copy .\crypto\cryptlib.h tmp\cryptlib.h
    1 file(s) copied.
    copy .\crypto\buildinf.h tmp\buildinf.h
    1 file(s) copied.
    copy .\crypto\md32_common.h tmp\md32_common.h
    1 file(s) copied.
    copy .\crypto\md4\md4_locl.h tmp\md4_locl.h
    1 file(s) copied.
    copy .\crypto\md5\md5_locl.h tmp\md5_locl.h
    1 file(s) copied.
    copy .\crypto\sha\sha_locl.h tmp\sha_locl.h
    1 file(s) copied.
    copy .\crypto\ripemd\rmd_locl.h tmp\rmd_locl.h
    1 file(s) copied.
    copy .\crypto\ripemd\rmdconst.h tmp\rmdconst.h
    1 file(s) copied.
    copy .\crypto\des\des_locl.h tmp\des_locl.h
    1 file(s) copied.
    copy .\crypto\des\rpc_des.h tmp\rpc_des.h
    1 file(s) copied.
    copy .\crypto\des\spr.h tmp\spr.h
    1 file(s) copied.
    copy .\crypto\des\des_ver.h tmp\des_ver.h
    1 file(s) copied.
    copy .\crypto\rc2\rc2_locl.h tmp\rc2_locl.h
    1 file(s) copied.
    copy .\crypto\rc4\rc4_locl.h tmp\rc4_locl.h
    1 file(s) copied.
    copy .\crypto\rc5\rc5_locl.h tmp\rc5_locl.h
    1 file(s) copied.
    copy .\crypto\idea\idea_lcl.h tmp\idea_lcl.h
    1 file(s) copied.
    copy .\crypto\bf\bf_pi.h tmp\bf_pi.h
    1 file(s) copied.
    copy .\crypto\bf\bf_locl.h tmp\bf_locl.h
    1 file(s) copied.
    copy .\crypto\cast\cast_s.h tmp\cast_s.h
    1 file(s) copied.
    copy .\crypto\cast\cast_lcl.h tmp\cast_lcl.h
    1 file(s) copied.
    copy .\crypto\bn\bn_lcl.h tmp\bn_lcl.h
    1 file(s) copied.
    copy .\crypto\bn\bn_prime.h tmp\bn_prime.h
    1 file(s) copied.
    copy .\crypto\bio\bss_file.c tmp\bss_file.c
    1 file(s) copied.
    copy .\crypto\objects\obj_dat.h tmp\obj_dat.h
    1 file(s) copied.
    copy .\crypto\conf\conf_def.h tmp\conf_def.h
    1 file(s) copied.
    copy .\ssl\ssl_locl.h tmp\ssl_locl.h
    1 file(s) copied.
    copy .\apps\apps.h tmp\apps.h
    1 file(s) copied.
    copy .\apps\progs.h tmp\progs.h
    1 file(s) copied.
    copy .\apps\s_apps.h tmp\s_apps.h
    1 file(s) copied.
    copy .\apps\testdsa.h tmp\testdsa.h
    1 file(s) copied.
    copy .\apps\testrsa.h tmp\testrsa.h
    1 file(s) copied.
    copy .\.\e_os.h outinc\openssl\e_os.h
    1 file(s) copied.
    copy .\.\e_os2.h outinc\openssl\e_os2.h
    1 file(s) copied.
    copy .\crypto\crypto.h outinc\openssl\crypto.h
    1 file(s) copied.
    copy .\crypto\tmdiff.h outinc\openssl\tmdiff.h
    1 file(s) copied.
    copy .\crypto\opensslv.h outinc\openssl\opensslv.h
    1 file(s) copied.
    copy .\crypto\opensslconf.h outinc\openssl\opensslconf.h
    1 file(s) copied.
    copy .\crypto\ebcdic.h outinc\openssl\ebcdic.h
    1 file(s) copied.
    copy .\crypto\symhacks.h outinc\openssl\symhacks.h
    1 file(s) copied.
    copy .\crypto\md2\md2.h outinc\openssl\md2.h
    1 file(s) copied.
    copy .\crypto\md4\md4.h outinc\openssl\md4.h
    1 file(s) copied.
    copy .\crypto\md5\md5.h outinc\openssl\md5.h
    1 file(s) copied.
    copy .\crypto\sha\sha.h outinc\openssl\sha.h
    1 file(s) copied.
    copy .\crypto\mdc2\mdc2.h outinc\openssl\mdc2.h
    1 file(s) copied.
    copy .\crypto\hmac\hmac.h outinc\openssl\hmac.h
    1 file(s) copied.
    copy .\crypto\ripemd\ripemd.h outinc\openssl\ripemd.h
    1 file(s) copied.
    copy .\crypto\des\des.h outinc\openssl\des.h
    1 file(s) copied.
    copy .\crypto\rc2\rc2.h outinc\openssl\rc2.h
    1 file(s) copied.
    copy .\crypto\rc4\rc4.h outinc\openssl\rc4.h
    1 file(s) copied.
    copy .\crypto\rc5\rc5.h outinc\openssl\rc5.h
    1 file(s) copied.
    copy .\crypto\idea\idea.h outinc\openssl\idea.h
    1 file(s) copied.
    copy .\crypto\bf\blowfish.h outinc\openssl\blowfish.h
    1 file(s) copied.
    copy .\crypto\cast\cast.h outinc\openssl\cast.h
    1 file(s) copied.
    copy .\crypto\bn\bn.h outinc\openssl\bn.h
    1 file(s) copied.
    copy .\crypto\rsa\rsa.h outinc\openssl\rsa.h
    1 file(s) copied.
    copy .\crypto\dsa\dsa.h outinc\openssl\dsa.h
    1 file(s) copied.
    copy .\crypto\dso\dso.h outinc\openssl\dso.h
    1 file(s) copied.
    copy .\crypto\dh\dh.h outinc\openssl\dh.h
    1 file(s) copied.
    copy .\crypto\buffer\buffer.h outinc\openssl\buffer.h
    1 file(s) copied.
    copy .\crypto\bio\bio.h outinc\openssl\bio.h
    1 file(s) copied.
    copy .\crypto\stack\stack.h outinc\openssl\stack.h
    1 file(s) copied.
    copy .\crypto\stack\safestack.h outinc\openssl\safestack.h
    1 file(s) copied.
    copy .\crypto\lhash\lhash.h outinc\openssl\lhash.h
    1 file(s) copied.
    copy .\crypto\rand\rand.h outinc\openssl\rand.h
    1 file(s) copied.
    copy .\crypto\err\err.h outinc\openssl\err.h
    1 file(s) copied.
    copy .\crypto\objects\objects.h outinc\openssl\objects.h
    1 file(s) copied.
    copy .\crypto\objects\obj_mac.h outinc\openssl\obj_mac.h
    1 file(s) copied.
    copy .\crypto\evp\evp.h outinc\openssl\evp.h
    1 file(s) copied.
    copy .\crypto\asn1\asn1.h outinc\openssl\asn1.h
    1 file(s) copied.
    copy .\crypto\asn1\asn1_mac.h outinc\openssl\asn1_mac.h
    1 file(s) copied.
    copy .\crypto\pem\pem.h outinc\openssl\pem.h
    1 file(s) copied.
    copy .\crypto\pem\pem2.h outinc\openssl\pem2.h
    1 file(s) copied.
    copy .\crypto\x509\x509.h outinc\openssl\x509.h
    1 file(s) copied.
    copy .\crypto\x509\x509_vfy.h outinc\openssl\x509_vfy.h
    1 file(s) copied.
    copy .\crypto\x509v3\x509v3.h outinc\openssl\x509v3.h
    1 file(s) copied.
    copy .\crypto\conf\conf.h outinc\openssl\conf.h
    1 file(s) copied.
    copy .\crypto\conf\conf_api.h outinc\openssl\conf_api.h
    1 file(s) copied.
    copy .\crypto\txt_db\txt_db.h outinc\openssl\txt_db.h
    1 file(s) copied.
    copy .\crypto\pkcs7\pkcs7.h outinc\openssl\pkcs7.h
    1 file(s) copied.
    copy .\crypto\pkcs12\pkcs12.h outinc\openssl\pkcs12.h
    1 file(s) copied.
    copy .\crypto\comp\comp.h outinc\openssl\comp.h
    1 file(s) copied.
    copy .\crypto\engine\engine.h outinc\openssl\engine.h
    1 file(s) copied.
    copy .\ssl\ssl.h outinc\openssl\ssl.h
    1 file(s) copied.
    copy .\ssl\ssl2.h outinc\openssl\ssl2.h
    1 file(s) copied.
    copy .\ssl\ssl3.h outinc\openssl\ssl3.h
    1 file(s) copied.
    copy .\ssl\ssl23.h outinc\openssl\ssl23.h
    1 file(s) copied.
    copy .\ssl\tls1.h outinc\openssl\tls1.h
    1 file(s) copied.
    copy .\rsaref\rsaref.h outinc\openssl\rsaref.h
    1 file(s) copied.
    gcc -o tmp\cryptlib.o -Ioutinc -Itmp -O3 -fomit-frame-pointer -DDSO_WIN32 -c .\crypto\cryptlib.c
    process_begin: CreateProcess((null), gcc -o tmp\cryptlib.o -Ioutinc -Itmp -O3 -fomit-frame-pointer -DDSO_WIN32 -c .\crypto\cryptlib.c, ...) failed.
    make (e=2): The system cannot find the file specified.
    make: *** [tmp\cryptlib.o] Error 2
    You can ignore the error messages above
    1 file(s) copied.
    Building the libraries
    Building OpenSSL
    gcc -o tmp/cryptlib.o -Ioutinc -Itmp -DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall -DBN_ASM -DMD5_ASM -DSHA1_ASM -c ./crypto/cryptlib.c
    process_begin: CreateProcess((null), gcc -o tmp/cryptlib.o -Ioutinc -Itmp -DL_ENDIAN -DDSO_WIN32 -fomit-frame-pointer -O3 -m486 -Wall -DBN_ASM -DMD5_ASM -DSHA1_ASM -c ./crypto/cryptlib.c, ...) failed.
    make (e=2): The system cannot find the file specified.
    make: *** [tmp/cryptlib.o] Error 2
    C:\kumar\openssl-engine-0.9.6c.tar\openssl-engine-0.9.6c>
    Note:
    As per the readme instructions, I am using the following:
         1. GNU C (Mingw32):
              gcc-2.95.2-msvcrt.exe
              make-3.76.1.zip
         2. ActivePerl-5.6.1.631-MSWin32-x86.msi
    What is the workaround? Is there any mistake on my side?
    Please help me, it is urgent.
    Thanks and Regards
    kumar

  • Edu.mit.Kerberos.kadmind: Cannot set GSS-API authentication names.

    It doesn't stop appearing in my console:
    01/12/11 01:40:02          edu.mit.Kerberos.kadmind[1387]          kadmind: Cannot set GSS-API authentication names.
    01/12/11 01:40:02          com.apple.launchd[1]          (edu.mit.Kerberos.kadmind[1387]) Exited with exit code: 1
    01/12/11 01:40:02          com.apple.launchd[1]          (edu.mit.Kerberos.kadmind) Throttling respawn: Will start in 10 seconds
    Can someone help please?
    Thanks!

    It looks like for some reason kadmind is being launched in a sandbox (i.e. with restrictions on what it can do). Check the file /System/Library/LaunchDaemons/edu.mit.kadmind.plist; it should look a lot like this:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>Label</key>
    <string>edu.mit.Kerberos.kadmind</string>
    <key>Program</key>
    <string>/usr/sbin/kadmind</string>
    <key>ProgramArguments</key>
    <array>
    <string>/usr/sbin/kadmind</string>
    <string>-nofork</string>
    </array>
    <key>KeepAlive</key>
    <dict>
    <key>PathState</key>
    <dict>
    <key>/Library/Preferences/edu.mit.Kerberos.kadmind.launchd</key>
    <true/>
    </dict>
    </dict>
    <key>EnableTransactions</key>
    <true/>
    </dict>
    </plist>

  • GSS-API Java Gurus

    Hi!
    Could somebody please clarify for me what's happening here:
    java.lang.IllegalArgumentException: Authentication time of ticket cannot be null
         at javax.security.auth.kerberos.KerberosTicket.init(KerberosTicket.java:279)
         at javax.security.auth.kerberos.KerberosTicket.<init>(KerberosTicket.java:222)
         at sun.security.jgss.krb5.Krb5InitCredential.<init>(Krb5InitCredential.java:118)
         at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:198)
         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:107)
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:584)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    Kerberos token seems to be valid it starts with:
    60 82 09 01 06 09 2A 86 48 86 F7 12 01 02 02 01
    00 6E 82 08......
    With gssapi in c this is supposed to work....
    Thanx.

    This is what I do with the SPNEGO token before I pass it to acceptSecContext():
    byte[] spnegoBytes = new BASE64Decoder().decodeBuffer(authHeader);
    // slice the raw bytes; a round trip through String and getBytes() would corrupt any byte above 0x7F
    byte[] gssbytes = java.util.Arrays.copyOfRange(spnegoBytes, 66, spnegoBytes.length);
    authHeader is the base64 String following "Negotiate " in the token sent by the browser
    Using the MS doc about SPNEGO I calculated that the Kerberos body starts at byte 66 and runs to the end of the array. This seems to be accepted by acceptSecContext() or at least parsable, but now I'm running into issues with encryption type support:
    GSSException occurred Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
    GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
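    The two tokens in this thread differ in framing, which is what the hard-coded offset 66 papers over. The bytes quoted in the question (60 82 09 01 06 09 2A 86 48 86 F7 12 01 02 02 01 00 6E ...) decode as a bare RFC 2743 initial context token: [APPLICATION 0], then the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, then the TOK_ID 01 00 and an AP-REQ ([APPLICATION 14], tag 0x6E). A browser's "Negotiate" header normally carries that same token wrapped in a SPNEGO NegTokenInit (OID 1.3.6.1.5.5.2), and the position of the inner token depends on how many mechanism OIDs the browser lists in mechTypes, so it is not a constant. The added example below is not code from the thread; it walks the DER structure and returns the AP-REQ whichever framing it gets. The sample header it builds is constructed here, and its AP-REQ body is a placeholder rather than a real ticket. (Java 6 and later also ship a SPNEGO mechanism in JGSS, so a context created for OID 1.3.6.1.5.5.2 can accept the wrapped token directly.)

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos mech OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KRB_AP_REQ_TOKEN_ID = b"\x01\x00"          # TOK_ID that precedes the AP-REQ (RFC 4121)

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos=0):
    """Parse one DER element at pos: returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def unwrap_gss(token):
    """RFC 2743 InitialContextToken: [APPLICATION 0] { mech OID, mechanism bytes }."""
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token (tag 0x%02x)" % tag)
    oid_tag, oid_body, off = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("mechanism OID missing")
    return decode_oid(oid_body), body[off:]

def parse_gss_token(token):
    """Accepts a bare Kerberos token or a SPNEGO negTokenInit; returns the AP-REQ inside."""
    mech, inner = unwrap_gss(token)
    mech_types = []
    if mech == SPNEGO_OID:
        ctx_tag, seq, _ = read_tlv(inner)            # negTokenInit [0]
        if ctx_tag != 0xA0:
            raise ValueError("only negTokenInit is handled here")
        _, fields, _ = read_tlv(seq)                 # SEQUENCE of context-tagged fields
        mech_token, pos = None, 0
        while pos < len(fields):
            ftag, fval, pos = read_tlv(fields, pos)
            if ftag == 0xA0:                         # mechTypes [0] SEQUENCE OF OID
                _, oids, _ = read_tlv(fval)
                p = 0
                while p < len(oids):
                    _, ob, p = read_tlv(oids, p)
                    mech_types.append(decode_oid(ob))
            elif ftag == 0xA2:                       # mechToken [2] OCTET STRING
                _, mech_token, _ = read_tlv(fval)
        if mech_token is None:
            raise ValueError("negTokenInit has no mechToken")
        token = mech_token
        mech, inner = unwrap_gss(token)
    if mech not in (KRB5_OID, MS_KRB5_OID):
        raise ValueError("unsupported mechanism " + mech)
    if len(inner) < 3 or inner[:2] != KRB_AP_REQ_TOKEN_ID or inner[2] != 0x6E:
        raise ValueError("mechanism bytes are not a KRB_AP_REQ")   # AP-REQ is [APPLICATION 14]
    return {"mech": mech, "mech_types": mech_types, "krb5_token": token, "ap_req": inner[2:]}

def parse_negotiate_header(header_value):
    """'Negotiate <base64>' as sent by a browser -> parse_gss_token on the decoded bytes."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    return parse_gss_token(base64.b64decode(b64))

def kerberos_token_offset(header_value):
    """Byte offset of the embedded Kerberos token in the decoded blob (the poster's hard-coded 66)."""
    blob = base64.b64decode(header_value.split(" ", 1)[1])
    return blob.find(parse_gss_token(blob)["krb5_token"])

def build_sample_negotiate_header():
    """Constructed sample: SPNEGO wrapping a Kerberos token whose AP-REQ body is a placeholder."""
    ap_req = tlv(0x6E, tlv(0x30, tlv(0x02, b"\x05")))        # placeholder, not a real AP-REQ
    krb5_token = tlv(0x60, encode_oid(KRB5_OID) + KRB_AP_REQ_TOKEN_ID + ap_req)
    mech_types = tlv(0xA0, tlv(0x30, encode_oid(KRB5_OID) + encode_oid(NTLMSSP_OID)))
    mech_token = tlv(0xA2, tlv(0x04, krb5_token))
    spnego = tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_types + mech_token)))
    return "Negotiate " + base64.b64encode(spnego).decode("ascii")
```

    With two OIDs in mechTypes the Kerberos token in the sample starts at offset 45; a browser that lists more mechanisms pushes it further along, which is why a fixed 66 works for one client and breaks for the next. Parsing the structure also lets the acceptor reject a mechToken that is not Kerberos before handing it to acceptSecContext().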

  • GSS-API How to get the client-to-service ticket

    In Kerberos, when requesting services, the client sends the following two messages to the TGS: a composed message of the Ticket-Granting Ticket and the ID of the requested service, and an authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
    Then upon receiving these messages the TGS sends the following to the client:
    A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
    B: Client/server session key encrypted with the client/TGS session key.
    Now I'm wondering how to obtain A and B through the Kerberos login in GSS-API. I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in the PrivateCredentials set for the Subject. A sessionKey can also be obtained from this KerberosTicket! Which session key is this? The session key B described above? And where do I get the Client-to-server ticket (A) described above?
    Thanks for any help !
    Alex
    lc = new LoginContext("login-client", new TextCallbackHandler());
    lc.login();
    mysubject = lc.getSubject();
    java.util.Set principals = mysubject.getPrincipals();
    java.util.Iterator iterador = principals.iterator();
    if (iterador.hasNext()) {
        KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
        clientName = principal.getName();
        PrivilegedAction generateServiceTicket = new ClientAction(clientName, "[email protected]");
        Subject.doAs(mysubject, generateServiceTicket);
        // after doAs the service ticket fetched in run() has been added to the Subject
        Set prvCredentials = mysubject.getPrivateCredentials();
        for (Iterator i = prvCredentials.iterator(); i.hasNext();) {
            KerberosTicket ticket = (KerberosTicket) i.next();
        }
        prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
    }
    // ClientAction.run(): pn is the client principal name, servicename the target service
    public Object run() {
        try {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1"); // not used below
            GSSName userName = manager.createName(pn, GSSName.NT_USER_NAME);
            GSSCredential cred = manager.createCredential(userName,
                    GSSCredential.DEFAULT_LIFETIME,
                    krb5Mechanism,
                    GSSCredential.INITIATE_ONLY);
            GSSName peerName = manager.createName(servicename,
                    GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
            GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
                    GSSContext.DEFAULT_LIFETIME);
            setContext.requestInteg(false);
            setContext.requestConf(false);
            byte[] inputBuf = new byte[0];
            // the AP-REQ token; producing it fetches the service ticket into the Subject
            byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
        } catch (GSSException gsse) {
            gsse.printStackTrace();
        }
        return null;
    }
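    The mapping the question is after: the KerberosTicket that appears in the Subject's private credentials after Subject.doAs is the service ticket, its getEncoded() is the DER Ticket (A, which the client cannot decrypt), and its getSessionKey() is the client/server session key that the client recovered by decrypting B with the client/TGS session key; the TGT already in the set (server=krbtgt/...) carries that client/TGS key in its own getSessionKey(). The token returned by initSecContext() is the AP-REQ, which forwards A unchanged together with an authenticator under the new session key. The simulation below, written for this page and not taken from the thread or from any Kerberos implementation, runs the TGS exchange end to end so each party's view can be inspected. It uses a toy authenticated cipher (SHA-256 keystream plus HMAC) as a stand-in for a Kerberos etype, and the principal names and addresses are made up.

```python
import hashlib
import hmac
import json
import secrets

# Toy authenticated cipher standing in for a Kerberos etype (NOT a real etype, illustration only).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """EncryptedData stand-in: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class TicketGrantingServer:
    def __init__(self, krbtgt_key, service_keys):
        self.krbtgt_key = krbtgt_key        # opens TGTs issued by the AS
        self.service_keys = service_keys    # long-term keys of the services (keytab contents)

    def tgs_exchange(self, tgt, authenticator, service, now):
        tgt_body = unseal(self.krbtgt_key, tgt)                  # TGT is sealed under the krbtgt key
        k_client_tgs = bytes.fromhex(tgt_body["session_key"])
        auth = unseal(k_client_tgs, authenticator)               # only a holder of K_client/TGS can make this
        if auth["client"] != tgt_body["client"] or abs(auth["timestamp"] - now) > 300:
            raise PermissionError("authenticator rejected")
        k_cs = secrets.token_bytes(32).hex()
        expiry = min(tgt_body["valid_until"], now + 10 * 3600)
        # A: client-to-server ticket, readable only by the service
        ticket = {"client": tgt_body["client"], "addr": tgt_body["addr"],
                  "valid_until": expiry, "session_key": k_cs}
        part_a = seal(self.service_keys[service], ticket)
        # B: enc-part of the TGS-REP, readable by the client
        part_b = seal(k_client_tgs, {"service": service, "session_key": k_cs, "valid_until": expiry})
        return part_a, part_b

def run_exchange(now=1_700_000_000):
    """AS step (abbreviated), then the TGS step for alice -> host/svc; returns what each side sees."""
    krbtgt_key, svc_key, k_client_tgs = (secrets.token_bytes(32) for _ in range(3))
    tgs = TicketGrantingServer(krbtgt_key, {"host/svc.example.com": svc_key})
    # What the AS handed alice earlier: a TGT (opaque to her) plus K_client/TGS (known to her)
    tgt = seal(krbtgt_key, {"client": "alice", "addr": "192.0.2.10",
                            "valid_until": now + 36000, "session_key": k_client_tgs.hex()})
    # Client side of the TGS exchange
    authenticator = seal(k_client_tgs, {"client": "alice", "timestamp": now})
    part_a, part_b = tgs.tgs_exchange(tgt, authenticator, "host/svc.example.com", now)
    client_view = unseal(k_client_tgs, part_b)      # B opens: this is KerberosTicket.getSessionKey()
    try:
        unseal(k_client_tgs, part_a)                # A does not: it is what getEncoded() carries, opaque
        client_can_open_ticket = True
    except ValueError:
        client_can_open_ticket = False
    # Service side: the AP-REQ later carries part_a unchanged; the service opens it with its own key
    service_view = unseal(svc_key, part_a)
    return {"client_session_key": client_view["session_key"],
            "service_session_key": service_view["session_key"],
            "client_can_open_ticket": client_can_open_ticket,
            "ticket_client": service_view["client"]}
```

    Both parties end up with the same client/server session key without it ever travelling in the clear, and the client holds the ticket only as an opaque blob to forward; that is exactly the split between getEncoded() and getSessionKey() on the Java object.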

  • JAAS and GSS-API Tutorial Question

    I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
    I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example to do this? Am I missing something else?
    Thank you.
    Craig

    Please do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.

  • Java GSS API - Kerberos - Receive timed out when requesting service ticket.

    Hi,
    I'm following the following exercises about Kerberos/JGSS-API :
    http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/
    On exercise 3, I get an exception (when requesting a service ticket) from the client side:
    Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
    etc.
    This seems to happen when the GSSContext.initSecContext(...) method is called.
    The server side receives the client connection:
    Waiting for incoming connection...
    Got connection from client /xxx.xxx.x.xxx
    But then displays the following exception:
    Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
    etc.
    I checked my KDC (win 2003 Server SP2) and added SPNs with setspn but the error remains.
    Any suggestion are more than welcome !

    The TGT is already present on my Client machine because it is acquired automaticaly from the KDC during the Windows opening session.
    I use then JAAS to access the LSA and obtain the TGT - This doesn't need any further connection to the KDC.
    But the Service Ticket is requested to the KDC by my client machine..
    Here is the complete output (Client side) after I destroyed the tickets (with Kerberos MIT Leash.exe and/or kdestroy.exe ):
    Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    >>>KinitOptions cache name is C:\Documents and Settings\user.MYDOMAIN\krb5cc_user
    >> Acquire default native Credentials
    >>> Obtained TGT from LSA: Credentials:
    [email protected]
    server=krbtgt/[email protected]
    authTime=20080529135209Z
    startTime=20080529135209Z
    endTime=20080530015209Z
    renewTill=20080702135209Z
    flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
    EType (int): 23
    Principal is [email protected]
    Commit Succeeded
    Authenticated principal: [[email protected]]
    Connected to address host1/xxx.xxx.x.xxx
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
    Service ticket not found in the subject
    >>> Credentials acquireServiceCreds: same realm
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    >>> KrbKdcReq send: kdc=yyy.yyy.y.y UDP:88, timeout=30000, number of retries =3, #bytes=1262
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =1, #bytes=1262
    SocketTimeOutException with attempt: 1
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =2, #bytes=1262
    SocketTimeOutException with attempt: 2
    >>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =3, #bytes=1262
    Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAs(Subject.java:396)
         at SimpleAuthzz2.loginAndAction(SimpleAuthzz2.java:56)
         at SimpleGssClient.main(SimpleGssClient.java:36)
    SocketTimeOutException with attempt: 3
    Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:659)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
         at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
         at SimpleGssClient$GssClientAction.run(SimpleGssClient.java:121)
         ... 4 more
    Caused by: java.net.SocketTimeoutException: Receive timed out
         at java.net.PlainDatagramSocketImpl.peekData(Native Method)
         at java.net.DatagramSocket.receive(DatagramSocket.java:662)
         at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)
         at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:278)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
         at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:140)
         at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)
         at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:215)
         at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:293)
         at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
         at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)
         at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)
         ... 7 more
    It seems like the TGT is still present in the cache, even if Leash displays "no tickets".
    Meanwhile, in the KDC-server side:
    -What is the correct spn to add? C:\setspn GssServer/host1 user ? (I in fact tried many possibilities)..
    -Is there any other special configuration to do in the KDC ?
    Thanks a lot!
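    The debug output above already separates the two legs of the login: the TGT came out of the Windows LSA without any network traffic, and it is the TGS-REQ for the service ticket that is retried three times over UDP port 88 and times out every time, with no TCP attempt in between. That is a reachability question for the KDC address, not an SPN question, since a wrong SPN would produce a KDC error reply rather than silence. The triage below is an added example, not code from the thread or from the JGSS tutorial: it pulls those facts out of the Krb5 debug lines and turns them into findings a practitioner would act on. The log it runs on is a constructed sample shaped like the output quoted above, with a placeholder realm, and the mention of udp_preference_limit refers to the [libdefaults] setting in krb5.conf that the Java Kerberos client honours.

```python
import re

# Constructed sample, modelled on the JGSS debug output in the post above (placeholder realm and KDC).
SAMPLE_LOG = """\
>>> Obtained TGT from LSA: Credentials:
server=krbtgt/EXAMPLE.COM@EXAMPLE.COM
EType (int): 23
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> KrbKdcReq send: kdc=yyy.yyy.y.y UDP:88, timeout=30000, number of retries =3, #bytes=1262
>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =1, #bytes=1262
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =2, #bytes=1262
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =3, #bytes=1262
SocketTimeOutException with attempt: 3
Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
"""

KDC_LINE = re.compile(r"KDCCommunication: kdc=(?P<kdc>\S+) (?P<proto>UDP|TCP):(?P<port>\d+),"
                      r".*?Attempt =(?P<attempt>\d+), #bytes=(?P<size>\d+)")
TIMEOUT_LINE = re.compile(r"SocketTimeOutException with attempt: (\d+)")
ETYPES_LINE = re.compile(r"default etypes for default_tgs_enctypes: ([\d ]+)\.")
TGT_ETYPE_LINE = re.compile(r"EType \(int\): (\d+)")

def summarize(log):
    """Extract the KDC communication attempts, timeouts and etype facts from Krb5 debug output."""
    s = {"tgt_from_lsa": False, "tgt_etype": None, "tgs_etypes": [],
         "attempts": [], "timeouts": 0, "service_ticket_cached": True}
    for line in log.splitlines():
        if "Obtained TGT from LSA" in line:
            s["tgt_from_lsa"] = True
            continue
        if "Service ticket not found in the subject" in line:
            s["service_ticket_cached"] = False
            continue
        m = KDC_LINE.search(line)
        if m:
            s["attempts"].append({"kdc": m.group("kdc"), "proto": m.group("proto"),
                                  "port": int(m.group("port")), "attempt": int(m.group("attempt")),
                                  "size": int(m.group("size"))})
            continue
        if TIMEOUT_LINE.search(line):
            s["timeouts"] += 1
            continue
        m = ETYPES_LINE.search(line)
        if m:
            s["tgs_etypes"] = [int(x) for x in m.group(1).split()]
            continue
        m = TGT_ETYPE_LINE.search(line)
        if m:
            s["tgt_etype"] = int(m.group(1))
    return s

def diagnose(s):
    """Turn the summary into findings; each rule names the evidence it rests on."""
    findings = []
    if s["tgt_from_lsa"]:
        findings.append("TGT came from the Windows LSA, so the AS exchange never touched the network; "
                        "only the TGS-REQ for the service ticket did.")
    if not s["service_ticket_cached"]:
        findings.append("No cached service ticket, so a TGS-REQ to the KDC is unavoidable here.")
    protos = {a["proto"] for a in s["attempts"]}
    kdcs = sorted({"%s:%d" % (a["kdc"], a["port"]) for a in s["attempts"]})
    if s["attempts"] and s["timeouts"] >= len(s["attempts"]) and protos == {"UDP"}:
        findings.append("All %d attempts to %s were UDP and all timed out, and no TCP fallback was tried: "
                        "confirm the kdc address and that UDP/88 is not filtered, or set "
                        "udp_preference_limit = 1 under [libdefaults] so the client uses TCP."
                        % (len(s["attempts"]), ", ".join(kdcs)))
    if s["tgt_etype"] is not None and s["tgs_etypes"] and s["tgt_etype"] not in s["tgs_etypes"]:
        findings.append("TGT etype %d is not in default_tgs_enctypes %s."
                        % (s["tgt_etype"], s["tgs_etypes"]))
    return findings

if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print("-", finding)
```

    Run as is, it reports the LSA-sourced TGT, the missing service ticket, and the three silent UDP attempts with the TCP suggestion; the etype rule stays quiet because etype 23 (RC4-HMAC, the TGT's type) is in the TGS list. Once the KDC answers, a wrong SPN shows up as a KRB-ERROR in the same debug output and is the next thing to look at.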

  • SAP GUI Error - (GSS-APP DLL) on Windows Vista!

    Hi All
    I am getting an error when setting up SAP GUI version 710 on Windows Vista.
    When I try to set up an snc logon i get the following message:
    Unable to load the  GSS-API DLL named 'sncgss32.dll'
    On Windows XP we have a GSSAPI32.DLL in the C drive and all is ok?
    Any ideas
    Thanks
    Phil

    The following is working on Vista at a major client in DK. It is important to know whether you use a 32-bit or 64-bit operating system. This example is with a 32-bit system.
    Create a user variable in MS Vista called SNC_LIB. The value is <drive>:\<path>\gsskrb5.dll
    example: SNC_LIB=c:\windows\system32\gsskrb5.dll
    The file gsskrb5.dll should of course be placed in the folder specified above. You can download the file from Microsoft or from SAP (I think it can be found in a note).
    Then you set up your SAP environment to handle SSO with the same file in the server setup; I recommend only using the gsskrb5.dll file. Verify that the setup is correct on the server. If it is correct, the SNC tab will exist in transaction SU01, and when you enter the correct value in the "SNC name" field a green checkmark should pop up.
    In the GUI on the specific system you should enter the following value in the Secure Network setting: "SAPService<system id>@<domain>".
    It should work without problem. If you have an older version of SAP you should perhaps try out the GSSNTLM.DLL file instead of GSSKRB5.DLL. That can sometimes help if it does not work.
    Best regards
    Klaus van Berkel

  • Question about Java GSS-Kerberos authentication

    Hi,
    I am new to GSS API. I have a client requirement to use Java GSS Kerberos Authentication instead of using IIS for Integrated Windows Authentication. In IWA, the IE browser automatically picks up the logged-in windows user credentials and passes it to IIS, which authenticates you against Active Directory and returns SUCCESS.
    We are planning to write a Servlet/JSP code on Apache Tomcat on Solaris 10, which uses Java GSS API to do Kerberos Authentication and return SUCCESS to the user. When I look at the examples:
    http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html#RunAc
    it says:
    "You will be prompted for your Kerberos user name and password, and the underlying Kerberos authentication mechanism specified in the login configuration file will log you into Kerberos. If your login is successful, you will see the following message: Authentication succeeded!"
    Does this mean that in Kerberos Authentication using Java GSS API, the user will have to enter his windows credentials for authentication? Is there a way for the credentials to be passed from Windows automatically to the API, without user intervention?
    Any links detailing the procedure would be of great help.
    Thanks,
    shetty2k

    We are having a similar requirement on our end. To make the situation worse, I do not even have an idea of an approach.
    What are the ways that we can use Windows credentials to authenticate against IIS with Tomcat?
    any help is greatly appreciated.
    R.
