Mechanism level: Checksum failed

Similar Messages

• Checksum failed and some newbie questiions

  Hi people,
  I have tried the GSS-API without JAAS tutorial for java 1.5 at http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/BasicClientServer.html with that config:
  1) Environment config:
  - JKD 1.5.0 update 11
  - Windows XP pro against Active Directory on a Windows Server
  2) The bcsLogin.conf jaas config file exactly as it appears in the tutorial
  3) My krb5.conf file:
          [libdefaults]
                  default_realm = MYCOMPANY.COM
                  default_tkt_enctypes = rc4-hmac
                  default_tgs_enctypes = rc4-hmac
          [realms]
                  MYCOMPANY.COM = {
                          kdc = MYCOMPANY.COM
                          admin_server = MYCOMPANY.COM
                          default_domain = MYCOMPANY.COM
          [domain_realm]
                  MYCOMPANY = MYCOMPANY.COM4) Parameters for the SampleServer program:
  Program arguments
  4444
  VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Djava.security.krb5.conf=krb5.conf
  -Djava.security.auth.login.config=bcsLogin.conf
  5) Parameters for the SampleClient program:
  Program arguments
  krbtgt localhost 4444
  VM arguments
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Djava.security.krb5.conf=krb5.conf
  -Djava.security.auth.login.config=bcsLogin.conf
  After executing it I obtained the below checksum exception:
  Checksum failed !
  Exception in thread "main" java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at SampleServer.main(SampleServer.java:121)
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
       at SampleServer.main(SampleServer.java:118)
  Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
       ... 3 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:387)
       at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
       ... 9 moreApart from help for the exception itselft I have some questions:
  1-     For the SampleClient program I use krbtgt as the server name but I don�t know exactly why this works. Other values don�t work and I don�t know exactly what this server name is, who creates it, etc. I would be grateful for some explanation about it
  2-     I use the same username-password (mine) for authentication in the SampleServer and in the SampleClient, is that correct?
  Thank you very much in advance.

  Hello wangwj,
  I don�t know what you want to say exactly with �trying the username you used for ServerClient�.
  In the SampleServer code (I believe that you refer it as ServerClient) there is no place where I can give a username (apart from my credentials when I do a login).
  Debugging SampleClient the program generates the next error when I use a server name different from krbtgt:
  KRBError:      sTime is Fri Mar 09 09:32:16 CET 2007 1173429136000
        suSec is 407323
        error code is 7
        error Message is Server not found in Kerberos database
        realm is ADGBS.COM
        sname is V442596
        eData provided.
        msgType is 30When I use krbtgt as the server name all goes ok for the client (well, it shows an error but is expected):
  KRBError:      sTime is Fri Mar 09 09:42:33 CET 2007 1173429753000
        suSec is 711423
        error code is 52
        error Message is Response too big for UDP, retry with TCP
        realm is ADGBS.COM
        sname is krbtgt
        msgType is 30After that:
  1) It�s possible that I have to create a new server account in Kerberos and pass his username to the client parameter?
  2) In the first post I wrote it shows a checksum exception. I have read that It�s needed that Active Directoy configures to DES encryption for interoperability. Someone knows something about that?
  Thanks in advance,

• Checksum failed while authenticating via Kerberos

  Hi All,
  I having a problem getting authentication using kerberos to work, I get the message checksum failed. The environment is Windows 2008 Server as DC and IE 8 as client and the application is running inside JBoss (in this case I am using the negotiation-toolkit) and the following trace is in the server.log. Can someone point me in the right direction for solving this problem, i've configured two local environments using w2k3 and w2k8 which are both working just fine but in the customers network it fails with the following trace:
  l
  2011-03-30 11:33:21,845 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:{}
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-0.0.0.0-8888-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
  2011-03-30 11:33:21,846 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Authenticating user
  2011-03-30 11:33:21,846 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-0.0.0.0-8888-1) Header - Negotiate 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-0.0.0.0-8888-1) 2011-03-30 11:33:21,847 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-0.0.0.0-8888-1)2011-03-30 11:33:21,848 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) associate 176127440
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Begin isValid, principal:FFE8282EB0A470619839BBD7EDF16A5E, cache info: null
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) defaultLogin, principal=FFE8282EB0A470619839BBD7EDF16A5E
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(SPNEGO), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
  ControlFlag: LoginModuleControlFlag: requisite
  Options:
  name=serverSecurityDomain, value=host
  name=password-stacking, value=useFirstPass
  [1]
  LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=usersProperties, value=props/spnego-users.properties
  name=rolesProperties, value=props/spnego-roles.properties
  name=password-stacking, value=useFirstPass
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,850 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) serverSecurityDomain=host
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) login
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) Begin getAppConfigurationEntry(host), size=13
  2011-03-30 11:33:21,850 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-0.0.0.0-8888-1) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
  [0]
  LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
  ControlFlag: LoginModuleControlFlag: required
  Options:
  name=principal, value=host/[email protected]
  name=useKeyTab, value=true
  name=storeKey, value=true
  name=keyTab, value=/DATA/jbossserver.host.keytab
  name=debug, value=true
  name=doNotPrompt, value=true
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /DATA/jbossserver.host.keytab refreshKrb5Config is false principal is host/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) KeyTab instance already exists
  2011-03-30 11:33:21,850 INFO [STDOUT] (http-0.0.0.0-8888-1) Added key: 23version: 4
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Ordering keys wrt default_tkt_enctypes list
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) principal's key obtained from the keytab
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Acquire TGT using AS Exchange
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) Using builtin default etypes for default_tkt_enctypes
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) default etypes for default_tkt_enctypes:
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 3
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 1
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 23
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 16
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) 17
  2011-03-30 11:33:21,851 INFO [STDOUT] (http-0.0.0.0-8888-1) .
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq calling createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsReq in createMessage
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000, number of retries =3, #bytes=158
  2011-03-30 11:33:21,852 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KDCCommunication: kdc=rm-hq-dc1.shipyard.local UDP:88, timeout=30000,Attempt =1, #bytes=158
  2011-03-30 11:33:21,853 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbKdcReq send: #bytes read=633
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,854 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> KrbAsRep cons in KrbAsReq.getReply host/jbossserver
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) principal is host/[email protected]
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Added server's keyKerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule] added Krb5Principal host/[email protected] to Subject
  2011-03-30 11:33:21,855 INFO [STDOUT] (http-0.0.0.0-8888-1) Commit Succeeded
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Subject = Subject:
       Principal: host/[email protected]
       Private Credential: Ticket (hex) =
  0000: 61 82 01 1F 30 82 01 1B A0 03 02 01 05 A1 13 1B a...0...........
  0120: 9E 96 D4 ...
  Client Principal = host/[email protected]
  Server Principal = krbtgt/[email protected]
  Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 81 5B 77 9E C3 74 46 AC 87 26 B0 00 5C B6 56 6E .[w..tF..&..\.Vn
  Forwardable Ticket false
  Forwarded Ticket false
  Proxiable Ticket false
  Proxy Ticket false
  Postdated Ticket false
  Renewable Ticket false
  Initial Ticket false
  Auth Time = Wed Mar 30 11:33:17 CEST 2011
  Start Time = Wed Mar 30 11:33:17 CEST 2011
  End Time = Wed Mar 30 21:33:17 CEST 2011
  Renew Till = null
  Client Addresses Null
       Private Credential: Kerberos Principal host/[email protected] Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Logged in 'host' LoginContext
  2011-03-30 11:33:21,858 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Creating new GSSContext.
  2011-03-30 11:33:21,866 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/[email protected](23)
  2011-03-30 11:33:21,867 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
  2011-03-30 11:33:21,868 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  2011-03-30 11:33:21,869 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
  2011-03-30 11:33:21,870 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
  2011-03-30 11:33:21,870 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
  GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:337)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
       ... 35 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
       at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
       at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
       ... 41 more
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: Entering logout
  2011-03-30 11:33:21,871 INFO [STDOUT] (http-0.0.0.0-8888-1)           [Krb5LoginModule]: logged out Subject
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) initialize
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Security domain: SPNEGO
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-users.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) findResource: null
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Properties file=vfsfile:/DATA/jboss-5.1.0.GA/server/default/conf/props/spnego-roles.properties, defaults=null
  2011-03-30 11:33:21,872 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) Loaded properties, users=[[email protected], [email protected]]
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-0.0.0.0-8888-1) abort
  2011-03-30 11:33:21,872 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) Login failure
  javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-0.0.0.0-8888-1) End isValid, false
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-0.0.0.0-8888-1) clear 176127440
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null
  2011-03-30 11:33:21,873 TRACE [org.jboss.security.SecurityRolesAssociation] (http-0.0.0.0-8888-1) Setting threadlocal:null

  Thanks! That did the trick.
  For those who aren't sure what we're talking about, here are the details. In the inspector tab of the user's record in Workgroup Manager, there's an item called AuthenticationAuthority. For servers that use Kerberos, it should have at least two attributes, one for ApplePasswordServer and one for Kerberos.
  The Kerberos entry should look something like this:
  ;Kerberosv5;0x4de7dafb19f92bf00000008b0000207c;[email protected];
  MYSERVER.MYDOMAIN.COM;1024 35 1501888096699469040706569854027123220425732604738787130135110270232071940183724 3
  78199029604219894640418726569868666187867257570714183982184166144733112632082318
  21356466533532379022305132046121848691642928615842396713606475071069113591094835
  025483043226511805720826544139932983788313141311383927555379596135211 [email protected]:123.45.67.89
  When you copy the attribute from a working user, there are two items that need to be changed (assuming you have only one kerberos realm). The first item is the long string of letters and numbers after ;Kerberosv5; in the first line. That's the user's UUID. The second is the user's short name ("fred" in the example above). The easiest way to make the changes is to paste the attribute into a text editor (TextEdit, or TextWrangler if you have it). Copy the user's UUID from the problematic account, and paste it over the one in the text you previously copied and pasted. Then change the short name to match the problematic user. Then copy the entire block from your text editor, select AuthenticationAuthority and click the New Value button. Click in the Text: field and paste. The Hex field will take care of itself. Click OK, then Save your changes.
  Of course before you start making changes like this to your directory, make sure you have a good back up to revert back to in case something gets messed up.

• Terrible error with kerberos, win2003 - Checksum failed!

  Now i'm trying to use CAS SSO with kerberos for authentication.
  I done all settings by instruction, see this tutorial http://www.ja-sig.org/wiki/display/CASUM/SPNEGO.
  So, the error is: Failure unspecified at GSS-API level (Mechanism level: Checksum failed).
  I guess, there is a problem with encryption type, but i don't know how to resolve it. Please help
  My stacktrace shown below:
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level:
  Checksum failed)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:
  741)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java
  :323)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java
  :267)
          ... 75 more
  Caused by: KrbException: Checksum failed
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:85)
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:77)
          at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
          at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
          at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken
  .java:79)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:
  724)
          ... 77 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
          at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCry
  pto.java:388)
          at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.jav
  a:74)
          at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:83)
          ... 83 more

  Thank you for advice, my friend.
  I have analyzed info in TGS-REQ request, but i could not find any SPN in it.
  Please see this screenshot and say me: where is needed SPN in ticket?
  Here is my full configuration:
  [logging]
  [libdefaults]
  ticket_lifetime = 24000
  default_realm = MYCORP.KUBA
  dns_lookup_kdc = true
  dns_lookup_realm = true
  default_tkt_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = rc4-hmac des3-hmac-sha1 des-cbc-crc
  [realms]
  MYCORP.KUBA = {
  kdc = mycorp.kuba:88
  admin_server = mycorp.kuba:749
  default_domain = mycorp.kuba
  [domain_realm]
  .mycorp.kuba = MYCORP.KUBA
  mycorp.kuba = MYCORP.KUBA
  [domain_realm]
  .mycorp.kuba = MYCORP.KUBA
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
            p:jcifsDomainController="xxx"
            p:jcifsNetbiosWins="xxx"
            p:jcifsServicePrincipal="HTTP/MYUSER.mycorp.kuba"
            p:jcifsServicePassword="secret"
            p:useSubjectCredsOnly="true"
            p:kerberosDebug="true"
            p:kerberosRealm="MYCORP.KUBA"
            p:kerberosKdc="xxx"
            p:kerberosConf="c:/winnt/krb5.conf"
            p:loginConf="C:/mypath/WEB-INF/login.conf"
       />
  jcifs.spnego.initiate {
     com.sun.security.auth.module.Krb5LoginModule
     required
     debug=true
     realm="MYCORP.KUBA"
     principal="HTTP/MYUSER.mycorp.kuba"
     storeKey=true
     doNotPrompt=false
     client=true
     refreshKrb5Config=true
     storePass=true
     isInitiator=false
     useKeyTab=true
     useTicketCache=false
     keyTab="c:\a.keytab"
  jcifs.spnego.accept {
     com.sun.security.auth.module.Krb5LoginModule
     required
     debug=true
     realm="MYCORP.KUBA"
     principal="HTTP/MYUSER.mycorp.kuba"
     storeKey=true
     doNotPrompt=false
     client=true
     refreshKrb5Config=true
     storePass=true
     isInitiator=false
     useKeyTab=true
     useTicketCache=false
     keyTab="c:\a.keytab"
  setspn -A HTTP/MYUSER.mycorp.kuba myuser
  ktpass -out a.keytab -princ HTTP/[email protected] -pass secret -mapuser [email protected] -ptype krb5_nt_principal -crypto RC4-HMAC-NTWhat is wrong with it? Please correct it if you can?

• ASO - checksum fail with JDBC thin client on Windows

  I'm trying to configure Oracle Advanced Security for SQL Developer. I'm using SQL Developer 1.5.1 (downloaded with the included JDK). When configuring the connection I select Connection Type: Advanced. My JDBC URL is:
  jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=hostname.com)(port=1234))(connect_data=(service_name=DVLP)(SQLNET.ENCRYPTION_CLIENT=REQUESTED)(SQLNET.ENCRYPTION_TYPES_CLIENT=AES256)(SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUESTED)(SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=MD5)))
  This works great in Linux. But on a fully patched Windows XP machine when I try to connect I get "Io exception: Checksum fail Vendor code 17002"
  Note that this is only a problem with the thin client. If I use the OCI client (jdbc:oracle:oci:@....) it works fine.
  Also note that the db to which I'm trying to connect is a 10g database with these sqlnet.ora parameters:
  #ASO Encryption
  sqlnet.encryption_server=required
  sqlnet.encryption_client=required
  sqlnet.encryption_types_server=(AES256,3DES168,3DES112)
  sqlnet.encryption_types_client=(AES256,3DES168,3DES112)
  #ASO Checksum
  sqlnet.crypto_checksum_server=requested
  sqlnet.crypto_checksum_client=requested
  sqlnet.crypto_checksum_types_server = (MD5)
  sqlnet.crypto_checksum_types_client = (MD5)
  SQLNET.INBOUND_CONNECT_TIMEOUT_LSNR1251=120
  # Require clients to be Oracle 10g or higher
  SQLNET.ALLOWED_LOGON_VERSION = 10
  Has anyone else seen this?
  Thanks for your help!

  As a test I created a simple Java program to connect to the db. I used the same ojdbc5.jar that is shipped with sql developer. My test program ran fine. So it would seem the problem is SQL Developer specific.
  The class:
  import java.sql.*;
  public class testJDBC_ASO {
  public static void main(String[] args) throws SQLException {
  DriverManager.registerDriver (new oracle.jdbc.OracleDriver());
  Connection conn = DriverManager.getConnection
  ("jdbc:oracle:thin:@(description=(address=(protocol=tcp)(host=hostname.com)(port=1234))(connect_data=(service_name=DVLP)(SQLNET.ENCRYPTION_CLIENT=REQUESTED)(SQLNET.ENCRYPTION_TYPES_CLIENT=AES256)(SQLNET.CRYPTO_CHECKSUM_CLIENT=REQUESTED)(SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT=MD5)))",
  "username", "password");
  Statement stmt = conn.createStatement();
  ResultSet rset = stmt.executeQuery("select BANNER from SYS.V_$VERSION");
  while (rset.next())
  System.out.println (rset.getString(1)); /
  stmt.close();
  The output:
  C:>java -cp ojdbc5.jar;. testJDBC_ASO
  Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bi
  PL/SQL Release 10.2.0.3.0 - Production
  CORE 10.2.0.3.0 Production
  TNS for Solaris: Version 10.2.0.3.0 - Production
  NLSRTL Version 10.2.0.3.0 - Production
  Edited by: RichardJQ on Oct 31, 2008 1:52 PM

• RABAX: level LEV_RX_WRITE_SNAP failed

  Hello,
  I am performing some tests in our SAP system on HP UX, Oracle. One of this test includes cancelling a wp with core so it generates an ABAP dump. The WP gets cancelled, but No dump information is being written. In the WP trace file, I see this information. Something to do with RABAX and LEV_RX_WRITE_SNAP failed. I also deleted some entries from SNAP table using standard background job, but that did not help either.
  PLEASE help!
  ======================
  M  PfStatDisconnect: disconnect statistics                                                           
  M  Entering TH_CALLHOOKS                                                                             
  M  ThCallHooks: call hook >SAP-Trace buffer write< for event BEFORE_DUMP                             
  M  TrThHookFunc: called for WP dump                                                                  
  M  ThCallHooks: call hook >ThrSaveSPAFields< for event BEFORE_DUMP                                   
  M  ThrSaveSPAFields: save spa fields                                                                 
  M  Entering ThSetStatError                                                                           
  M  ThIErrHandle: don't try rollback again                                                            
  M  ThIErrHandle: call ThrCoreInfo                                                                    
  A  RABAX in unkown environment: task_type=0, run level=8, rabax state=80000000 ztta_task_type=0      
  ( 0)  0x40000000017503ec   CTrcStack2 + 0x2bc  [dw.sapRP1_DVEBMGS10]
  ( 1)  0x4000000001750120   CTrcStack + 0x18  [dw.sapRP1_DVEBMGS10]
  ( 2)  0x4000000001db5c78   rabax_CStackSave__Fv + 0x100  [dw.sapRP1_DVEBMGS10]
  ( 3)  0x4000000001dc22bc   ab_rabax + 0x1e1c  [dw.sapRP1_DVEBMGS10]
  ( 4)  0x4000000001db5734   ab_CoreInfo + 0xd4  [dw.sapRP1_DVEBMGS10]
  ( 5)  0x4000000000e90e34   ThrCoreInfo + 0x14  [dw.sapRP1_DVEBMGS10]
  ( 6)  0x4000000001041818   ThIErrHandle + 0x15e8  [dw.sapRP1_DVEBMGS10]
  ( 7)  0x400000000104021c   ThErrHandle + 0x24  [dw.sapRP1_DVEBMGS10]
  ( 8)  0x400000000112a3e4   ThSigHandler + 0xa4  [dw.sapRP1_DVEBMGS10]
  ( 9)  0x4000000000b3d790   SigIGenAction + 0x668  [dw.sapRP1_DVEBMGS10]
  (10)  0xc0000000002f9398   sigreturn  [/usr/lib/pa2064/libc.2]
  (11)  0xc0000000002ff2ec   semopsys + 0x2c  [/usr/lib/pa20_64/libc.2]
  (12)  0xc000000000306ecc   semop + 0xcc  [/usr/lib/pa2064/libc.2]
  (13)  0x4000000000ee5348   WtRstOsEvt + 0x68  [dw.sapRP1_DVEBMGS10]
  (14)  0x4000000000ee5c4c   EvtWtRst + 0xcc  [dw.sapRP1_DVEBMGS10]
  (15)  0x4000000001054eb8   ThRqWaitFor + 0x3a0  [dw.sapRP1_DVEBMGS10]
  (16)  0x40000000010305dc   ThRqAccept + 0x200c  [dw.sapRP1_DVEBMGS10]
  (17)  0x400000000103421c   ThReceive + 0x57c  [dw.sapRP1_DVEBMGS10]
  (18)  0x4000000001028fdc   TskhLoop + 0x13dc  [dw.sapRP1_DVEBMGS10]
  (19)  0x4000000001021ba8   tskhstart + 0x1e0  [dw.sapRP1_DVEBMGS10]
  (20)  0x4000000000dccfe4   DpMain + 0x484  [dw.sapRP1_DVEBMGS10]
  (21)  0x4000000002276bfc   nlsui_main + 0x14  [dw.sapRP1_DVEBMGS10]
  (22)  0x4000000000a38154   main + 0x14  [dw.sapRP1_DVEBMGS10]
  (23)  0xc00000000000a770   $START$ + 0xa0  [/usr/lib/pa20_64/dld.sl]            
  A  TH VERBOSE LEVEL FULL                                                         
  M  SigIRegisterRoutine: handler for signal 11 installed (ab_catch_dumperror)     
  M  SigIRegisterRoutine: handler for signal 10 installed (ab_catch_dumperror)     
  A  ** RABAX: level LEV_RX_WRITE_SYSLOG entered.                                 
  A  ** RABAX: level LEV_RX_WRITE_SYSLOG completed.                          
  A  ** RABAX: level LEV_RX_WRITE_SNAP entered.                              
  M  SigIRegisterRoutine: handler for signal 10 installed (ab_catch_dumperror)
  A  ** RABAX: level LEV_RX_WRITE_SNAP failed.
  ============================================

  Hello,
  No one has come across this error?
  It is only that the SYSTEM_CORE_DUMPED error does not get registered, other Dumps are visible. What is the core dump doing different that the others?
  Please help with this error
  Thanks

• SPNEGO(Checksum Failed), wfetch succeed

  I have tried to visit my web server, SPNEGO enabled with JAAS.
  If I connect with wfetch, it always work.
  if I try to connect by IE, sometimes it work, sometimes it failed.
  I don't have any idea now, I need help, it is urgent!
  Caused by: KrbException: Checksum failed
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:85)
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:77)
  at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
  at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
  at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
  at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken
  .java:79)
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:
  724)
  ... 49 more
  Caused by: java.security.GeneralSecurityException: Checksum failed
  at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCry
  pto.java:388)
  at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.jav
  a:74)
  at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHma
  cEType.java:83)
  ... 55 more

  JAAS login always succeed, but action fails and report "checksum failed".
  If the quest is sent from wfetch, then action succeed, so I had guessed there must be difference between the request sent from IE and from wfetch.wfetch work means there is not big mistake, I create account, set spn , generate keytab file with Microsoft ktpass or Java ktab, I had checked everything quite carefully and sometimes it did work for IE, but sometimes It failed. Even I did not make any change, just restart the tomcat, the result may change from success to failure.
  Is there anybody who did get the JAAS work properly with Microsoft domain and IE?
  Edited by: waynelou on Mar 19, 2009 7:22 PM

• Webutil get error wut-115 checksum failed

  We are trying to use the file upload function from the webutil package. We are trying to upload a simple text file into a blob failed and we get the following error wut-115 checksum failed. we have initialized the blob field to an empty blob but we still get the error. what causes this error to occurr and what is the best way to try to resolve the issue.
  regards,
  Robert

  Duncan:
  we tried the package in the reverse direction and everything works fine. We are able to take a file stored in a blob column and download it to the client machine. However we still can not upload a file to a blob column in the database from a client machine. We tried this on multiple pc's. We have a webutil schema and in that schema we have the webutil_db package. this compiles fine. when we invoke our forms we log in as the webutil user. our webutil.cfg file is enabled true to allow database downloads. We are able to get every other functionality to work so far in the webutil package that we tried except for this one. Do you have any suggestions or would even take the time to direct connect in to see the problem?
  Also we will need this package to work in the JVM environment currently we have webutil working using jinit. We do alot of work for the navy and army and JVM is the only allowed method we can use for our forms. I have heard that this package is not supported in the native JVM environment. This will hurt the prospects of many military and governmental applications due to them not allowing software installed on the client machine. After all that is why we are using java servlets and oracle over the web for them to access their application.
  Regards,
  Robert

• Decrypting encPart  example?  Checksum failed

  I'm trying to decrypt the encrypted data part of the Kerberos ticket. My understanding of the algorithm is where I believe I'm mixed up somewhere (all code is server side):
  1) The login context on the server side provides a Subject which contains the private key of the server when storeKey=true in the configuration, of type KerberosKey. This is the key that can be used to decrypt the EncryptedPart of the client's ticket.
  LoginContext lc = new LoginContext(LCONF_SVR, new TextCallbackHandler());
  lc.login();
  Subject sub = lc.getSubject();
  // Get KerberosKey from private creds
  for (Iterator i = sub.getPrivateCredentials().iterator(); i.hasNext();) {
      Object o = i.next();
      if (o instanceof KerberosKey) {
          svrPrivKey = (KerberosKey)o;
          break;
  }2) This KerberosKey can be used to create an EncryptionKey:
  EncryptionKey privKey = new EncryptionKey(svrPrivKey.getEncoded(),
                                            svrPrivKey.getKeyType(),
                                            svrPrivKey.getVersionNumber());2) When con.requestCredDeleg(true) on the client side, after con.isEstablished()==true, con.getDelegCred() on the server side returns a GSSCredentials which, along with con.getSrcName(), can create a Subject the contains the client's KerberosTicket in it's private credentials.
  Subject delegSub = GSSUtil.getSubject(con.getSrcName(), con.getDelegCred());
  Set<KerberosTicket> tickets = delegSub.getPrivateCredentials(KerberosTicket.class);3) The KerberosTicket EncryptedPart can be decrypted using the server's EncryptedKey above, with "usage = 2":
  for (Iterator ti = tickets.iterator(); ti.hasNext();) {
    KerberosTicket kbrTicket = (KerberosTicket)ti.next();
    Ticket ticket = new Ticket(kbrTicket.getEncoded());
    encTicketPart = new EncTicketPart(ticket.encPart.decrypt(privKey, 2));
  }There's something wrong with my understanding, as I am always getting "KrbException: Checksum Failed." from the decrypt, from down in sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt. (Where can I get the source for sun.security.krb5 packages for debugging, btw?).
  Where am I going wrong? Can someone point me to example code that shows how to get from a KerberosTicket to a EncTicketPart?
  Thanks!
  B Atkins

  Here is how I get the AP-REQ out of the byte[] received on the socket from the Client:
     * Parses the token received from the Client
     * (GSS-API InitialContextToken)
     * Encoding: ASN.1 DER
    private byte[] parseToken(byte[] token) throws Exception {
      DerInputStream dis = new DerInputStream(token);
      // get the GSS sequence (set is the same, and has constructed flag)
      DerValue[] values = dis.getSet(token.length, true);
      // Look for the AP_REQ tag [APPLICATION 14] (constructed)
      for (int i=0; i<values.length; i++) {
        DerValue value = values;
  if (value.isConstructed((byte)14)) {
  value.resetTag(DerValue.tag_Set);
  return parseApReq(value.toDerInputStream(), value.length());
  throw new Exception("No AP-REQ found in GSS InitialContextToken");
  }Here's the parsing of that AP-REQ: /**
  * Parses tne AP-REQ PDU, which is the innerContextToken of
  * the GSS InitialToken.
  * Encoding: ASN.1/DER
  private byte[] parseApReq(DerInputStream dis, int len) throws Exception {
  // get the AP_REQ sequence (set is the same, and has constructed flag)
  byte apOptions = 0;
  DerValue ticket = null;
  DerValue[] values = dis.getSet(len, true);
  for (int i=0; i<values.length; i++) {
  DerValue value = values[i];
  if (value.isContextSpecific((byte)2)) {
  // Get the bit string encapsulated in the
  // context specific outter element.
  apOptions = value.getData().getDerValue().getBitString()[0];
  else if (value.isContextSpecific((byte)3)) {
  // Get the value encapsulated in the
  // context specific outter element.
  ticket = value.getData().getDerValue();
  if (ticket == null)
  throw new Exception("No Ticket found in AP-REQ PDU");
  return getAuthorizationData(new Ticket(ticket), serverSub, apOptions);
  }Here's the part that extracts the encPart and decrypts it.  The server subject passed in is from the LoginContext.getSubject() on the server side, after lc.login(). /**
  * Decrypt the EncryptedData into EncTicketPart
  * Encoding: ASN.1/DER
  private byte[] getAuthorizationData(Ticket ticket, Subject svrSub, byte ops)
  throws Exception {
  EncryptionKey key;
  if (useSessionKey(ops))
  key = getSessionKey(svrSub);
  else
  key = getPrivateKey(svrSub);
  byte[] cleartext = ticket.encPart.decrypt(key, 2);
  if (cleartext.length <= 0)
  throw new Exception("zero length decrypt");
  EncTicketPart encPart = new EncTicketPart(cleartext);
  byte[] authPac = parseAuthData(encPart.authorizationData.asn1Encode(), 1);
  return parseAuthData(authPac, 128);
  Here's the key handling part, where *both* the Session and Private keys are acquired: private EncryptionKey getSessionKey(Subject sub) throws Exception {
  KerberosCreds creds = getKrbCreds(sub);
  SecretKey secKey = creds.ticket.getSessionKey();
  return new EncryptionKey(secKey.getEncoded(), 23, new Integer(2));
  private EncryptionKey getPrivateKey(Subject sub) throws Exception {
  KerberosCreds creds = getKrbCreds(sub);
  return new EncryptionKey(creds.key.getEncoded(),
  creds.key.getKeyType(),
  new Integer(2));
  * Get credentials (KerberosKey and/or KerberosTicket) from a
  * Subject
  private KerberosCreds getKrbCreds(Subject sub) {
  // Get the Client's Kerberos ticket from the private credentials
  // of the subject.
  KerberosCreds ret = new KerberosCreds();
  Set<Object> creds = sub.getPrivateCredentials(Object.class);
  for (Iterator<Object> i = creds.iterator(); i.hasNext();) {
  Object cred = i.next();
  if (cred instanceof KerberosTicket)
  ret.ticket = (KerberosTicket)cred;
  if (cred instanceof KerberosKey)
  ret.key = (KerberosKey)cred;
  return ret;
  }As you can see, this has turned a GSS implementation into something that's very Kerberos (and AD, for that matter) specific.
  Edited by: batkins on Feb 22, 2008 12:14 PM
  Edited by: batkins on Feb 22, 2008 12:17 PM                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           

• Verification failed / checksum failed

  Hi,
  This problem started just yesterday. I wanted to download (and later install) Firefox 4. When I downloaded the dmg, it says (in the "download manager window"): verfication failed. Or when I tried it with Chrome, it said: checksum failed.
  So I thought I'd download a new Safari. But I get the same problem...
  Anyone any ideas?

  Try [repairing the hard drive with Disk Utility|http://support.apple.com/kb/TS1417].

• How to replace message in the forms when table level constraint fails!!

  Hello all,
  I have table level constraint in database.
  when constraint fails i get message in the forms like
  "ORA-00001 : UInique Constraint (CYAN.FA_JV_DTL_PK) violated"
  I know i can replace this message by using trigger on-error.
  but for this I have to write on-error trigger in my all the forms.
  is there any short cut at database level?
  so i can map my messages for each and every constraint.
  by doing that database should send user defined message to the form instead of in-built database messages.
  From
  Chirag Patel
  Nairobi

  Chirag,
  I think this is english. I couldnt understand what exactly you want. Can you explain by not using short words and right spellings. I might help you.
  Thanks
  Ghulam

• Error - MLB Boot ROM FFFE0000 Checksum failed

  I managed to get hold of Apples testing software and ran some over night tests on my Mac Pro 2008 model.
  I have the same 12 errors from 17 passes but haven't had a chance to examin the manual.
  Does anyone know what the error means?
  error - MLB Boot ROM FFFE0000 Checksum failed

  Mac Pro EFI Firmware Update 1.3
  http://netkas.org

• Item-level targeting failing intermittantly

  We have an OU with a GPP that pushes autologon keys for our KIOSKS.  The gpp works by initially logging in with a kiosk user account that matches the
  name of the computer account and then the GPP sets the autologon keys and after a reboot or logoff the machine auto-logs on after that.  It has worked great for many months.
  Since we recently increase our password security, we could no longer use the shorter password for
  new kiosks without a painful work-around for our enduser support group.
  To make things easy, we added an additional GPP reg key for defaultpassword and utilized “Item-Level Targeting” within the existing GPO/GPP (see images below).
  Last week we tested this change successfully by adding new kiosk and rebooting both new and existing PCs.   All existing kiosk accounts were members of
  the PasswordComplexityDisabled group.  This group is our Fine-grained password policy that permits legacy complexity and password length.
  On Monday we got flooded with calls that the autologon wasn't working.  I revert the item-level targeting entries and put the GPO back to its original state and the calls
  subsided.  Before doing so however, when we investigated problem machines, the strange thing we noticed was that we could login with the original shorter password if we supplied it manually and after that autologon worked fine.  We also check
  that the account in question was a member of the passwordcomplexitydisabled group.  We are at a loss as to why the key seems to have been blanked or set with the wrong key even though a member of the correct group and the ILT logic was correct. 
  Any ideas. 
  David W King

  > There is nothing in the computer scope of the GPO that could have
  > conflicted (we also link this same KIOSK GPO to the Computer OU) so I'm
  > at a loss at what could have affected this defaultpassword key.  Again
  > the strange thing is that once the older/shorter password was supplied
  > manually/interactively the GPP processed and then autologon resumed
  > working.
  One thing that comes to mind: The defaultpassword entry has to be
  written to the registry BEFORE the user logs on, so if you try to change
  it through a user policy, it will not really work...
  Maybe carefully examining a RSoP results or modeling report will reveal
  what was going on?
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• _root level methods failing when using movieClipLoader

  man wouldn't have a clue why, using onloadInit BELOW, doesn't
  listen to simple button methods addressed to the _root movieClip,
  the script for this frame on the root mc is below, any help please
  It works fine offline, but when on server the button response
  just doesn't work
  www.kevindauth.com and go to port Folio/ then top right
  graphic to load animation, try pressing the right buttons as it
  loads, it just fails, maybe best to check code below first thanks
  kD:-)
  stop();
  var heartPlacer = this.createEmptyMovieClip("container2",
  "101");
  var heart_mc:MovieClipLoader = new MovieClipLoader();
  var preload2 = new Object();
  heart_mc.addListener(preload2);
  preload2.onLoadStart = function(targetMC) {
  heartPlacer._x=95;
  trace("started loading "+targetMC);
  container2._visible = false;
  bar_mc._visible = true;
  preload2.onLoadProgress = function(targetMC, lBytes, tBytes)
  bar_mc._width = (lBytes/tBytes)*100;
  preload2.onLoadComplete = function(targetMC) {
  text._visible = false;
  bar_mc._visible = false;
  container2._visible = true;
  loadingNow._visible = false;
  oneToUnload._visible=false;
  trace(targetMC+" finished");
  heart_mc.loadClip("heartSpinning.swf", "container2");
  _root.arrow_btn.onRelease=function(){
  trace("tjisjao");
  //preload2.onLoadInit = function(target:MovieClip) {
  _root.sun2_btn.onRelease=function(){ //fails
  heart_mc.unloadClip(target); //fails
  var newVar:MovieClipLoader = new MovieClipLoader(); //fails
  newVar.loadClip("workExNew.swf","targetMC"); //FAILS
  //_root.med_btn.onRelease=function(){
  //getURL("
  http://66.7.197.27/~kevindau/meditation.htm","_blank");

  Just answered that one:
  http://www.adobe.com/cfusion/webforums/forum/messageview.cfm?forumid=15&catid=288&threadid =1192673&enterthread=y
  But in your case: you need an object to listen for the
  MovieClipLoader events. So, use the current object as a listener...
  in the constructor:
  myloader = new MovieClipLoader();
  myloader.addListener(this);
  Then use private methods to capture the events:
  private method onLoadInit(target:MovieClip){
  and so on.

• RMAN 0 level backup failed while releasing channels at end.

  In RMAN 0 level backup, when it's about to finish, reports an error as releasing channels. It backed up about 98% datafiles.
  Is this backup is usable. As we can not affort to take backup again as it's a big terabyte databse.
  Please suggest.
  Thanks in advance.
  Aj.

  Do you have release stmts in the script
  From 9i onwards oracle Release the channels automatically upon backing up, so you can remove the release channel lines if you have and try it