Mechanism level: Checksum failed
Hello everyone, I hope that you can help me. I have problems with the examples of JGSS. The log is:
GSSServer:
Config name: C:\WINDOWS\krb5.ini
KeyTabInputStream, readName(): HIPER.COM.PE
KeyTabInputStream, readName(): developer
KeyTab: load() entry length: 56; type: 17
KeyTabInputStream, readName(): HIPER.COM.PE
KeyTabInputStream, readName(): developer
KeyTab: load() entry length: 56; type: 23
KeyTabInputStream, readName(): HIPER.COM.PE
KeyTabInputStream, readName(): developer
KeyTab: load() entry length: 64; type: 16
KeyTabInputStream, readName(): HIPER.COM.PE
KeyTabInputStream, readName(): developer
KeyTab: load() entry length: 48; type: 3
KeyTabInputStream, readName(): HIPER.COM.PE
KeyTabInputStream, readName(): developer
KeyTab: load() entry length: 48; type: 1
Added key: 1version: 1
Added key: 3version: 1
Added key: 16version: 1
Added key: 23version: 1
Added key: 17version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 17 23 16 3 1.
0: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
0000: E2 4B DD 17 2F 34 55 E6 BB 78 33 85 28 90 52 3C .K../4U..x3.(.R<
1: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
0000: 25 F1 43 85 EE 17 82 BB 71 FE E1 E5 83 5D 63 0F %.C.....q....]c.
2: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
0000: 31 04 E0 F8 F4 CB 57 89 C1 13 B3 15 20 A1 10 64 1.....W..... ..d
0010: 16 57 CB 57 01 D9 F8 67
3: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
0000: 70 38 0E 49 73 2A 57 51
4: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=
0000: 70 38 0E 49 73 2A 57 51
default etypes for default_tkt_enctypes: 17 23 16 3 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=192.168.61.2 UDP:88, timeout=30000, number of retries =3, #bytes=152
KDCCommunication: kdc=192.168.61.2 UDP:88, timeout=30000,Attempt =1, #bytes=152
KrbKdcReq send: #bytes read=626
KrbKdcReq send: #bytes read=626
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply developer
Authenticated principal: [[email protected]]
Found key for [email protected](1)
Found key for [email protected](23)
Found key for [email protected](16)
Found key for [email protected](17)
Found key for [email protected](3)
Waiting for incoming connection...
Got connection from client /192.168.61.66
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at com.hiper.jgss.Jaas.loginAndAction(Jaas.java:95)
at com.hiper.jgss.GssServer.main(GssServer.java:89)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at com.hiper.jgss.GssServer$GssServerAction.run(GssServer.java:168)
... 4 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 7 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 13 more
Java Result: 1
GSSClient:
run:
KinitOptions cache name is C:\Documents and Settings\cgamarra\krb5cc_cgamarra
DEBUG <CCacheInputStream> client principal is [email protected]
DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
DEBUG <CCacheInputStream> key type: 23
DEBUG <CCacheInputStream> auth time: Wed Jan 16 17:56:16 COT 2008
DEBUG <CCacheInputStream> start time: Wed Jan 16 17:56:16 COT 2008
DEBUG <CCacheInputStream> end time: Thu Jan 17 03:56:16 COT 2008
DEBUG <CCacheInputStream> renew_till time: Wed Dec 31 19:00:00 COT 1969
CCacheInputStream: readFlags() INITIAL;Host address is /192.168.61.66
DEBUG <CCacheInputStream>
KrbCreds found the default ticket granting ticket in credential cache.
Obtained TGT from LSA: Credentials:[email protected]
server=krbtgt/[email protected]
authTime=20080116225616Z
startTime=20080116225616Z
endTime=20080117085616Z
renewTill=19700101000000Z
flags: INITIAL
EType (int): 23
Authenticated principal: [[email protected]]
Connected to address cgamarra/192.168.61.66
Config name: C:\WINDOWS\krb5.ini
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Thu Jan 17 03:56:16 COT 2008
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Thu Jan 17 03:56:16 COT 2008
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17 23 16 3 1.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=192.168.61.2 UDP:88, timeout=30000, number of retries =3, #bytes=596
KDCCommunication: kdc=192.168.61.2 UDP:88, timeout=30000,Attempt =1, #bytes=596
KrbKdcReq send: #bytes read=569
KrbKdcReq send: #bytes read=569
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbApReq: APOptions are 00100000 00000000 00000000 00000000
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 372002863
Created InitSecContextToken:
Exception in thread "main" java.security.PrivilegedActionException: java.net.SocketException: Connection reset
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at com.hiper.jgss.Jaas.loginAndAction(Jaas.java:100)
at com.hiper.jgss.GssClient.main(GssClient.java:103)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at java.net.SocketInputStream.read(SocketInputStream.java:182)
at java.io.DataInputStream.readInt(DataInputStream.java:370)
at com.hiper.jgss.GssClient$GssClientAction.run(GssClient.java:203)
... 4 more
Java Result: 1
Does anyone know how to fix the exception: Mechanism level: Checksum failed ?
Thanks.
Looks like the client's target and the server do not match, maybe not the same principal.
The JGSS tutorials start the server side program using a service principal, which looks like host/[email protected]. As I read from your debug output, your server program's principal is [email protected], which is a normal user principal.
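Why a principal mismatch surfaces as "Checksum failed" rather than a clearer error, shown as an added example that is not part of the original posts or of the JDK: the KDC encrypts the service ticket with the key of the principal the client asked for, and the acceptor can only verify it with that same key. The sketch follows the rc4-hmac (etype 23) construction of RFC 4757; the two keys, the ticket contents and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

TICKET_KEY_USAGE = 2  # RFC 4120 key usage: ticket encrypted with the service key


class ChecksumFailed(Exception):
    """Raised when the HMAC over the decrypted data does not match."""


def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def _rc4(key, data):
    # Plain RC4: key scheduling followed by keystream XOR.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key, usage, plaintext, confounder=None):
    """RFC 4757 non-export encryption: checksum || RC4(confounder || data)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, body)
    k3 = _hmac_md5(k1, checksum)
    return checksum + _rc4(k3, body)


def rc4_hmac_decrypt(key, usage, ciphertext):
    """Decrypt and verify; a wrong key yields garbage and a checksum mismatch."""
    if len(ciphertext) < 24:
        raise ValueError("ciphertext shorter than checksum + confounder")
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, encrypted = ciphertext[:16], ciphertext[16:]
    body = _rc4(_hmac_md5(k1, checksum), encrypted)
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        raise ChecksumFailed("Checksum failed")
    return body[8:]  # strip the 8-byte confounder


# Constructed sample keys (not taken from any keytab on this page).
SERVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # key of the service principal
USER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")     # key of an unrelated user principal

# Constructed stand-in for the encrypted part of a service ticket.
TICKET_PLAINTEXT = b"constructed ticket for host/server.example.test"
TICKET = rc4_hmac_encrypt(SERVICE_KEY, TICKET_KEY_USAGE, TICKET_PLAINTEXT)


def try_accept(ticket, acceptor_key):
    """What the acceptor sees when it decrypts the ticket with its own key."""
    try:
        rc4_hmac_decrypt(acceptor_key, TICKET_KEY_USAGE, ticket)
        return "accepted"
    except ChecksumFailed as exc:
        return str(exc)


if __name__ == "__main__":
    print("acceptor holds the service key:", try_accept(TICKET, SERVICE_KEY))
    print("acceptor holds a user key:     ", try_accept(TICKET, USER_KEY))
```

The same symptom appears when the key is for the right principal but stale, for example a keytab generated before the account's password was changed.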
Similar Messages
-
Checksum failed and some newbie questiions
Hi people,
I have tried the GSS-API without JAAS tutorial for java 1.5 at http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html with that config:
1) Environment config:
- JDK 1.5.0 update 11
- Windows XP pro against Active Directory on a Windows Server
2) The bcsLogin.conf jaas config file exactly as it appears in the tutorial
3) My krb5.conf file:
[libdefaults]
default_realm = MYCOMPANY.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
MYCOMPANY.COM = {
kdc = MYCOMPANY.COM
admin_server = MYCOMPANY.COM
default_domain = MYCOMPANY.COM
}
[domain_realm]
MYCOMPANY = MYCOMPANY.COM
4) Parameters for the SampleServer program:
Program arguments
4444
VM arguments
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=krb5.conf
-Djava.security.auth.login.config=bcsLogin.conf
5) Parameters for the SampleClient program:
Program arguments
krbtgt localhost 4444
VM arguments
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=krb5.conf
-Djava.security.auth.login.config=bcsLogin.conf
After executing it I obtained the below checksum exception:
Checksum failed !
Exception in thread "main" java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at SampleServer.main(SampleServer.java:121)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at SampleServer.main(SampleServer.java:118)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
... 3 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:387)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 9 more
Apart from help for the exception itself I have some questions:
1- For the SampleClient program I use krbtgt as the server name but I don't know exactly why this works. Other values don't work and I don't know exactly what this server name is, who creates it, etc. I would be grateful for some explanation about it
2- I use the same username-password (mine) for authentication in the SampleServer and in the SampleClient, is that correct?
Thank you very much in advance.
Hello wangwj,
I don't know what you want to say exactly with "trying the username you used for ServerClient".
In the SampleServer code (I believe that you refer it as ServerClient) there is no place where I can give a username (apart from my credentials when I do a login).
Debugging SampleClient the program generates the next error when I use a server name different from krbtgt:
KRBError: sTime is Fri Mar 09 09:32:16 CET 2007 1173429136000
suSec is 407323
error code is 7
error Message is Server not found in Kerberos database
realm is ADGBS.COM
sname is V442596
eData provided.
msgType is 30
When I use krbtgt as the server name all goes ok for the client (well, it shows an error but is expected):
KRBError: sTime is Fri Mar 09 09:42:33 CET 2007 1173429753000
suSec is 711423
error code is 52
error Message is Response too big for UDP, retry with TCP
realm is ADGBS.COM
sname is krbtgt
msgType is 30
After that:
1) It's possible that I have to create a new server account in Kerberos and pass his username to the client parameter?
2) In the first post I wrote it shows a checksum exception. I have read that it's needed that Active Directory configures to DES encryption for interoperability. Someone knows something about that?
Thanks in advance,
-
Checksum failed while authenticating via Kerberos
Hi All,
I am having a problem getting authentication using kerberos to work, I get the message checksum failed. The environment is Windows 2008 Server as DC and IE 8 as client and the application is running inside JBoss (in this case I am using the negotiation-toolkit) and the following trace is in the server.log. Can someone point me in the right direction for solving this problem, I've configured two local environments using w2k3 and w2k8 which are both working just fine but in the customers network it fails with the following trace:
2011-03-30 11:33:21,845 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:{}
2011-03-30 11:33:21,846 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8888-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2011-03-30 11:33:21,846 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Authenticating user
2011-03-30 11:33:21,846 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Header - Negotiate
2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-0.0.0.0-8888-1)
2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-0.0.0.0-8888-1)
2011-03-30 11:33:21,848 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) associate 176127440
2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Begin isValid, principal:FFE8282EB0A470619839BBD7EDF16A5E, cache info: null
2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) defaultLogin, principal=FFE8282EB0A470619839BBD7EDF16A5E
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(SPNEGO), size=13
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
ControlFlag: LoginModuleControlFlag: requisite
Options:
name=serverSecurityDomain, value=host
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=usersProperties, value=props/spnego-users.properties
name=rolesProperties, value=props/spnego-roles.properties
name=password-stacking, value=useFirstPass
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) initialize
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
2011-03-30 11:33:21,850 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) serverSecurityDomain=host
2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) login
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(host), size=13
2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principal, value=host/[email protected]
name=useKeyTab, value=true
name=storeKey, value=true
name=keyTab, value=/DATA/jbossserver.host.keytab
name=debug, value=true
name=doNotPrompt, value=true
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /DATA/jbossserver.host.keytab refreshKrb5Config is false principal is host/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) KeyTab instance already exists
2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Added key: 23version: 4
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Ordering keys wrt default_tkt_enctypes list
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) principal's key obtained from the keytab
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Acquire TGT using AS Exchange
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq calling createMessage
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq in createMessage
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000, number of retries =3, #bytes=158
2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KDCCommunication: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000,Attempt =1, #bytes=158
2011-03-30 11:33:21,853 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsRep cons in KrbAsReq.getReply host/jbossserver
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) principal is host/[email protected]
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Added server's keyKerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule] added Krb5Principal host/[email protected] to Subject
2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Commit Succeeded
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Subject = Subject:
Principal: host/[email protected]
Private Credential: Ticket (hex) =
0000: 61 82 01 1F 30 82 01 1B A0 03 02 01 05 A1 13 1B a...0...........
0120: 9E 96 D4 ...
Client Principal = host/[email protected]
Server Principal = krbtgt/[email protected]
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 81 5B 77 9E C3 74 46 AC 87 26 B0 00 5C B6 56 6E .[w..tF..&..\.Vn
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Wed Mar 30 11:33:17 CEST 2011
Start Time = Wed Mar 30 11:33:17 CEST 2011
End Time = Wed Mar 30 21:33:17 CEST 2011
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Logged in 'host' LoginContext
2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Creating new GSSContext.
2011-03-30 11:33:21,866 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/[email protected](23)
2011-03-30 11:33:21,867 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2011-03-30 11:33:21,868 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
2011-03-30 11:33:21,869 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
2011-03-30 11:33:21,870 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
2011-03-30 11:33:21,870 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 35 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 41 more
2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule]: Entering logout
2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1) [Krb5LoginModule]: logged out Subject
2011-03-30 11:33:21,872 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) abort
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) initialize
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-users.properties, defaults=null
2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[]
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-roles.properties, defaults=null
2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[[email protected], [email protected]]
2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) abort
2011-03-30 11:33:21,872 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Login failure
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
2011-03-30 11:33:21,873 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) End isValid, false
2011-03-30 11:33:21,873 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) clear 176127440
2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null
2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null

Thanks! That did the trick.
For those who aren't sure what we're talking about, here are the details. In the inspector tab of the user's record in Workgroup Manager, there's an item called AuthenticationAuthority. For servers that use Kerberos, it should have at least two attributes, one for ApplePasswordServer and one for Kerberos.
The Kerberos entry should look something like this:
;Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;[email protected];
MYSERVER.MYDOMAIN.COM;1024 35 1501888096699469040706569854027123220425732604738787130135110270232071940183724 3
78199029604219894640418726569868666187867257570714183982184166144733112632082318
21356466533532379022305132046121848691642928615842396713606475071069113591094835
025483043226511805720826544139932983788313141311383927555379596135211 [email protected]:123.45.67.89
When you copy the attribute from a working user, there are two items that need to be changed (assuming you have only one Kerberos realm). The first item is the long string of letters and numbers after ;Kerberosv5; in the first line. That's the user's UUID. The second is the user's short name ("fred" in the example above). The easiest way to make the changes is to paste the attribute into a text editor (TextEdit, or TextWrangler if you have it). Copy the user's UUID from the problematic account, and paste it over the one in the text you previously copied and pasted. Then change the short name to match the problematic user. Then copy the entire block from your text editor, select AuthenticationAuthority and click the New Value button. Click in the Text: field and paste. The Hex field will take care of itself. Click OK, then Save your changes.
Of course, before you start making changes like this to your directory, make sure you have a good backup to revert to in case something gets messed up. -
Terrible error with kerberos, win2003 - Checksum failed!
Now I'm trying to use CAS SSO with Kerberos for authentication.
I did all the settings by the instructions; see this tutorial: http://www.ja-sig.org/wiki/display/CASUM/SPNEGO.
So, the error is: Failure unspecified at GSS-API level (Mechanism level: Checksum failed).
I guess there is a problem with the encryption type, but I don't know how to resolve it. Please help.
My stack trace is shown below:
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
... 75 more
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 77 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 83 more

Thank you for advice, my friend.
I have analyzed the info in the TGS-REQ request, but I could not find any SPN in it.
Please see this screenshot and tell me: where is the needed SPN in the ticket?
Here is my full configuration:
[logging]
[libdefaults]
    ticket_lifetime = 24000
    default_realm = MYCORP.KUBA
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
[realms]
    MYCORP.KUBA = {
        kdc = mycorp.kuba:88
        admin_server = mycorp.kuba:749
        default_domain = mycorp.kuba
    }
[domain_realm]
    .mycorp.kuba = MYCORP.KUBA
    mycorp.kuba = MYCORP.KUBA
[domain_realm]
    .mycorp.kuba = MYCORP.KUBA
[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
p:jcifsDomainController="xxx"
p:jcifsNetbiosWins="xxx"
p:jcifsServicePrincipal="HTTP/MYUSER.mycorp.kuba"
p:jcifsServicePassword="secret"
p:useSubjectCredsOnly="true"
p:kerberosDebug="true"
p:kerberosRealm="MYCORP.KUBA"
p:kerberosKdc="xxx"
p:kerberosConf="c:/winnt/krb5.conf"
p:loginConf="C:/mypath/WEB-INF/login.conf"
/>
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule
    required
    debug=true
    realm="MYCORP.KUBA"
    principal="HTTP/MYUSER.mycorp.kuba"
    storeKey=true
    doNotPrompt=false
    client=true
    refreshKrb5Config=true
    storePass=true
    isInitiator=false
    useKeyTab=true
    useTicketCache=false
    keyTab="c:\a.keytab";
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule
    required
    debug=true
    realm="MYCORP.KUBA"
    principal="HTTP/MYUSER.mycorp.kuba"
    storeKey=true
    doNotPrompt=false
    client=true
    refreshKrb5Config=true
    storePass=true
    isInitiator=false
    useKeyTab=true
    useTicketCache=false
    keyTab="c:\a.keytab";
};
setspn -A HTTP/MYUSER.mycorp.kuba myuser
ktpass -out a.keytab -princ HTTP/[email protected] -pass secret -mapuser [email protected] -ptype krb5_nt_principal -crypto RC4-HMAC-NT

What is wrong with it? Please correct it if you can. -
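One way to check what a keytab such as a.keytab actually holds (principal, key version, encryption type) and compare it with the etype and kvno of the failing service ticket. This is an added Python example, not code from the thread; the sample keytab bytes, the key values, the ticket kvno/etype values and the function names are constructed for illustration, and the ticket values are assumed to be read from a packet capture.

```python
import struct

# Kerberos encryption type numbers; 23 (rc4-hmac) is the type handled by
# ArcFourHmacEType in the stack trace above.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def _parse_entry(rec):
    """Decode one keytab record (file format version 0x0502, big-endian)."""
    pos = 0

    def take(fmt):
        nonlocal pos
        (value,) = struct.unpack_from(fmt, rec, pos)
        pos += struct.calcsize(fmt)
        return value

    def counted():
        nonlocal pos
        length = take(">H")
        data = rec[pos:pos + length]
        pos += length
        return data

    n_components = take(">H")          # the realm is not counted in 0x0502
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(n_components))
    take(">I")                         # name type (unused here)
    take(">I")                         # timestamp (unused here)
    kvno = take(">B")                  # 8-bit key version number
    etype = take(">H")
    key = counted()
    if len(rec) - pos >= 4:            # optional 32-bit kvno, wins if non-zero
        kvno = take(">I") or kvno
    return {"principal": name + "@" + realm, "kvno": kvno, "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "key_len": len(key)}


def parse_keytab(blob):
    """Return all live entries; negative sizes mark deleted entries (holes)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        if pos + size > len(blob):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(blob[pos:pos + size]))
        pos += size
    return entries


def check_ticket(entries, principal, ticket_etype, ticket_kvno):
    """Say whether the keytab holds the key the ticket was encrypted with."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return "no entry for principal"
    same_etype = [e for e in mine if e["etype"] == ticket_etype]
    if not same_etype:
        return "no key of etype %d" % ticket_etype
    if not any(e["kvno"] == ticket_kvno for e in same_etype):
        return "kvno mismatch"
    return "match"


def _entry(principal, realm, kvno, etype, key):
    """Build one record for the constructed sample below."""
    rec = struct.pack(">H", principal.count("/") + 1)
    for part in [realm] + principal.split("/"):
        rec += struct.pack(">H", len(part)) + part.encode()
    rec += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    rec += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(rec)) + rec


# Constructed sample: two keys for the page's SPN plus one deleted entry.
SPN, REALM = "HTTP/MYUSER.mycorp.kuba", "MYCORP.KUBA"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(SPN, REALM, 3, 23, bytes(range(16)))
                 + struct.pack(">i", -10) + bytes(10)
                 + _entry(SPN, REALM, 3, 17, bytes(range(16, 32))))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], "kvno", e["kvno"], e["etype_name"])
```
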
ASO - checksum fail with JDBC thin client on Windows
I'm trying to configure Oracle Advanced Security for SQL Developer. I'm using SQL Developer 1.5.1 (downloaded with the included JDK). When configuring the connection I select Connection Type: Advanced. My JDBC URL is:
jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=hostname.com)(port=1234))(connect_data=(service_name=DVLP)(SQLNET.ENCRYPTION_CLIENT=REQUESTED)(SQLNET.ENCRYPTION_TYPES_CLIENT=AES256)(SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUESTED)(SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=MD5)))
This works great in Linux. But on a fully patched Windows XP machine when I try to connect I get "Io exception: Checksum fail Vendor code 17002"
Note that this is only a problem with the thin client. If I use the OCI client (jdbc:oracle:oci:@....) it works fine.
Also note that the db to which I'm trying to connect is a 10g database with these sqlnet.ora parameters:
#ASO Encryption
sqlnet.encryption_server=required
sqlnet.encryption_client=required
sqlnet.encryption_types_server=(AES256,3DES168,3DES112)
sqlnet.encryption_types_client=(AES256,3DES168,3DES112)
#ASO Checksum
sqlnet.crypto_checksum_server=requested
sqlnet.crypto_checksum_client=requested
sqlnet.crypto_checksum_types_server = (MD5)
sqlnet.crypto_checksum_types_client = (MD5)
SQLNET.INBOUND_CONNECT_TIMEOUT_LSNR1251=120
# Require clients to be Oracle 10g or higher
SQLNET.ALLOWED_LOGON_VERSION = 10
Has anyone else seen this?
Thanks for your help!

As a test I created a simple Java program to connect to the db. I used the same ojdbc5.jar that is shipped with SQL Developer. My test program ran fine. So it would seem the problem is SQL Developer specific.
The class:
import java.sql.*;

public class testJDBC_ASO {
    public static void main(String[] args) throws SQLException {
        DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
        Connection conn = DriverManager.getConnection(
            "jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=hostname.com)(port=1234))(connect_data=(service_name=DVLP)(SQLNET.ENCRYPTION_CLIENT=REQUESTED)(SQLNET.ENCRYPTION_TYPES_CLIENT=AES256)(SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUESTED)(SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=MD5)))",
            "username", "password");
        Statement stmt = conn.createStatement();
        // Print the version banner to confirm the connection works
        ResultSet rset = stmt.executeQuery("select BANNER from SYS.V_$VERSION");
        while (rset.next())
            System.out.println(rset.getString(1));
        stmt.close();
        conn.close();
    }
}
The output:
C:>java -cp ojdbc5.jar;. testJDBC_ASO
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bi
PL/SQL Release 10.2.0.3.0 - Production
CORE 10.2.0.3.0 Production
TNS for Solaris: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production
Edited by: RichardJQ on Oct 31, 2008 1:52 PM -
RABAX: level LEV_RX_WRITE_SNAP failed
Hello,
I am performing some tests in our SAP system on HP UX, Oracle. One of these tests includes cancelling a WP with core so it generates an ABAP dump. The WP gets cancelled, but no dump information is being written. In the WP trace file, I see this information. Something to do with RABAX and LEV_RX_WRITE_SNAP failed. I also deleted some entries from the SNAP table using the standard background job, but that did not help either.
PLEASE help!
======================
M PfStatDisconnect: disconnect statistics
M Entering TH_CALLHOOKS
M ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP
M TrThHookFunc: called for WP dump
M ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP
M ThrSaveSPAFields: save spa fields
M Entering ThSetStatError
M ThIErrHandle: don't try rollback again
M ThIErrHandle: call ThrCoreInfo
A RABAX in unkown environment: task_type=0, run level=8, rabax state=80000000 ztta_task_type=0
( 0) 0x40000000017503ec CTrcStack2 + 0x2bc [dw.sapRP1_DVEBMGS10]
( 1) 0x4000000001750120 CTrcStack + 0x18 [dw.sapRP1_DVEBMGS10]
( 2) 0x4000000001db5c78 rabax_CStackSave__Fv + 0x100 [dw.sapRP1_DVEBMGS10]
( 3) 0x4000000001dc22bc ab_rabax + 0x1e1c [dw.sapRP1_DVEBMGS10]
( 4) 0x4000000001db5734 ab_CoreInfo + 0xd4 [dw.sapRP1_DVEBMGS10]
( 5) 0x4000000000e90e34 ThrCoreInfo + 0x14 [dw.sapRP1_DVEBMGS10]
( 6) 0x4000000001041818 ThIErrHandle + 0x15e8 [dw.sapRP1_DVEBMGS10]
( 7) 0x400000000104021c ThErrHandle + 0x24 [dw.sapRP1_DVEBMGS10]
( 8) 0x400000000112a3e4 ThSigHandler + 0xa4 [dw.sapRP1_DVEBMGS10]
( 9) 0x4000000000b3d790 SigIGenAction + 0x668 [dw.sapRP1_DVEBMGS10]
(10) 0xc0000000002f9398 sigreturn [/usr/lib/pa20_64/libc.2]
(11) 0xc0000000002ff2ec semopsys + 0x2c [/usr/lib/pa20_64/libc.2]
(12) 0xc000000000306ecc semop + 0xcc [/usr/lib/pa20_64/libc.2]
(13) 0x4000000000ee5348 WtRstOsEvt + 0x68 [dw.sapRP1_DVEBMGS10]
(14) 0x4000000000ee5c4c EvtWtRst + 0xcc [dw.sapRP1_DVEBMGS10]
(15) 0x4000000001054eb8 ThRqWaitFor + 0x3a0 [dw.sapRP1_DVEBMGS10]
(16) 0x40000000010305dc ThRqAccept + 0x200c [dw.sapRP1_DVEBMGS10]
(17) 0x400000000103421c ThReceive + 0x57c [dw.sapRP1_DVEBMGS10]
(18) 0x4000000001028fdc TskhLoop + 0x13dc [dw.sapRP1_DVEBMGS10]
(19) 0x4000000001021ba8 tskhstart + 0x1e0 [dw.sapRP1_DVEBMGS10]
(20) 0x4000000000dccfe4 DpMain + 0x484 [dw.sapRP1_DVEBMGS10]
(21) 0x4000000002276bfc nlsui_main + 0x14 [dw.sapRP1_DVEBMGS10]
(22) 0x4000000000a38154 main + 0x14 [dw.sapRP1_DVEBMGS10]
(23) 0xc00000000000a770 $START$ + 0xa0 [/usr/lib/pa20_64/dld.sl]
A TH VERBOSE LEVEL FULL
M SigIRegisterRoutine: handler for signal 11 installed (ab_catch_dumperror)
M SigIRegisterRoutine: handler for signal 10 installed (ab_catch_dumperror)
A ** RABAX: level LEV_RX_WRITE_SYSLOG entered.
A ** RABAX: level LEV_RX_WRITE_SYSLOG completed.
A ** RABAX: level LEV_RX_WRITE_SNAP entered.
M SigIRegisterRoutine: handler for signal 10 installed (ab_catch_dumperror)
A ** RABAX: level LEV_RX_WRITE_SNAP failed.
============================================

Hello,
Has no one come across this error?
It is only that the SYSTEM_CORE_DUMPED error does not get registered; other dumps are visible. What is the core dump doing differently from the others?
Please help with this error.
Thanks -
SPNEGO(Checksum Failed), wfetch succeed
I have tried to visit my web server, SPNEGO enabled with JAAS.
If I connect with wfetch, it always works.
If I try to connect with IE, sometimes it works and sometimes it fails.
I don't have any idea now. I need help; it is urgent!
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 49 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 55 more

The JAAS login always succeeds, but the action fails and reports "checksum failed".
If the request is sent from wfetch, then the action succeeds, so I guessed there must be a difference between the request sent from IE and the one from wfetch. That wfetch works means there is no big mistake. I created the account, set the SPN, and generated the keytab file with Microsoft ktpass or Java ktab. I checked everything quite carefully, and sometimes it did work for IE, but sometimes it failed. Even when I did not make any change and just restarted Tomcat, the result may change from success to failure.
Is there anybody who got JAAS to work properly with a Microsoft domain and IE?
Edited by: waynelou on Mar 19, 2009 7:22 PM -
Webutil get error wut-115 checksum failed
We are trying to use the file upload function from the webutil package. We are trying to upload a simple text file into a blob failed and we get the following error: wut-115 checksum failed. We have initialized the blob field to an empty blob but we still get the error. What causes this error to occur, and what is the best way to try to resolve the issue?
Regards,
Robert

Duncan:
We tried the package in the reverse direction and everything works fine. We are able to take a file stored in a blob column and download it to the client machine. However, we still cannot upload a file to a blob column in the database from a client machine. We tried this on multiple PCs. We have a webutil schema, and in that schema we have the webutil_db package. This compiles fine. When we invoke our forms we log in as the webutil user. Our webutil.cfg file is enabled true to allow database downloads. We are able to get every other functionality to work so far in the webutil package that we tried except for this one. Do you have any suggestions or would even take the time to direct connect in to see the problem?
Also, we will need this package to work in the JVM environment; currently we have webutil working using jinit. We do a lot of work for the navy and army and JVM is the only allowed method we can use for our forms. I have heard that this package is not supported in the native JVM environment. This will hurt the prospects of many military and governmental applications due to them not allowing software installed on the client machine. After all, that is why we are using Java servlets and Oracle over the web for them to access their application.
Regards,
Robert -
Decrypting encPart example? Checksum failed
I'm trying to decrypt the encrypted data part of the Kerberos ticket. My understanding of the algorithm is where I believe I'm mixed up somewhere (all code is server side):
1) The login context on the server side provides a Subject which contains the private key of the server when storeKey=true in the configuration, of type KerberosKey. This is the key that can be used to decrypt the EncryptedPart of the client's ticket.
LoginContext lc = new LoginContext(LCONF_SVR, new TextCallbackHandler());
lc.login();
Subject sub = lc.getSubject();
// Get KerberosKey from private creds
for (Iterator i = sub.getPrivateCredentials().iterator(); i.hasNext();) {
    Object o = i.next();
    if (o instanceof KerberosKey) {
        svrPrivKey = (KerberosKey)o;
        break;
    }
}
2) This KerberosKey can be used to create an EncryptionKey:
EncryptionKey privKey = new EncryptionKey(svrPrivKey.getEncoded(),
                                          svrPrivKey.getKeyType(),
                                          svrPrivKey.getVersionNumber());
2) When con.requestCredDeleg(true) on the client side, after con.isEstablished()==true, con.getDelegCred() on the server side returns a GSSCredentials which, along with con.getSrcName(), can create a Subject that contains the client's KerberosTicket in its private credentials.
Subject delegSub = GSSUtil.getSubject(con.getSrcName(), con.getDelegCred());
Set<KerberosTicket> tickets = delegSub.getPrivateCredentials(KerberosTicket.class);
3) The KerberosTicket EncryptedPart can be decrypted using the server's EncryptedKey above, with "usage = 2":
for (Iterator ti = tickets.iterator(); ti.hasNext();) {
    KerberosTicket kbrTicket = (KerberosTicket)ti.next();
    Ticket ticket = new Ticket(kbrTicket.getEncoded());
    encTicketPart = new EncTicketPart(ticket.encPart.decrypt(privKey, 2));
}
There's something wrong with my understanding, as I am always getting "KrbException: Checksum Failed." from the decrypt, from down in sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt. (Where can I get the source for sun.security.krb5 packages for debugging, btw?).
Where am I going wrong? Can someone point me to example code that shows how to get from a KerberosTicket to an EncTicketPart?
Thanks!
B Atkins

Here is how I get the AP-REQ out of the byte[] received on the socket from the Client:
/**
 * Parses the token received from the Client
 * (GSS-API InitialContextToken)
 * Encoding: ASN.1 DER
 */
private byte[] parseToken(byte[] token) throws Exception {
    DerInputStream dis = new DerInputStream(token);
    // get the GSS sequence (set is the same, and has constructed flag)
    DerValue[] values = dis.getSet(token.length, true);
    // Look for the AP_REQ tag [APPLICATION 14] (constructed)
    for (int i=0; i<values.length; i++) {
        DerValue value = values[i];
        if (value.isConstructed((byte)14)) {
            value.resetTag(DerValue.tag_Set);
            return parseApReq(value.toDerInputStream(), value.length());
        }
    }
    throw new Exception("No AP-REQ found in GSS InitialContextToken");
}
Here's the parsing of that AP-REQ:
/**
 * Parses the AP-REQ PDU, which is the innerContextToken of
 * the GSS InitialToken.
 * Encoding: ASN.1/DER
 */
private byte[] parseApReq(DerInputStream dis, int len) throws Exception {
    // get the AP_REQ sequence (set is the same, and has constructed flag)
    byte apOptions = 0;
    DerValue ticket = null;
    DerValue[] values = dis.getSet(len, true);
    for (int i=0; i<values.length; i++) {
        DerValue value = values[i];
        if (value.isContextSpecific((byte)2)) {
            // Get the bit string encapsulated in the
            // context specific outer element.
            apOptions = value.getData().getDerValue().getBitString()[0];
        }
        else if (value.isContextSpecific((byte)3)) {
            // Get the value encapsulated in the
            // context specific outer element.
            ticket = value.getData().getDerValue();
        }
    }
    if (ticket == null)
        throw new Exception("No Ticket found in AP-REQ PDU");
    return getAuthorizationData(new Ticket(ticket), serverSub, apOptions);
}
Here's the part that extracts the encPart and decrypts it. The server subject passed in is from the LoginContext.getSubject() on the server side, after lc.login().
/**
 * Decrypt the EncryptedData into EncTicketPart
 * Encoding: ASN.1/DER
 */
private byte[] getAuthorizationData(Ticket ticket, Subject svrSub, byte ops)
        throws Exception {
    EncryptionKey key;
    if (useSessionKey(ops))
        key = getSessionKey(svrSub);
    else
        key = getPrivateKey(svrSub);
    byte[] cleartext = ticket.encPart.decrypt(key, 2);
    if (cleartext.length <= 0)
        throw new Exception("zero length decrypt");
    EncTicketPart encPart = new EncTicketPart(cleartext);
    byte[] authPac = parseAuthData(encPart.authorizationData.asn1Encode(), 1);
    return parseAuthData(authPac, 128);
}
Here's the key handling part, where *both* the Session and Private keys are acquired:
private EncryptionKey getSessionKey(Subject sub) throws Exception {
    KerberosCreds creds = getKrbCreds(sub);
    SecretKey secKey = creds.ticket.getSessionKey();
    return new EncryptionKey(secKey.getEncoded(), 23, new Integer(2));
}
private EncryptionKey getPrivateKey(Subject sub) throws Exception {
    KerberosCreds creds = getKrbCreds(sub);
    return new EncryptionKey(creds.key.getEncoded(),
                             creds.key.getKeyType(),
                             new Integer(2));
}
/**
 * Get credentials (KerberosKey and/or KerberosTicket) from a
 * Subject
 */
private KerberosCreds getKrbCreds(Subject sub) {
    // Get the Client's Kerberos ticket from the private credentials
    // of the subject.
    KerberosCreds ret = new KerberosCreds();
    Set<Object> creds = sub.getPrivateCredentials(Object.class);
    for (Iterator<Object> i = creds.iterator(); i.hasNext();) {
        Object cred = i.next();
        if (cred instanceof KerberosTicket)
            ret.ticket = (KerberosTicket)cred;
        if (cred instanceof KerberosKey)
            ret.key = (KerberosKey)cred;
    }
    return ret;
}
As you can see, this has turned a GSS implementation into something that's very Kerberos (and AD, for that matter) specific.
Edited by: batkins on Feb 22, 2008 12:14 PM
Edited by: batkins on Feb 22, 2008 12:17 PM -
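Why decrypting a ticket's encPart with anything other than the exact key (and key usage) it was encrypted under surfaces as "Checksum failed": an added Python sketch of the RC4-HMAC (etype 23) scheme from RFC 4757 with key usage 2, as in the decrypt(key, 2) calls above. It is not code from this thread or from the JDK; the keys, plaintext and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


class ChecksumFailed(Exception):
    """Raised at the point where the JDK reports 'Checksum failed'."""


def rc4(key, data):
    """RC4 keystream XOR; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


def _usage_key(key, usage):
    # RFC 4757: K1 = HMAC-MD5(K, usage as 4 little-endian bytes).
    # Usages 3 and 9 are remapped to 8; tickets use 2, which is unchanged.
    usage = {3: 8, 9: 8}.get(usage, usage)
    return _hmac_md5(key, usage.to_bytes(4, "little"))


def encrypt(key, usage, plaintext, confounder=None):
    """Return checksum(16) || RC4(K3, confounder(8) || plaintext)."""
    k1 = _usage_key(key, usage)
    body = (confounder or os.urandom(8)) + plaintext
    checksum = _hmac_md5(k1, body)
    k3 = _hmac_md5(k1, checksum)
    return checksum + rc4(k3, body)


def decrypt(key, usage, cipher):
    """Decrypt, then recompute the HMAC; any key mismatch fails here."""
    if len(cipher) < 24:
        raise ChecksumFailed("Checksum failed")
    k1 = _usage_key(key, usage)
    checksum, encrypted = cipher[:16], cipher[16:]
    body = rc4(_hmac_md5(k1, checksum), encrypted)
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        raise ChecksumFailed("Checksum failed")
    return body[8:]                     # strip the confounder


def try_keys(cipher, usage, candidates):
    """Return {label: 'ok' or 'Checksum failed'} for each candidate key."""
    results = {}
    for label, key in candidates.items():
        try:
            decrypt(key, usage, cipher)
            results[label] = "ok"
        except ChecksumFailed as exc:
            results[label] = str(exc)
    return results


# Constructed 16-byte keys, as used for etype 23.
SERVICE_KEY_CURRENT = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVICE_KEY_OLD = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SESSION_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")


def demo():
    """The KDC encrypts the ticket under the service's current long-term key."""
    enc_part = encrypt(SERVICE_KEY_CURRENT, 2, b"constructed EncTicketPart")
    by_key = try_keys(enc_part, 2, {
        "service key, current kvno": SERVICE_KEY_CURRENT,
        "service key, old kvno": SERVICE_KEY_OLD,
        "session key": SESSION_KEY,
    })
    wrong_usage = try_keys(enc_part, 11, {"current key, usage 11": SERVICE_KEY_CURRENT})
    return by_key, wrong_usage


if __name__ == "__main__":
    for outcome in demo():
        for label, status in outcome.items():
            print(label, "->", status)
```
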
Verification failed / checksum failed
Hi,
This problem started just yesterday. I wanted to download (and later install) Firefox 4. When I downloaded the dmg, it says (in the "download manager window"): verification failed. Or when I tried it with Chrome, it said: checksum failed.
So I thought I'd download a new Safari. But I get the same problem...
Anyone any ideas?

Try [repairing the hard drive with Disk Utility|http://support.apple.com/kb/TS1417].
-
How to replace message in the forms when table level constraint fails!!
Hello all,
I have a table-level constraint in the database.
When the constraint fails I get a message in the forms like
"ORA-00001 : UInique Constraint (CYAN.FA_JV_DTL_PK) violated"
I know I can replace this message by using an on-error trigger,
but for this I have to write an on-error trigger in all my forms.
Is there any shortcut at the database level,
so I can map my messages for each and every constraint?
By doing that, the database should send a user-defined message to the form instead of the built-in database messages.
From
Chirag Patel
Nairobi

Chirag,
I think this is English. I couldn't understand what exactly you want. Can you explain by not using short words and right spellings. I might help you.
Thanks
Ghulam -
Error - MLB Boot ROM FFFE0000 Checksum failed
I managed to get hold of Apples testing software and ran some over night tests on my Mac Pro 2008 model.
I have the same 12 errors from 17 passes but haven't had a chance to examine the manual.
Does anyone know what the error means?
error - MLB Boot ROM FFFE0000 Checksum failed

Mac Pro EFI Firmware Update 1.3
http://netkas.org -
Item-level targeting failing intermittently
We have an OU with a GPP that pushes autologon keys for our kiosks. The GPP works by initially logging in with a kiosk user account that matches the name of the computer account; the GPP then sets the autologon keys, and after a reboot or logoff the machine auto-logs on after that. It has worked great for many months.
Since we recently increased our password security, we could no longer use the shorter password for new kiosks without a painful work-around for our end-user support group.
To make things easy, we added an additional GPP reg key for defaultpassword and utilized “Item-Level Targeting” within the existing GPO/GPP (see images below).
Last week we tested this change successfully by adding a new kiosk and rebooting both new and existing PCs. All existing kiosk accounts were members of the PasswordComplexityDisabled group. This group is our fine-grained password policy that permits legacy complexity and password length.
On Monday we got flooded with calls that the autologon wasn't working. I reverted the item-level targeting entries and put the GPO back to its original state, and the calls subsided. Before doing so, however, when we investigated problem machines, the strange thing we noticed was that we could log in with the original shorter password if we supplied it manually, and after that autologon worked fine. We also checked that the account in question was a member of the PasswordComplexityDisabled group. We are at a loss as to why the key seems to have been blanked or set with the wrong key even though the account was a member of the correct group and the ILT logic was correct.
Any ideas?
David W King

> There is nothing in the computer scope of the GPO that could have
> conflicted (we also link this same KIOSK GPO to the Computer OU) so I'm
> at a loss at what could have affected this defaultpassword key. Again
> the strange thing is that once the older/shorter password was supplied
> manually/interactively the GPP processed and then autologon resumed
> working.
One thing that comes to mind: The defaultpassword entry has to be
written to the registry BEFORE the user logs on, so if you try to change
it through a user policy, it will not really work...
Maybe carefully examining a RSoP results or modeling report will reveal
what was going on?
Martin
How about reading a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
_root level methods failing when using movieClipLoader
man wouldn't have a clue why, using onloadInit BELOW, doesn't listen to simple button methods addressed to the _root movieClip, the script for this frame on the root mc is below, any help please
It works fine offline, but when on server the button response just doesn't work
www.kevindauth.com and go to port Folio/ then top right graphic to load animation, try pressing the right buttons as it loads, it just fails, maybe best to check code below first thanks
kD:-)
stop();
var heartPlacer = this.createEmptyMovieClip("container2", "101");
var heart_mc:MovieClipLoader = new MovieClipLoader();
var preload2 = new Object();
heart_mc.addListener(preload2);
preload2.onLoadStart = function(targetMC) {
    heartPlacer._x=95;
    trace("started loading "+targetMC);
    container2._visible = false;
    bar_mc._visible = true;
};
preload2.onLoadProgress = function(targetMC, lBytes, tBytes) {
    bar_mc._width = (lBytes/tBytes)*100;
};
preload2.onLoadComplete = function(targetMC) {
    text._visible = false;
    bar_mc._visible = false;
    container2._visible = true;
    loadingNow._visible = false;
    oneToUnload._visible=false;
    trace(targetMC+" finished");
};
heart_mc.loadClip("heartSpinning.swf", "container2");
_root.arrow_btn.onRelease=function(){
    trace("tjisjao");
};
//preload2.onLoadInit = function(target:MovieClip) {
_root.sun2_btn.onRelease=function(){ //fails
    heart_mc.unloadClip(target); //fails
    var newVar:MovieClipLoader = new MovieClipLoader(); //fails
    newVar.loadClip("workExNew.swf","targetMC"); //FAILS
};
//_root.med_btn.onRelease=function(){
//getURL("http://66.7.197.27/~kevindau/meditation.htm","_blank");

Just answered that one:
http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=15&catid=288&threadid=1192673&enterthread=y
But in your case: you need an object to listen for the MovieClipLoader events. So, use the current object as a listener...
in the constructor:
myloader = new MovieClipLoader();
myloader.addListener(this);
Then use private methods to capture the events:
private function onLoadInit(target:MovieClip){
and so on. -
RMAN 0 level backup failed while releasing channels at end.
In an RMAN level 0 backup, when it's about to finish, it reports an error while releasing channels. It backed up about 98% of the datafiles.
Is this backup usable? We cannot afford to take the backup again, as it's a big terabyte database.
Please suggest.
Thanks in advance.
Aj.

Do you have release statements in the script?
From 9i onwards Oracle releases the channels automatically upon backing up, so you can remove the release channel lines if you have them and try it.