3 Replies. Latest reply: Mar 13, 2012 3:21 AM by 915847

    Java 7 and sun.security.krb5.Credentials.acquireTGTFromCache()

    915847
      Hi!,
      This is my first post, hello everyone.
      I have a problem: I wrote a program to check which domain the currently logged-on user is in on Windows. It works fine on JRE 6, but it doesn't work on JRE 7. I searched on Google but couldn't find anything.
      It is supposed to acquire a Kerberos ticket from the cache, in which there should be some credentials with the user's domain name, e.g. user@domainName. Simple code to show the problem, with some comments:
      {code}
      package ldaptester;
      
      import java.io.BufferedWriter;
      import java.io.File;
      import java.io.FileWriter;
      import java.util.Set;
      import javax.security.auth.Subject;
      import javax.security.auth.kerberos.KerberosTicket;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;
      
      /**
       * This program tests whether the currently logged-on user is in a specific domain.
       * I tested it on Windows 7 Enterprise 6.1 build 7601
       * on
       *
       * java version "1.6.0_23"
       * Java(TM) SE Runtime Environment (build 1.6.0_23-b05)
       * Java HotSpot(TM) 64-Bit Server VM (build 19.0-b09, mixed mode)
       *
       * where this program returns:
       * currentLoggedUserDomainName: <myUserName>@<myDomainName>
       *
       * and on
       * java version "1.7.0_02"
       * Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
       * Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)
       *
       * where this program returns
       *
       * javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
       * at com.sun.security.auth.module.Krb5LoginModule.promptForName(Unknown Source)
       * at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
       * at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
       * at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       * at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       * at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       * at java.lang.reflect.Method.invoke(Unknown Source)
       * at javax.security.auth.login.LoginContext.invoke(Unknown Source)
       * at javax.security.auth.login.LoginContext.access$000(Unknown Source)
       * at javax.security.auth.login.LoginContext$4.run(Unknown Source)
       * at javax.security.auth.login.LoginContext$4.run(Unknown Source)
       * at java.security.AccessController.doPrivileged(Native Method)
       * at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
       * at javax.security.auth.login.LoginContext.login(Unknown Source)
       * at ldaptester.TestJre7.getSubject(TestJre7.java:144)
       * at ldaptester.TestJre7.getSignedOnUserSubject(TestJre7.java:88)
       * at ldaptester.TestJre7.main(TestJre7.java:62)
       * currentLoggedUserDomainName: null
       *
       * I don't know why, but I'm guessing that something is wrong with the method
       * public static Credentials acquireTGTFromCache(PrincipalName pn, String string) throws KrbException, IOException
       * in class sun.security.krb5.Credentials
       * which is used from com.sun.security.auth.module.Krb5LoginModule
       */
      public class TestJre7 {
      
          public static void main(String[] args) {
              try {
                  // Domain Name in which user supposed to be, e.g. 'TEST.LOCAL'
                  String strDomainName = "<myDomainName>";
                  String currentLoggedUserDomainName = getSignedOnUserSubject(strDomainName);
                  System.out.println("currentLoggedUserDomainName: " + currentLoggedUserDomainName);
      
              } catch (Exception e) {
                  e.printStackTrace();
              }
          }
      
          public static String getSignedOnUserSubject(String domainName) throws Exception {
      
              File tmpFileForLoginConf = null;
              try {
                // create a temporary JAAS login configuration for 'Krb5LoginModule';
                // File(parent, child) does not depend on java.io.tmpdir ending with a separator
                tmpFileForLoginConf = new File(System.getProperty("java.io.tmpdir"), "loginConf1");
                BufferedWriter out = new BufferedWriter(new FileWriter(tmpFileForLoginConf));
                out.write("SignedOnUserLoginContext {");
                out.newLine();
                // useTicketCache=true: take the TGT from the ticket cache (the LSA on Windows)
                // doNotPrompt=true: never fall back to asking for a password
                out.write("com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=true;");
                out.newLine();
                out.write("};");
                out.newLine();
                out.close();
      
                  // get the Subject that represents the signed-on user
                  // this method throws LoginException: Unable to obtain Princpal Name for authentication on JRE7
                  Subject signedOnUserSubject = getSubject(domainName, tmpFileForLoginConf, "SignedOnUserLoginContext");
      
                  // rest of code which is unnecessary on JRE7
                  // it checks if domainName from credentials is the same as in param 'domainName'
                  String ret = null;
                  Set<Object> set = signedOnUserSubject.getPrivateCredentials();
                  if (set != null && set.size() > 0) {
                      for (Object obj : set) {
                          if (obj instanceof KerberosTicket) {
                              KerberosTicket kt = (KerberosTicket) obj;
      
                              if (kt.getServer().getRealm().equalsIgnoreCase(domainName)) {
                                // if domainName equals kt.getServer().getRealm(), the user is currently logged on to it
                                  ret = kt.getClient().getName();
                                  break;
                              }
                          }
                      }
                  }
      
                  return ret;
              } catch (javax.security.auth.login.LoginException e1) {
                  if (e1.getMessage() != null && e1.getMessage().equals("Unable to obtain Princpal Name for authentication ")) {
                        // most likely the user is not logged on to the domain
                      e1.printStackTrace();
                      return null;
                  }
                  throw e1;
              } catch (Exception e) {
                  throw e;
              } finally {
                  try {
                      if (tmpFileForLoginConf != null) {
                          tmpFileForLoginConf.delete();
                      }
                  } catch (Exception e) {
                      e.printStackTrace();
                  }
              }
          }
      
          /**
           * Gets javax.security.auth.Subject
           */
          public static Subject getSubject(String domainName, File fileLoginConf, String loginContex) throws LoginException {
      
              System.setProperty("java.security.krb5.realm", domainName);
              System.setProperty("java.security.krb5.kdc", "mydc." + domainName);
      
              // let the security subsystem know the location of the login.conf file
              System.setProperty("java.security.auth.login.config", fileLoginConf.getAbsolutePath());
      
              // create a LoginContext based on the entry in the login.conf file
              LoginContext lc = new LoginContext(loginContex);
      
              // login (effectively populating the Subject)
              lc.login();
      
              // get the Subject that represents the signed-on user
              Subject signedOnUserSubject = lc.getSubject();
              return signedOnUserSubject;
          }
      }
      
      {code}
      
      Is it a bug, or did I miss something?
        • 1. Re: Java 7 and sun.security.krb5.Credentials.acquireTGTFromCache()
          gimbal2
          You can enable debugging information by passing this command-line option to Java:

          -Dsun.security.krb5.debug=true

          Found that by googling the error message, "Unable to obtain Princpal Name for authentication". You might try the same; you'll get some interesting results. None of it is directly related to Java 7 though, and it is premature to state that Java 7 has anything directly to do with it. Many people have experienced problems while upgrading the JDK which in the end still turned out to be a problem in the setup or code that you just didn't happen to be troubled by under the older JDK.
          • 2. Re: Java 7 and sun.security.krb5.Credentials.acquireTGTFromCache()
            915847
            Hi again,
            I have collected some debugging info with -Dsun.security.krb5.debug=true and -Dsun.security.jgss.debug=true. When I run the code with JDK 6 I get:

            Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            Acquire TGT from Cache
            KinitOptions cache name is C:\Users\<MY_USERNAME>\krb5cc_<MY_USERNAME>
            Acquire default native Credentials
            Obtained TGT from LSA: Credentials:
            client=<MY_USERNAME>@<myDomainName>
            server=krbtgt/<myDomainName>@<myDomainName>
            authTime=20120312122957Z
            startTime=20120312122957Z
            endTime=20120312222957Z
            renewTill=20120319122957Z
            flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
            EType (int): 23
            Principal is <MY_USERNAME>@<myDomainName>
            Commit Succeeded

            currentLoggedUserDomainName: <MY_USERNAME>@<myDomainName>


            but on JDK 7 I get:

            Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            Acquire TGT from Cache
            KinitOptions cache name is C:\Users\<MY_USERNAME>\krb5cc_<MY_USERNAME>
            Acquire default native Credentials
            Found no TGT's in LSA
            Principal is null
            null credentials from Ticket Cache
                      [Krb5LoginModule] authentication failed
            Unable to obtain Princpal Name for authentication

            currentLoggedUserDomainName: null
            LSA: Found Ticket
            LSA: Made NewWeakGlobalRef
            LSA: Found PrincipalName
            LSA: Made NewWeakGlobalRef
            LSA: Found DerValue
            LSA: Made NewWeakGlobalRef
            LSA: Found EncryptionKey
            LSA: Made NewWeakGlobalRef
            LSA: Found TicketFlags
            LSA: Made NewWeakGlobalRef
            LSA: Found KerberosTime
            LSA: Made NewWeakGlobalRef
            LSA: Found String
            LSA: Made NewWeakGlobalRef
            LSA: Found DerValue constructor
            LSA: Found Ticket constructor
            LSA: Found PrincipalName constructor
            LSA: Found EncryptionKey constructor
            LSA: Found TicketFlags constructor
            LSA: Found KerberosTime constructor
            LSA: Finished OnLoad processing
            LSA: Found KrbCreds constructor
            LSA: Got handle to Kerberos package
            LSA: Response size is 1357
            LSA: Principal domain is <myDomainName>
            LSA: Name type is 1
            LSA: Name count is 1
            LSA: Principal domain is <myDomainName>
            LSA: Name type is 2
            LSA: Name count is 2
            LSA: Session key all zero. Stop.
            javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
                 at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:796)
                 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:667)
                 at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
                 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
                 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                 at java.lang.reflect.Method.invoke(Method.java:601)
                 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
                 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
                 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
                 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
                 at java.security.AccessController.doPrivileged(Native Method)
                 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
                 at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
                 at ldaptester.TestJre7.getSubject(TestJre7.java:147)
                 at ldaptester.TestJre7.getSignedOnUserSubject(TestJre7.java:90)
                 at ldaptester.TestJre7.main(TestJre7.java:64)


            I would like to know what's going on in the native method acquireDefaultNativeCreds() in sun.security.krb5.Credentials, but I don't know how to get at this native code. From the debug info I'm guessing that it cannot get the ticket from the cache, but when I run 'klist tgt' in cmd it returns:



            Service Name : krbtgt
            Target element name . (SPN): krbtgt
            Client Name : <MY_USERNAME>
            Domain name : <myDomainName>
            Target Domain name .: <myDomainName>
            Alt. target domain name.: <myDomainName>
            flags : 0x40e00000 -> forwardable renewable initial pre_authent
            session key : key type 0x17 - RSADSI RC4-HMAC(NT)
            : key length 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00
            begin time : 3/12/2012 12:52:18 (local)
            end time : 3/12/2012 22:52:18 (local)
            Renew until : 3/19/2012 12:52:18 (local)
            TimeSkew : + 0:00 min
            Encoded ticket : (size: 953)
            0000 61 82 03 b5 30 82 03 b1:a0 03 02 01 05 a1 0c 1b a...0...........
            0010 0a 5a 45 54 4f 2e 4c 4f:43 41 4c a2 1f 30 1d a0 .<myDomainName>..0..
            0020 03 02 01 02 a1 16 30 14:1b 06 6b 72 62 74 67 74 ......0...krbtgt
            0030 1b 0a 5a 45 54 4f 2e 4c:4f 43 41 4c a3 82 03 79 ..<myDomainName>...y
            0040 30 82 03 75 a0 03 02 01:17 a1 03 02 01 02 a2 82 0..u............
            0050 03 67 04 82 03 63 b1 1d:48 9d a3 cb 53 7f 88 bc .g...c..H...S...

            (some of the output was in Polish, sorry)

            Does anyone have something similar to this, or can anyone help?
            • 3. Re: Java 7 and sun.security.krb5.Credentials.acquireTGTFromCache()
              915847
              OK, it's fixed; it was my mistake.
              From the beginning there should have been a key in the Windows registry:

              HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

              allowtgtsessionkey REG_DWORD (1)

              I read that it should have been there from the beginning, that is in Java 6, but since it was working, I didn't set it up; in Java 7 it is actually used.
              I think it is supposed to be used in Java 6 too; probably a bug?
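Two facts from the thread fit together: the `klist tgt` dump in reply 2 shows a TGT whose 16-byte session key is all zeros (the same condition the JDK debug log reports as `LSA: Session key all zero. Stop.`), and reply 3 shows that `AllowTgtSessionKey=1` under the Kerberos `Parameters` key is what makes LSA export that key. The PowerShell script below is an added example, not code from the thread, the JDK or Microsoft: it reads that registry value, parses `klist tgt` output for the session key bytes the way a reader of reply 2 would by eye, reports whether LSA is withholding the key, and with `-Fix` creates the value. It assumes a domain-joined Windows client with `klist.exe` on the PATH; the sample klist lines embedded in it are constructed to mirror the poster's output, not captured data.

```powershell
# Added example, not code from the thread. Diagnoses the "LSA: Session key all zero"
# condition behind the poster's Java 7 failure and, with -Fix, applies the registry
# change from reply 3. Assumes a domain-joined Windows client with klist.exe on PATH;
# -Fix needs an elevated shell because it writes under HKLM.
param([switch]$Fix)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$RegName = 'AllowTgtSessionKey'

function Get-AllowTgtSessionKey {
    # Current DWORD value, or $null when the value does not exist (the poster's state).
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$RegName
}

function Test-TgtSessionKeyExported {
    # Parses 'klist tgt' output. Returns $true when the session key bytes are not all
    # zero, $false when they are (LSA withholding the key), $null when no key line was
    # found (no TGT cached, or unrecognised output). Only the 'key length N - xx xx ...'
    # shape is used, so it works on the English and the poster's localized layout, and
    # the hex dump is followed onto continuation lines as in reply 2.
    param([string[]]$KlistOutput)
    $bytes = @()
    $collecting = $false
    foreach ($line in $KlistOutput) {
        if (-not $collecting) {
            if ($line -match 'key\s*length\s*\d+\s*-\s*(.*)$') {
                $bytes += @($Matches[1].Trim() -split '\s+' | Where-Object { $_ -match '^[0-9a-fA-F]{2}$' })
                $collecting = $true
            }
            continue
        }
        $tokens = @($line.Trim() -split '\s+')
        $nonHex = @($tokens | Where-Object { $_ -notmatch '^[0-9a-fA-F]{2}$' })
        if ($nonHex.Count -gt 0) { break }   # next klist field reached
        $bytes += $tokens
    }
    if ($bytes.Count -eq 0) { return $null }
    return (@($bytes | Where-Object { $_ -ne '00' }).Count -gt 0)
}

# Constructed sample mirroring the poster's klist output (not captured data), used as a
# self-check of the parser before the live cache is examined.
$Sample = @(
    'Session Key        : KeyType 0x17 - RSADSI RC4-HMAC(NT)',
    '                   : KeyLength 16 - 00 00 00 00 00 00 00 00 00 00 00 00 00',
    '00 00 00',
    'StartTime          : 3/12/2012 12:52:18 (local)'
)
if (Test-TgtSessionKeyExported -KlistOutput $Sample) { throw 'parser self-check failed: zero key not detected' }

$value = Get-AllowTgtSessionKey
Write-Host ("{0} = {1}" -f $RegName, $(if ($null -eq $value) { '<not set>' } else { $value }))

$live = @(& klist.exe tgt 2>&1 | ForEach-Object { [string]$_ })
$exported = Test-TgtSessionKeyExported -KlistOutput $live
if ($null -eq $exported) {
    Write-Warning 'No TGT session key line found: not logged on to a domain, or klist output not recognised.'
} elseif ($exported) {
    Write-Host 'TGT session key is exported; Krb5LoginModule useTicketCache=true can read the LSA cache.'
} else {
    Write-Warning "TGT session key is all zero: LSA is withholding it, which Java 7 reports as 'Found no TGT's in LSA'."
}

if ($Fix -and $value -ne 1) {
    # -Force creates the value if absent and overwrites it otherwise.
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Set $RegName=1. Obtain a fresh TGT (log off and on) and re-run this script to confirm."
}
```

Run it unelevated first for the diagnosis; `-Fix` needs an administrator shell. Two caveats a practitioner should keep in mind: the parser only recognises a key-length line of the `key length N - xx xx ...` shape, so a localized klist that prints the field differently returns `$null` rather than a verdict, and on Windows 10/11 hosts where Credential Guard is enabled LSA does not export the TGT session key regardless of this registry value, so the same Java failure appears even after the key is set.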