GSS-API/Kerberos v5 Authentication - Example throws strange exception

Similar Messages

• Change password in Active Directory using the JNDI GSS-API/Kerberos

  Hi
  I am trying to the JNDI GSS-API to change a user password.
  When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
  09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
  Here's my java code:
  public class ChangePasswordLDAPCommand implements Command {
       static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());
       @SuppressWarnings("unchecked")
       public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
            logger.info("Início - execute");
            try {
                 CoreConfig config = CoreConfig.getInstance();
                 String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
                 char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();
                 Subject subject = new Subject();
                 Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
                 Map<String, String> map = new HashMap<String, String>();
                 Map<String, String> shared = new HashMap<String, String>();
                 map.put("com.sun.security.auth.module.Krb5LoginModule","required");
                 map.put("client","true");
                 map.put("useTicketCache","true");
                 map.put("doNotPrompt","true");
                 map.put("useKeyTab","true");
                 map.put("useFirstPass","true");
                 map.put("refreshKrb5Config","true");
                 logger.info(">>>>> map.toString(): "+map.toString());
                 shared.put("javax.security.auth.login.name", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                 shared.put("javax.security.auth.login.password", config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                 shared.put("javax.net.debug","SSL,handshake,trustmanager");
                 shared.put("sun.security.krb5.debug","true");
                 shared.put("com.sun.jndi.ldap.connect.pool.timeout","30000");
                 logger.info(">>>>> shared.toString(): "+shared.toString());
                 krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName,password),shared,map);
                 krb5LoginModule.login();
                 if(krb5LoginModule.commit()){
                      //Recupera o usuario a ser alterado
                      UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
                      logger.info(">>>>>>>>>>>>>>>>>>>>>> subject.toString(): "+subject.toString());
                      Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
            } catch (LoginException e) {
                 e.printStackTrace();
            } catch (PrivilegedActionException e) {
                 e.printStackTrace();
            logger.info("Fim - execute");
            return Command.CONTINUE_PROCESSING;
  @SuppressWarnings("unchecked")
  public class JndiAction implements java.security.PrivilegedExceptionAction{
       private static Logger logger = Logger.getLogger(JndiAction.class.getName());
       private UsuarioTOLDAP usuarioTOLDAP = null;
       public JndiAction(UsuarioTOLDAP usuarioTO) {
            this.usuarioTOLDAP = usuarioTO;
       public Object run() {
            performJndiOperation(usuarioTOLDAP);
            return null;
       @SuppressWarnings("unchecked")
       private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP){
            logger.info(">>>>> entrei na JndiOperation");
            try {
                 CoreConfig config = CoreConfig.getInstance();          
                 String distinguishedName = "";
                 String keystore = "C:/Documents and Settings/user/.keystore";
                 System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
                 System.setProperty("com.sun.jndi.ldap.connect.pool.timeout","30000");
                 System.setProperty("javax.net.debug","all");
                 System.setProperty("sun.security.krb5.debug","true");
                 Hashtable env = new Hashtable();
                 env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
                 env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
                 env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
                 env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                 env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                 env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE,keystore);
                 env.put("javax.security.sasl.qop","auth-int");
                 env.put("javax.security.sasl.strength","high");
                 env.put("javax.security.sasl.server.authentication","true");
                String userName = "CN=USER,"+config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
                 // Cria o contexto inicial de acesso ao LDAP
                 //DirContext ctx = new InitialDirContext(env);
                 // Create the initial directory context
                 LdapContext ctx = new InitialLdapContext(env,null);
                 //set password is a ldap modfy operation
                 ModificationItem[] mods = new ModificationItem[1];
                 //Replace the "unicdodePwd" attribute with a new value
                 //Password must be both Unicode and a quoted string
                 String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
                 byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                 // Perform the update
                 ctx.modifyAttributes(userName, mods);
                 ctx.close();
            } catch (NamingException e1) {
                 e1.printStackTrace();
            } catch (UnsupportedEncodingException e) {
                 e.printStackTrace();
            } catch (IOException e) {
                 // TODO Auto-generated catch block
                 e.printStackTrace();
  }Edited by: c0m4nch3 on Jan 21, 2010 12:13 PM

  Refer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
  Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
  Good luck.

• Java GSS API - Kerberos - Receive timed out when requesting service ticket.

  Hi,
  I'm following the following exercises about Kerberos/JGSS-API :
  http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/
  On exercise 3, I get an exception (when requesting a service ticket) from the client side:
  "+Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
  etc.+"
  This seems to happen when the GSSContext.initSecContext(...) method is called.
  The server side receives the client connection:
  "+Waiting for incoming connection...+
  +Got connection from client /xxx.xxx.x.xxx+"
  But then displays the following exception:
  "+Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
  etc.+"
  I checked my KDC (win 2003 Server SP2) and added SPNs with setspn but the error remains.
  Any suggestion are more than welcome !

  The TGT is already present on my Client machine because it is acquired automaticaly from the KDC during the Windows opening session.
  I use then JAAS to access the LSA and obtain the TGT - This doesn't need any further connection to the KDC.
  But the Service Ticket is requested to the KDC by my client machine..
  Here is the complete output (Client side) after I destroyed the tickets (with Kerberos MIT Leash.exe and/or kdestroy.exe ):
  Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  Acquire TGT from Cache
  +>>>KinitOptions cache name is C:\Documents and Settings\user.MYDOMAIN\krb5cc_user+
  +>> Acquire default native Credentials+
  +>>> Obtained TGT from LSA: Credentials:+
  [email protected]
  server=krbtgt/[email protected]
  authTime=20080529135209Z
  startTime=20080529135209Z
  endTime=20080530015209Z
  renewTill=20080702135209Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 23
  Principal is [email protected]
  Commit Succeeded
  +Authenticated principal: [[email protected]]+
  Connected to address host1/xxx.xxx.x.xxx
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
  Entered Krb5Context.initSecContext with state=STATE_NEW
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri May 30 03:52:09 CEST 2008
  Service ticket not found in the subject
  +>>> Credentials acquireServiceCreds: same realm+
  Using builtin default etypes for default_tgs_enctypes
  default etypes for default_tgs_enctypes: 3 1 23 16 17.
  +>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType+
  +>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType+
  +>>> KrbKdcReq send: kdc=yyy.yyy.y.y UDP:88, timeout=30000, number of retries =3, #bytes=1262+
  +>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =1, #bytes=1262+
  SocketTimeOutException with attempt: 1
  +>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =2, #bytes=1262+
  SocketTimeOutException with attempt: 2
  +>>> KDCCommunication: kdc=yyy.yyy.y.y UDP:88, timeout=30000,Attempt =3, #bytes=1262+
  Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
  +     at java.security.AccessController.doPrivileged(Native Method)+
  +     at javax.security.auth.Subject.doAs(Subject.java:396)+
  +     at SimpleAuthzz2.loginAndAction(SimpleAuthzz2.java:56)+
  +     at SimpleGssClient.main(SimpleGssClient.java:36)+
  SocketTimeOutException with attempt: 3
  Caused by: GSSException: No valid credentials provided (Mechanism level: Receive timed out)
  +     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:659)+
  +     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)+
  +     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)+
  +     at SimpleGssClient$GssClientAction.run(SimpleGssClient.java:121)+
  +     ... 4 more+
  Caused by: java.net.SocketTimeoutException: Receive timed out
  +     at java.net.PlainDatagramSocketImpl.peekData(Native Method)+
  +     at java.net.DatagramSocket.receive(DatagramSocket.java:662)+
  +     at sun.security.krb5.internal.UDPClient.receive(UDPClient.java:77)+
  +     at sun.security.krb5.KrbKdcReq$KdcCommunication.run(KrbKdcReq.java:278)+
  +     at java.security.AccessController.doPrivileged(Native Method)+
  +     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)+
  +     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:140)+
  +     at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:106)+
  +     at sun.security.krb5.KrbTgsReq.send(KrbTgsReq.java:215)+
  +     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:293)+
  +     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)+
  +     at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:561)+
  +     at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:585)+
  +     ... 7 more+
  It seems like the TGT is still present in the cache, even if Leash displays "no tickets".
  Meanwhile, in the KDC-server side:
  -What is the correct spn to add? C:\setspn GssServer/host1 user ? (I in fact tried many possibilities)..
  -Is there any other special configuration to do in the KDC ?
  Thanks a lot!

• InitCtx.lookup("jmx") throws strange Exception

  Hi!
  I am trying to get handle of an MBeanServer from the JVM like described
  in the Netweaver help (in reality there is still a try .. catch clause to be added):
  import javax.naming.InitialContext;
  import javax.management.MBeanServer;
  // Lookup MBeanServer from the JNDI
  InitialContext initCtx = new InitialContext();
  MBeanServer mbs = (MBeanServer) initCtx.lookup("jmx");
  But if I do that I alway get this Exception you can see below. So now I wonder do I have a problem with the configuration of my server or is the documentation of SAP wrong? Has somebody else tried something like this.
  Thanks for any hints!!
  Nils
  javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file:  java.naming.factory.initial
       at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:640)
       at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
       at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:280)
       at javax.naming.InitialContext.lookup(InitialContext.java:347)
       at M.init(M.java:33)
       at M.main(M.java:114)

  Hi Ivaylo!
  Thanks for the advice, but the thing is running on the server side and the document you refered me to says the following:
  Clients that are running on the server side do not need to specify any properties. They simply use the InitialContext constructor without parameters:
  Context ctx = new InitialContext();
  And I suppose the "Properties env" is supposed to get in "InitialContext(env);", but since I won't use this call at all ...
  Hm, it is a pity, since sometimes it would really easier not to do it remotely. Any other ideas?
  Thanks in advance,
  Nils

• Edu.mit.Kerberos.kadmind: Cannot set GSS-API authentication names.

  Its dont stop to appear in my console:
  01/12/11 01:40:02          edu.mit.Kerberos.kadmind[1387]          kadmind: Cannot set GSS-API authentication names.
  01/12/11 01:40:02          com.apple.launchd[1]          (edu.mit.Kerberos.kadmind[1387]) Exited with exit code: 1
  01/12/11 01:40:02          com.apple.launchd[1]          (edu.mit.Kerberos.kadmind) Throttling respawn: Will start in 10 seconds
  Can someone help please?
  Thanks!

  It looks like for some reason kdamind is being launched run in a sandbox (i.e. with restrictions on what it can do). Check the file /System/Library/LaunchDaemons/edu.mit.kadmind.plist; it should look a lot like this:
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>Label</key>
  <string>edu.mit.Kerberos.kadmind</string>
  <key>Program</key>
  <string>/usr/sbin/kadmind</string>
  <key>ProgramArguments</key>
  <array>
  <string>/usr/sbin/kadmind</string>
  <string>-nofork</string>
  </array>
  <key>KeepAlive</key>
  <dict>
  <key>PathState</key>
  <dict>
  <key>/Library/Preferences/edu.mit.Kerberos.kadmind.launchd</key>
  <true/>
  </dict>
  </dict>
  <key>EnableTransactions</key>
  <true/>
  </dict>
  </plist>

• How to use Kerberos & GSS-API to authenticate in Windows OS

  Hi,
  I need to use Kerberos and GSS-API authentication for user loing in my JSP/Java application against Active Directory in Windows 2003 Server.
  I have goen through one thread which is quite similar to my need, but it's used for Linux host, which u can see below.
  http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  Anyone can guide me that how to authenticate user using Kerberos again Active Directory for Windows Environment ?
  Thanking you in Advance.
  Satyam AMIN

  You can use Java GSS/Kerberos for authentication using any KDC (Solaris/Linux/Windows) provided you have setup the configuration.
  Here are the Java GSS tutorials to get started:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/index.html
  Seema

• Changing user password in Active Directory using the JNDI GSS-API/Kerberos5

  Hello,
  I am trying to the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread [*http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0*|http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0]
  but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
  *javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0*
  *If anyone can help me figure out why it doesn't work, that would be great!*
  P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
  Here's my java code:
  {code}import javax.naming.*;
  import javax.security.auth.*;
  import java.security.PrivilegedAction;
  import java.io.UnsupportedEncodingException;
  public void changeSecret((String uid, String oldPassword, String newPassword)
       throws NamingException, ACException{
  try {
       K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
       LoginContext lc = new LoginContext("marker", cb);
       lc.login();
       Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
       catch(LoginException e) {
       try {
            lc.logout();
       catch(LoginException e) {
  }ChangePasswordAction.java is:import javax.naming.*;
  import javax.naming.naming.directory.*;
  import java.io.UnsupportedEncodingException;
  private class ChangePasswordAction implements PrivilegedAction {
       private String uid;
       private String quotedOldPassword;
       private String quotedNewPassword;
       public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
            this.uid = uid;
            quotedOldPassword = "\"" + oldPassword + "\"";
            quotedNewPassword = "\"" + newPassword + "\"";
       public Object run() {
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
            env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                 DirContext ctx = new InitialDirContext(env);
                 ModificationItem[] mods = new ModificationItem[2];
                 byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
                 byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
                 mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
                 mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
                 ctx.modifyAttributes(uid, mods);
                 ctx.close();
            } catch (NamingException e) {
            } catch (UnsupportedEncodingException e) {
            return null;
  }K5CallbackHandler is:import javax.security.auth.callback.*;
  final class K5CallbackHandler
  implements CallbackHandler {
       private final String name;
       private final char[] passwd;
       public K5CallbackHandler(String nm, String pw) {
            name = nm;
            if(pw == null) {
                 passwd = new char[0];
            else {
                 passwd = pw.toCharArray();
       public void handle(Callback[] callbacks)
       throws java.io.IOException, UnsupportedCallbackException {
            for(int i = 0; i < callbacks.length; i++) {
                 if(callbacks[i] instanceof NameCallback) {
                      NameCallback cb = (NameCallback) callbacks;
                      cb.setName(name);
                 else {
                      if(callbacks[i] instanceof PasswordCallback) {
                           PasswordCallback cb = (PasswordCallback) callbacks[i];
                           cb.setPassword(passwd);
                      else {
                           throw new UnsupportedCallbackException(callbacks[i]);
  }The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
  marker {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;

  This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
  My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
  Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
  In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably string key length.
  Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding //Specify the quality of protection
  //Eg. auth-conf; confidentiality, auth-int; integrity
  //confidentiality is required to set a password
  env.put("javax.security.sasl.qop","auth-conf");
  //require high strength 128 bit crypto
  env.put("javax.security.sasl.strength","high"); in your ChangePasswordAction class.
  You may also want to enable sasl logging in your app to see what exactly is going on and you may also want to check on the Java Security forum how to configure/enforce/check both RC4-HMAC or AES is used as the Kerbeos cipher suite and that a string key length is being used.
  Good luck.

• CFLDAP GSS-API

  Anybody had any luck connecting to an AD Server via CFLDAP when it only appears to allow authentication using GSS-API?

  I'm having almost the same problem.
  I'm authenticating users against MS Active Directory: the Kerberos stuff works fine, but when I try to execute the LDAP query I get the following exception:
  javax.naming.AuthenticationException: SASL authentication failed [Root exception is java.lang.IllegalAccessError: tried to access class sun.security.krb5.KrbKdcReq from class sun.security.krb5.internal.az]
  at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:411)
  at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
  This error occurs only for a few users, while for others the code works perfectly.
  I've tried using both Sun's JDK (1.4.2_08) and BEA JRockit with the same result.
  Thanks in advance
  Alberto

• GSS-API Java Gurus

  Hi!
  Could somebody please clearify for me what's happening here:
  java.lang.IllegalArgumentException: Authentication time of ticket cannot be null
       at javax.security.auth.kerberos.KerberosTicket.init(KerberosTicket.java:279)
       at javax.security.auth.kerberos.KerberosTicket.(KerberosTicket.java:222)
       at sun.security.jgss.krb5.Krb5InitCredential.(Krb5InitCredential.java:118)
       at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:198)
       at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:107)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:584)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
  Kerberos token seems to be valid it starts with:
  60 82 09 01 06 09 2A 86 48 86 F7 12 01 02 02 01
  00 6E 82 08......
  With gssapi in c this is supposed to work....
  Thanx.

  This is what I do with the SPNEGO token before I pass it to acceptSecContext():
  byte[] spnegoBytes = new BASE64Decoder().decodeBuffer(authHeader);
  byte[] gssbytes = new String(spnegoBytes).substring(66).getBytes();
  authHeader is the base64 String following "Negotiate " in the token sent by the browser
  Using the MS doc abaout SPNEGO I calculated that the Kerberos body starts at byte 66 and runs to the end of the array. This seems to be accepted by acceptSecContext() or at least parsable but now I'm running into issues with encryption type support:
  GSSException occurred Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)

• GSS-API How to get the client-to-service ticket

  In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
  Then upon receiving these messages the TGS sends the followings to the client:
  A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
  B: Client/server session key encrypted with the client/TGS session key.
  Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
  Thanks for any help !
  Alex
  lc = new LoginContext("login-client", new TextCallbackHandler());
  lc.login();
  mysubject = lc.getSubject();
  java.util.Set principals = lc.getSubject().getPrincipals();
  java.util.Iterator iterador = principals.iterator();
  if (iterador.hasNext()){
  KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
  clientName =principal.getName();
  PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
  Subject.doAs(mysubject, generateServiceTicket);
  Set prvCredentials = lc.getSubject().getPrivateCredentials();
  for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
  KerberosTicket ticket = (KerberosTicket) i.next();
  prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
  public Object run() {
  try{
  GSSManager manager = GSSManager.getInstance();
  Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
  Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
  GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
  GSSCredential cred = manager.createCredential(usr,
  GSSCredential.DEFAULT_LIFETIME,
  krb5Mechanism,
  GSSCredential.INITIATE_ONLY);
  GSSName peerName = manager.createName(servicename,
  GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
  GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
  GSSContext.DEFAULT_LIFETIME);
  setContext.requestInteg(false);
  setContext.requestConf(false);
  byte[] inputBuf = new byte[0];
  byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
  }catch(GSSException gsse){
  gsse.printStackTrace();
  }

  In Kerberos when requesting services, the client sends the following two messages to the TGS: A composed message of the Ticket-Granting Ticket and the ID of the requested serviceand authenticator (which is composed of the client ID and the timestamp), all encrypted using the client/TGS session key.
  Then upon receiving these messages the TGS sends the followings to the client:
  A: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key.
  B: Client/server session key encrypted with the client/TGS session key.
  Now I'm wondering how to obtain A and B throught the kerberos login in GSS-API . I have the following code that I use to request a kerberized service but it returns only a KerberosTicket in PrivateCredentialsSet for the Subject. A sessionKey can also be obtained form this KerberosTicket ! Which session key is this ? the session key B described above? and Where to get the Client-to-server ticket (A) described above ?
  Thanks for any help !
  Alex
  lc = new LoginContext("login-client", new TextCallbackHandler());
  lc.login();
  mysubject = lc.getSubject();
  java.util.Set principals = lc.getSubject().getPrincipals();
  java.util.Iterator iterador = principals.iterator();
  if (iterador.hasNext()){
  KerberosPrincipal principal = (KerberosPrincipal) iterador.next();
  clientName =principal.getName();
  PrivilegedAction generateServiceTicket = new ClientAction(clientName,"[email protected]");
  Subject.doAs(mysubject, generateServiceTicket);
  Set prvCredentials = lc.getSubject().getPrivateCredentials();
  for (Iterator i = prvCredentials.iterator(); i.hasNext(); j++) {
  KerberosTicket ticket = (KerberosTicket) i.next();
  prvKrbCrds = (KerberosTicket[]) mysubject.getPrivateCredentials().toArray(new KerberosTicket[0]);
  public Object run() {
  try{
  GSSManager manager = GSSManager.getInstance();
  Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
  Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
  GSSName userName = manager.createName(pn,GSSName.NT_USER_NAME);
  GSSCredential cred = manager.createCredential(usr,
  GSSCredential.DEFAULT_LIFETIME,
  krb5Mechanism,
  GSSCredential.INITIATE_ONLY);
  GSSName peerName = manager.createName(servicename,
  GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);
  GSSContext setContext = manager.createContext(peerName, krb5Mechanism, cred,
  GSSContext.DEFAULT_LIFETIME);
  setContext.requestInteg(false);
  setContext.requestConf(false);
  byte[] inputBuf = new byte[0];
  byte[] tkt = setContext.initSecContext(inputBuf, 0, 0);
  }catch(GSSException gsse){
  gsse.printStackTrace();
  }

• JAAS and GSS-API Tutorial Question

  I am running the JAAS and GSS-API tutorial from http://java.sun.com/j2se/1.4.1/docs/guide/security/jgss/tutorials/BasicClientServer.html. I am running in a Windows 2000 Active Directory environment. It appears to be running correctly, but I have a question. Every time it is run, it asks for the User ID (it supplies a default of my current login name) and then a password. The server also asks for the same information. I am running the client and server on the same machine, so the user ID and password entered for both are identical.
  I was under the impression, however, that either GSS-API or JAAS using Kerberos would be able to obtain credentials without asking for the user ID and password, because I am already logged on. Is there something I need to change in the example do this? I am missing something else?
  Thank you.
  Craig

  Please do not reply to this posting. If you have suggestions or questions, please use http://forum.java.sun.com/thread.jsp?forum=60&thread=383862&tstart=0&trange=30 on this same topic.

• GSS API failing with java 1.6 but working with java 1.5 in jboss 3.2.6

  18:05:08,210 INFO [STDOUT] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
  18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
  18:05:08,210 INFO [STDOUT]      at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:111)
  18:05:08,213 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
  18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
  18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:42)
  18:05:08,214 INFO [STDOUT]      at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:139)
  18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.credentialForService(SSOTokenVerifier.java:324)
  18:05:08,214 INFO [STDOUT]      at com.apple.ist.ds.server.impl.snkp.SSOTokenVerifier.initialize(SSOTokenVerifier.java:97)
  18:05:08,214 INFO [STDOUT]      at com.apple.ist.saci.iphonevpn.servlet.SACIIPhoneStartUpServlet.init(SACIIPhoneStartUpServlet.java:26)
  18:05:08,214 INFO [STDOUT]      at javax.servlet.GenericServlet.init(GenericServlet.java:256)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1029)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:862)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4013)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.start(StandardContext.java:4357)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
  18:05:08,214 INFO [STDOUT]      at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
  18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  18:05:08,214 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  18:05:08,214 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
  18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
  18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
  18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
  18:05:08,215 INFO [STDOUT]      at org.apache.catalina.core.StandardContext.init(StandardContext.java:5441)
  18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  18:05:08,215 INFO [STDOUT]      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
  18:05:08,215 INFO [STDOUT]      at org.apache.commons.modeler.BaseModelMBean.invoke(BaseModelMBean.java:503)
  18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:149)
  18:05:08,215 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
  18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeployInternal(TomcatDeployer.java:316)
  18:05:08,215 INFO [STDOUT]      at org.jboss.web.tomcat.tc5.TomcatDeployer.performDeploy(TomcatDeployer.java:76)
  18:05:08,215 INFO [STDOUT]      at org.jboss.web.AbstractWebDeployer.start(AbstractWebDeployer.java:320)
  18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startModule(WebModule.java:62)
  18:05:08,215 INFO [STDOUT]      at org.jboss.web.WebModule.startService(WebModule.java:40)
  18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:271)
  18:05:08,215 INFO [STDOUT]      at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:221)
  18:05:08,215 INFO [STDOUT]      at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
  18:05:08,215 INFO [STDOUT]      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  18:05:08,215 INFO [STDOUT]      at java.lang.reflect.Method.invoke(Method.java:597)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:62)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:54)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.Invocation.invoke(Invocation.java:82)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:197)
  18:05:08,216 INFO [STDOUT]      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
  18:05:08,216 INFO [STDOUT]      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:884)
  18:05:08,216 INFO [STDOUT]      at $Proxy20.start(Unknown Source)
  18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
       at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:216)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:131)
       at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:124)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
       at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)

  18:05:08,221 INFO [STDOUT] Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
  at com.sun.security.auth.callback.TextCallbackHandler.handle(TextCallbackHandler.java:102)It seems you are providing username using a TextCallbackHandler (which is default for GSS-API). This is OK if you are writing a console program and the user can input the name in a command line prompt. If you are writing a server side program, there is no console, you need to write your own CallbackHandler to provide username.

• Export with BiarEngine.jar works, using the API it throws an exception

  Hello,
  I'm using BiarEngine.jar to export from my CMS. it works fine.
  Now I want to use the API to get someting more handy, but I receive an exception (NoSuchFieldError) as if I had a mismatch between versions.
  I'm stuck with it, if somebody has an idea...
  Thanks a lot.
  Alain
  Here is the java code:
  IExportOptions oExportOptions = BIARFactory.getFactory().createExportOptions();
  oExportOptions.setIncludeSecurity(false);
  oExportOptions.setIncludeDependencies(true);
  oExportOptions.setCallback(
       new IExportCallback()
            public void onSuccess(int id)      {...}
            public void onFailure(int id, BIARException biarException) {...};
  BIAROutput oBIAROutput = new BIAROutput( oEntrepriseSession, "c:\myFile.biar", exportOptions );
  At this point it throws the exception:
  Exception in thread "main" java.lang.NoSuchFieldError: SI_MODELCUID_SET
       at com.businessobjects.sdk.plugin.desktop.deltastore.internal.DeltaStore.setupProperties(DeltaStore.java:188)
       at com.businessobjects.sdk.plugin.desktop.deltastore.internal.DeltaStore.unpack(DeltaStore.java:37)
       at com.crystaldecisions.sdk.occa.infostore.internal.al.continueUnpack(Unknown Source)
       at com.crystaldecisions.sdk.occa.infostore.internal.al.startUnpack(Unknown Source)
       at com.crystaldecisions.sdk.occa.infostore.internal.InternalInfoStore.queryHelper(Unknown Source)
       at com.crystaldecisions.sdk.occa.infostore.internal.InternalInfoStore.query(Unknown Source)
       at com.crystaldecisions.sdk.occa.infostore.internal.at.query(Unknown Source)
       at com.businessobjects.sdk.biar.internal.XSDManager$RepositoryXSD.retrieveXSDVersions(XSDManager.java:204)
       at com.businessobjects.sdk.biar.internal.XSDManager$RepositoryXSD.<init>(XSDManager.java:194)
       at com.businessobjects.sdk.biar.internal.XSDManager$XSDCache.getXSD(XSDManager.java:365)
       at com.businessobjects.sdk.biar.internal.XSDManager.<init>(XSDManager.java:55)
       at com.businessobjects.sdk.biar.BIAROutput.<init>(BIAROutput.java:73)

  >
  Just need to confirm if the ANT script can be run against individual OSB project than OSB configuration project?
  >
  It is possible. I'm going the same way here. However, I remember I needed to contact support because it was not a standard feature of the Ant task. They provided me with the patch that allowed me to use -configSubProjects parameter in export.
  >
  Can we have multiple OSB configuration projects on the OSB server ?
  >
  I don't think so.

• Problems with basic authentication example

  I am trying to run the basic authentication example from the Professional JSP book (Chapter 16) although for some reason I continue to get "AUTHENTICATION MECHANISM NULL" instead of "AUTHENTICATION MECHANISM BASIC". I do not even get the pop-up window with the prompt for Username and Password. I am running Tomcat 4.0-dev and have tried to access the login window by pointing the browser to the appropriate file:
  //localhost:8080/ch16-basic/index.jsp
  Still not login window???
  I have added the extra user and password to the tomcat-users.xml file (username="projsp" password="projsp" roles="superuser")
  Still no luck????
  Could someone please let me know what could possibly be going wrong.
  Thank you!!!!

  The index.jsp is:
  <html>
  <head>
  <title>Protected Area Page</title>
  </head>
  <body>
  <%
  out.println("<H2>Authentication Mechanism "+ request.getAuthType() +" </H2>" );
  %>
  </body>
  </html>
  The tomcat-users.xml is:
  <!--
  NOTE: By default, no user is included in the "manager" role required
  to operate the "/manager" web application. If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
  -->
  <tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="projsp" password="projsp" roles="superuser" />
  </tomcat-users>
  And the web.xml is:
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">
  <web-app>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>Entire Application</web-resource-name>
  <url-pattern>/*</url-pattern>
  </web-resource-collection>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ProJSP Authentication Example</realm-name>
  </login-config>
  </web-app>
  WHY ISN"T THIS WORKING!!!!

• Error: Unable to load the GSS-API Shared Library

  Hi all,
  I'm trying to install a working copy of SAP on a Debian Etch host. I've tried all versions available here: ftp://ftp.sap.com/pub/sapgui/java/  (710 r[2-6])  The jar installer completes successfully without error, but when I attempt to launch the application, I'm greeted with the same critical error each time. Here's my connection string:
  conn=/M/my-server-hostname/S/3610/G/PRD_GENERIC&sncon=true&sncqop=3
  Here's my (Sun) java version:
  java version "1.6.0_06"
  Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
  Java HotSpot(TM) Server VM (build 10.0-b22, mixed mode)
  Here's the full error message:
  Error: Unable to load the GSS-API Shared Library
  named "sncgss.so"
  Fri Nov 21 16:07:25 2008
  Release 710
  Component SNC (Secure Network Communication), version 5
  rc = -1, module sncxxdl_mt.c, line 342
  Detail SncPDLInit
  System Call dlopen
  Is there a software dependency I might be missing? This is my first attempt at installing SAP on a Linux host, so there may be something else even more obvious that I'm not seeing...
  Thanks in advance for any help you can provide.
  -Eric

  Hi,
  one solution should be to set the env variable $SNC_LIB to you libseude.so, e.g.
  $>setenv SNC_LIB /usr/sap/<sid>/SYS/exe/run/libsecude.o (or wherever the lib resides)
  and then restart guilogon.
  Also, as fas as I know, SAPGUI has issues with Java 6, so I would rather go with Java 5 or 1.4.2.
  Oliver Stabel