30 Replies. Latest reply: Aug 17, 2010 6:05 AM by 843810

GSSContext initialization failing when context.requestMutualAuth(true)

843810 Newbie
Hi,

I'm trying to use GSSAPI authentication (using Kerberos) for a CVS server.

Here's the code I'm using (it's basically a slight modification of the SampleClient from a Sun tutorial):
import org.ietf.jgss.*;
import java.net.Socket;
import java.security.PrivilegedAction;
import java.io.IOException;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class Client {

    public static void main(String[] args) throws IOException {

        // Obtain the command-line arguments and parse the port number
        if (args.length < 3) {
            System.err.println("Usage: java <options> Client <server> <hostName> <port>");
            System.exit(-1);
        }

        String server = args[0];   // not used below: the service name is hard-coded in MyClientAction
        String hostName = args[1];
        int port = Integer.parseInt(args[2]);

        Socket socket = new Socket(hostName, port);
        DataOutputStream outStream = new DataOutputStream(socket.getOutputStream());

        // Announce to the CVS server that GSSAPI authentication follows
        outStream.write("BEGIN GSSAPI REQUEST\n".getBytes());
        outStream.flush();

        System.out.println("Connected to server " + socket.getInetAddress());

        // 1. Log in (to Kerberos) via the JAAS configuration entry named "Login"
        SampleCallbackHandler authenticator = new SampleCallbackHandler();
        LoginContext lc;
        try {
            lc = new LoginContext("Login", authenticator);
            // Attempt authentication
            lc.login();
        } catch (LoginException le) {
            // Without a Kerberos login there is no Subject to run the client action as
            le.printStackTrace();
            socket.close();
            return;
        }
        Subject subject = lc.getSubject();

        // 2. Run the GSS-API exchange with the Subject's Kerberos credentials
        Subject.doAs(subject, new MyClientAction(socket));
        socket.close();
    }
}

class MyClientAction implements PrivilegedAction<Object> {

    private DataInputStream inStream;
    private DataOutputStream outStream;

    public MyClientAction(Socket s) throws IOException {
        this.inStream = new DataInputStream(s.getInputStream());
        this.outStream = new DataOutputStream(s.getOutputStream());
    }

    public Object run() {

        byte[] token = null;

        try {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName serverName = manager.createName("cvs@server.com",
                    GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);

            // Get the context for authentication
            GSSContext context = manager.createContext(serverName, krb5Mechanism,
                    null, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);  // Request mutual authentication
            context.requestConf(true);        // Request confidentiality

            // Do the context establishment loop
            token = new byte[0];
            while (!context.isEstablished()) {

                token = context.initSecContext(token, 0, token.length);

                // Send a token to the server if one was generated by initSecContext
                if (token != null) {
                    System.out.println("Will send token of size " + token.length
                            + " from initSecContext.");
                    outStream.writeInt(token.length);
                    outStream.write(token);
                    outStream.flush();
                }

                // If the client is done with context establishment
                // then there will be no more tokens to read in this loop
                if (!context.isEstablished()) {
                    token = new byte[inStream.readInt()];
                    inStream.readFully(token);
                }
            }

            System.out.println("Context Established! ");
            System.out.println("Client is " + context.getSrcName());
            System.out.println("Server is " + context.getTargName());
            System.out.println("Lifetime: " + context.getLifetime());

            /*
             * If mutual authentication did not take place, then only the client was
             * authenticated to the server. Otherwise, both client and server were
             * authenticated to each other.
             */
            if (context.getMutualAuthState())
                System.out.println("Mutual authentication took place!");

            byte[] messageBytes = "END AUTH REQUEST\n".getBytes();

            /*
             * The first MessageProp argument is 0 to request the default
             * Quality-of-Protection. The second argument is true to request privacy
             * (encryption of the message).
             */
            MessageProp prop = new MessageProp(0, true);

            /*
             * Encrypt the data and send it across. Integrity protection is always
             * applied, irrespective of confidentiality (i.e., encryption). You can
             * use the same token (byte array) as that used when establishing the
             * context.
             */
            token = context.wrap(messageBytes, 0, messageBytes.length, prop);
            System.out.println("Will send wrap token of size " + token.length);
            outStream.writeInt(token.length);
            outStream.write(token);
            outStream.flush();

            /*
             * Now we will allow the server to decrypt the message, calculate a MIC
             * on the decrypted message and send it back to us for verification.
             * This is unnecessary, but done here for illustration. The MIC token
             * has to be read from the server first; verifying the wrap token we
             * just sent as if it were a MIC can never succeed.
             */
            byte[] micToken = new byte[inStream.readInt()];
            inStream.readFully(micToken);
            context.verifyMIC(micToken, 0, micToken.length, messageBytes, 0,
                    messageBytes.length, prop);

            System.out.println("Verified received MIC for message.");

            System.out.println("Exiting...");
            context.dispose();
        } catch (GSSException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return token;
    }
}
When I run this, I'm getting the following error:

GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

I'm able to establish the context if I set context.requestMutualAuth(false). But then, if I send wrapped messages to the server it fails with the same error. Does anybody know what I'm doing wrong?

Thank you!
  • 1. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    On which line is the exception thrown? Can you show the full exception stack info?

    In your program, you send the length of the token before sending the token itself. Are you sure this is how the CVS server works? Some tokens contain the length info inside, so it's probably not necessary to send the length explicitly.

    If you can find a CVS client that can communicate with the server correctly, you can use a packet capturer (say, Wireshark) to study what the protocol looks like.
  • 2. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    Thanks for your response. I'm providing requested details below.

    Note: The below captures/traces have been anonymized.

    Here is where CVS GSSAPI authentication is described: http://www.delorie.com/gnu/docs/cvs/cvsclient_3.html

    Below is the output I'm getting on the console. Note that I'm getting this out-of-memory error since it tries to read an int from the socket, whereas "[cvs :pserver] could not verify credentials" (or similar) is returned.

    --------------------------------------------------------------------------
    Connected to server cvs.test.example.com/10.10.36.74
    Config name: /etc/krb5.conf
    Kerberos username [myprincipal]:
    Kerberos password for myprincipal:
    default etypes for default_tkt_enctypes: 18 16 23 1 3.
    default etypes for default_tkt_enctypes: 18 16 23 1 3.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=kerberos.internal.example.com UDP:88, timeout=30000, number of retries =3, #bytes=145
    KDCCommunication: kdc=kerberos.internal.example.com UDP:88, timeout=30000,Attempt =1, #bytes=145
    KrbKdcReq send: #bytes read=567
    KrbKdcReq send: #bytes read=567
    EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    KrbAsRep cons in KrbAsReq.getReply myprincipal
    default etypes for default_tkt_enctypes: 18 16 23 1 3.
    Found ticket for myprincipal@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Wed Aug 11 18:39:37 EDT 2010
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Found ticket for myprincipal@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Wed Aug 11 18:39:37 EDT 2010
    Service ticket not found in the subject
    Credentials acquireServiceCreds: same realm
    default etypes for default_tgs_enctypes: 18 16 23 1 3.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    KrbKdcReq send: kdc=kerberos.internal.example.com UDP:88, timeout=30000, number of retries =3, #bytes=589
    KDCCommunication: kdc=kerberos.internal.example.com UDP:88, timeout=30000,Attempt =1, #bytes=589
    KrbKdcReq send: #bytes read=535
    KrbKdcReq send: #bytes read=535
    EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    KrbApReq: APOptions are 00100000 00000000 00000000 00000000
    EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    crc32: b25c43f1
    crc32: 10110010010111000100001111110001
    Krb5Context setting mySeqNumber to: 876966219
    Created InitSecContextToken:
    0000: 01 00 6E 82 01 C2 30 82 01 BE A0 03 02 01 05 A1 ..n...0.........
    0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 81 F7 ......... ......
    0020: 61 81 F4 30 81 F1 A0 03 02 01 05 A1 0C 1B 0A 52 a..0...........EX
    0030: 45 44 48 41 54 2E 43 4F 4D A2 26 30 24 A0 03 02 AMPLE.COM.&0$...
    0040: 01 00 A1 1D 30 1B 1B 03 63 76 73 1B 14 63 76 73 ....0...cvs..cvs
    0050: 2E 64 65 76 65 6C 2E 72 65 64 68 61 74 2E 63 6F .test.example.co
    0060: 6D A3 81 B3 30 81 B0 A0 03 02 01 01 A1 03 02 01 m...0...........
    0070: 03 A2 81 A3 04 81 A0 B8 34 6F 79 61 69 C9 70 A5 ........4oyai.p.
    0080: 66 BE D2 65 EB 56 0C AC 1E AB 84 0B A5 D9 59 64 f..e.V........Yd
    0090: 6A 57 B2 85 0F 4D 19 C8 80 16 00 14 98 4A 44 0B jW...M.......JD.
    00A0: 45 5E 6D 27 C8 BC F1 37 62 FA 00 28 05 95 9C D5 E^m'...7b..(....
    00B0: 02 83 82 4D 4B FF 6D 64 30 0D CB 1F 98 BE 79 E2 ...MK.md0.....y.
    00C0: B1 04 2F 46 BC A6 EA 3B D0 43 B0 78 E2 76 E7 D5 ../F...;.C.x.v..
    00D0: AA E5 48 C2 53 1C 34 E6 A1 37 AC D0 DB 71 DD E7 ..H.S.4..7...q..
    00E0: D5 5B 47 24 0D BF 67 93 0F 22 70 2D 37 91 29 45 .[G$..g.."p-7.)E
    00F0: C8 FD A1 C9 17 D2 6A C3 6A A4 EF A6 06 4A A9 F3 ......j.j....J..
    0100: 00 59 91 E9 5B 61 4D 11 24 86 89 A3 36 16 81 AC .Y..[aM.$...6...
    0110: FD 33 4E C8 DD 05 E5 A4 81 AE 30 81 AB A0 03 02 .3N.......0.....
    0120: 01 01 A2 81 A3 04 81 A0 01 A7 96 A7 42 83 2C 47 ............B.,G
    0130: 2E 8A E7 BF 5E 81 3B D6 B2 54 86 89 D5 6F 24 48 ....^.;..T...o$H
    0140: F9 DF 58 7C CA 58 DD 7F 94 78 07 5E 25 34 63 40 ..X..X...x.^%4c@
    0150: 49 3B 12 C5 56 99 17 FD 87 8B 59 3F 1A A0 59 94 I;..V.....Y?..Y.
    0160: 5A 0F 81 B4 25 CC 84 29 C2 5E C7 9F 0B CD FA DA Z...%..).^......
    0170: ED DE DF 5A BE 83 24 51 26 1F 53 43 49 34 E2 17 ...Z..$Q&.SCI4..
    0180: 89 88 74 A8 EE D5 9F AE 5F 3A 39 BB A3 16 BA 82 ..t....._:9.....
    0190: C1 13 8F 96 B7 E0 4F 04 7F BB 19 5A 1B CF 37 05 ......O....Z..7.
    01A0: 33 CB CD 16 32 90 F7 46 B9 DC A5 8E A8 A5 05 A9 3...2..F........
    01B0: 1B 17 DA E0 38 68 9A 3B 67 67 1F 55 DF 11 A2 3B ....8h.;gg.U...;
    01C0: CE F4 34 FF AE 07 98 95 ..4.....

    Will send token of size 471 from initSecContext.
    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    at MyClientAction.run(Client.java:128)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:357)
    at Client.main(Client.java:67)

    ----------------------------------

    Edited by: Severin_G on Aug 13, 2010 6:58 AM
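The two failure modes in this thread (the "GSSHeader did not find the right tag" exception from the original post and the OutOfMemoryError from the console trace above) have the same root cause: bytes that are not a GSS-API token are handed to the GSS layer, or a text reply from the server is read as a binary length. The following is an added example, not code from the thread or from the Sun sample, written in Python rather than Java so it runs without a Kerberos setup. It shows what `DataInputStream.readInt()` makes of the server's text reply, builds the RFC 2743 token header that Java's `GSSHeader` expects (0x60 tag, DER length, Kerberos mechanism OID), and reads a framed token defensively. Assumptions: the two-byte network-order length prefix is taken from the CVS client protocol document linked above and is not otherwise verified here; `MAX_TOKEN_LEN`, `ERROR_TEXT` and the sample tokens are constructed for this example.

```python
import io
import struct

# DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 used in the thread
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

# Assumed upper bound for one token in this example (two-byte framing caps it at 65535 anyway).
MAX_TOKEN_LEN = 16384

# Constructed stand-in for the text the OP saw the server return instead of a token.
ERROR_TEXT = b"[cvs :pserver] could not verify credentials\n"


class ProtocolError(Exception):
    """Raised when the peer's bytes are not a well-formed, framed GSS-API token."""


def der_length(n: int) -> bytes:
    """DER length octets for n: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def wrap_gss_header(inner_token: bytes, mech_oid_der: bytes = KRB5_MECH_OID_DER) -> bytes:
    """RFC 2743 InitialContextToken framing: 0x60, DER length, mechanism OID, inner token.
    This header is what Java prepends to the raw Krb5 AP-REQ bytes shown in the OP's dump."""
    payload = mech_oid_der + inner_token
    return b"\x60" + der_length(len(payload)) + payload


def looks_like_gss_token(data: bytes, mech_oid_der: bytes = KRB5_MECH_OID_DER) -> bool:
    """True if data carries the 0x60 tag, a consistent DER length and the expected mechanism OID.
    A first byte other than 0x60 is the case Java reports as 'GSSHeader did not find the right tag'."""
    if len(data) < 2 or data[0] != 0x60:
        return False
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        length, offset = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if length != len(data) - offset:
        return False
    return data[offset:offset + len(mech_oid_der)] == mech_oid_der


def naive_readint_length(data: bytes) -> int:
    """What DataInputStream.readInt() makes of the first four bytes, as the OP's client does."""
    return struct.unpack(">i", data[:4])[0]


def frame_token(token: bytes) -> bytes:
    """Two-byte network-order length prefix (assumed CVS framing) followed by the token."""
    return struct.pack(">H", len(token)) + token


def preview(data: bytes, limit: int = 48) -> str:
    return repr(data[:limit].decode("ascii", errors="replace"))


def read_cvs_token(stream, max_len: int = MAX_TOKEN_LEN) -> bytes:
    """Read one framed token from a stream with a read(n) method.
    Every failure raises ProtocolError carrying a printable preview of what was actually received,
    so a text error line from the server is reported instead of being allocated as a buffer."""
    header = stream.read(2)
    if len(header) < 2:
        raise ProtocolError("connection closed before a token length arrived")
    (length,) = struct.unpack(">H", header)
    if length == 0 or length > max_len:
        rest = stream.read(64)
        raise ProtocolError(f"implausible token length {length}; peer sent {preview(header + rest)}")
    body = stream.read(length)
    if len(body) < length:
        raise ProtocolError(f"short read: expected {length} bytes, got {len(body)}; "
                            f"peer sent {preview(header + body)}")
    if not looks_like_gss_token(body):
        raise ProtocolError(f"not a GSS-API token: {preview(body)}")
    return body


def classify_peer_bytes(data: bytes) -> str:
    """Run read_cvs_token over a captured byte string and report the outcome as text."""
    try:
        token = read_cvs_token(io.BytesIO(data))
    except ProtocolError as exc:
        return f"rejected: {exc}"
    return f"token of {len(token)} bytes"


if __name__ == "__main__":
    print("readInt() on the error text would allocate", naive_readint_length(ERROR_TEXT), "bytes")
    print(classify_peer_bytes(ERROR_TEXT))
    print(classify_peer_bytes(frame_token(wrap_gss_header(b"\x01\x00" + bytes(20)))))
```

Two numbers from the thread fall out of this: the console shows an inner token dump of 0x1C8 = 456 bytes and a sent size of 471, and `wrap_gss_header` adds exactly the 15 header bytes that account for the difference; and the first four bytes of the error text read as 0x5B637673, about 1.5 GB, which is the allocation that produced the OutOfMemoryError at the `readInt()` line. Feeding a token framed with a four-byte length (the OP's `writeInt` convention) to the two-byte reader is rejected as a zero length rather than misread, which is the symmetric mismatch a server would see.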
  • 3. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    The sniffed network traffic (Kerberos exchange) from this is as follows:

    ----------------------------------
    No.     Time                       Source                Destination           Protocol Info
      28211 2010-08-11 08:39:04.105321 10.15.16.120          10.5.0.11             KRB5     AS-REQ
    
    Frame 28211 (187 bytes on wire, 187 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:04.105321000
        [Time delta from previous captured frame: 0.027807000 seconds]
        [Time delta from previous displayed frame: 31.941427000 seconds]
        [Time since reference or first frame: 31.941427000 seconds]
        Frame Number: 28211
        Frame Length: 187 bytes
        Capture Length: 187 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
        Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 173
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0x15aa [correct]
            [Good: True]
            [Bad : False]
        Source: 10.15.16.120 (10.15.16.120)
        Destination: 10.5.0.11 (10.5.0.11)
    User Datagram Protocol, Src Port: 48056 (48056), Dst Port: kerberos (88)
        Source port: 48056 (48056)
        Destination port: kerberos (88)
        Length: 153
        Checksum: 0x2541 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REQ
        Pvno: 5
        MSG Type: AS-REQ (10)
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000000
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Client Name (Principal): myprincipal
                Name-type: Principal (1)
                Name: myprincipal
            Realm: EXAMPLE.COM
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            till: 1970-01-01 00:00:00 (UTC)
            Nonce: 219522633
            Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
  • 4. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
      28213 2010-08-11 08:39:04.186793 10.5.0.11             10.15.16.120          KRB5     AS-REP
    
    Frame 28213 (609 bytes on wire, 609 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:04.186793000
        [Time delta from previous captured frame: 0.013459000 seconds]
        [Time delta from previous displayed frame: 0.081472000 seconds]
        [Time since reference or first frame: 32.022899000 seconds]
        Frame Number: 28213
        Frame Length: 609 bytes
        Capture Length: 609 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 595
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 58
        Protocol: UDP (0x11)
        Header checksum: 0x1a04 [correct]
            [Good: True]
            [Bad : False]
        Source: 10.5.0.11 (10.5.0.11)
        Destination: 10.15.16.120 (10.15.16.120)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 48056 (48056)
        Source port: kerberos (88)
        Destination port: 48056 (48056)
        Length: 575
        Checksum: 0xa870 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REP
        Pvno: 5
        MSG Type: AS-REP (11)
        padata: PA-ENCTYPE-INFO2
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
        Client Realm: EXAMPLE.COM
        Client Name (Principal): myprincipal
            Name-type: Principal (1)
            Name: myprincipal
        Ticket
            Tkt-vno: 5
            Realm: EXAMPLE.COM
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            enc-part aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Kvno: 2
                enc-part: 500D340BEAADD9750D0312E3BDD828626B8CB0F19BA3FAEC...
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            enc-part: 549AA940C63E487DE9A425E624A7517FACF38D548D0FBD65...
  • 5. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
      28537 2010-08-11 08:39:40.570437 10.15.16.120          10.5.0.11             KRB5     AS-REQ
    
    Frame 28537 (187 bytes on wire, 187 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:40.570437000
        [Time delta from previous captured frame: 0.003338000 seconds]
        [Time delta from previous displayed frame: 36.383644000 seconds]
        [Time since reference or first frame: 68.406543000 seconds]
        Frame Number: 28537
        Frame Length: 187 bytes
        Capture Length: 187 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
        Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 173
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0x15aa [correct]
            [Good: True]
            [Bad : False]
        Source: 10.15.16.120 (10.15.16.120)
        Destination: 10.5.0.11 (10.5.0.11)
    User Datagram Protocol, Src Port: 47224 (47224), Dst Port: kerberos (88)
        Source port: 47224 (47224)
        Destination port: kerberos (88)
        Length: 153
        Checksum: 0x2541 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REQ
        Pvno: 5
        MSG Type: AS-REQ (10)
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000000
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Client Name (Principal): myprincipal
                Name-type: Principal (1)
                Name: myprincipal
            Realm: EXAMPLE.COM
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            till: 1970-01-01 00:00:00 (UTC)
            Nonce: 1901426187
            Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
  • 6. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
      28538 2010-08-11 08:39:40.649676 10.5.0.11             10.15.16.120          KRB5     AS-REP
    
    Frame 28538 (609 bytes on wire, 609 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:40.649676000
        [Time delta from previous captured frame: 0.079239000 seconds]
        [Time delta from previous displayed frame: 0.079239000 seconds]
        [Time since reference or first frame: 68.485782000 seconds]
        Frame Number: 28538
        Frame Length: 609 bytes
        Capture Length: 609 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 595
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 58
        Protocol: UDP (0x11)
        Header checksum: 0x1a04 [correct]
            [Good: True]
            [Bad : False]
        Source: 10.5.0.11 (10.5.0.11)
        Destination: 10.15.16.120 (10.15.16.120)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47224 (47224)
        Source port: kerberos (88)
        Destination port: 47224 (47224)
        Length: 575
        Checksum: 0xb923 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REP
        Pvno: 5
        MSG Type: AS-REP (11)
        padata: PA-ENCTYPE-INFO2
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
        Client Realm: EXAMPLE.COM
        Client Name (Principal): myprincipal
            Name-type: Principal (1)
            Name: myprincipal
        Ticket
            Tkt-vno: 5
            Realm: EXAMPLE.COM
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            enc-part aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Kvno: 2
                enc-part: 0C2CDAB6A9F9D1EF20465505CE5C79A1B05BA66CF8108CAB...
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            enc-part: 29AC0C9E998723631A8A66C4389A2E0426962B3791944B8C...
  • 7. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
      28547 2010-08-11 08:39:40.865350 10.15.16.120          10.5.0.11             KRB5     TGS-REQ
    
    Frame 28547 (631 bytes on wire, 631 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:40.865350000
        [Time delta from previous captured frame: 0.043476000 seconds]
        [Time delta from previous displayed frame: 0.215674000 seconds]
        [Time since reference or first frame: 68.701456000 seconds]
        Frame Number: 28547
        Frame Length: 631 bytes
        Capture Length: 631 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
        Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 617
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0x13ee [correct]
            [Good: True]
            [Bad : False]
        Source: 10.15.16.120 (10.15.16.120)
        Destination: 10.5.0.11 (10.5.0.11)
    User Datagram Protocol, Src Port: 41618 (41618), Dst Port: kerberos (88)
        Source port: 41618 (41618)
        Destination port: kerberos (88)
        Length: 597
        Checksum: 0x26fd [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos TGS-REQ
        Pvno: 5
        MSG Type: TGS-REQ (12)
        padata: PA-TGS-REQ
            Type: PA-TGS-REQ (1)
                Value: 6E8201AD308201A9A003020105A10302010EA20703050000... AP-REQ
                    Pvno: 5
                    MSG Type: AP-REQ (14)
                    Padding: 0
                    APOptions: 00000000
                        .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                        ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                    Ticket
                        Tkt-vno: 5
                        Realm: EXAMPLE.COM
                        Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                            Name-type: Service and Instance (2)
                            Name: krbtgt
                            Name: EXAMPLE.COM
                        enc-part aes256-cts-hmac-sha1-96
                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                            Kvno: 2
                            enc-part: 0C2CDAB6A9F9D1EF20465505CE5C79A1B05BA66CF8108CAB...
                    Authenticator aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                        Authenticator data: BF837B10906C4CAE0775AA9BBBFC927AEC282B6A7651CBA8...
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000000
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Realm: EXAMPLE.COM
            Server Name (Unknown): cvs/cvs.test.example.com
                Name-type: Unknown (0)
                Name: cvs
                Name: cvs.test.example.com
            till: 1970-01-01 00:00:00 (UTC)
            Nonce: 772940195
            Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
  • 8. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
      28548 2010-08-11 08:39:40.952776 10.5.0.11             10.15.16.120          KRB5     TGS-REP
    
    Frame 28548 (577 bytes on wire, 577 bytes captured)
        Arrival Time: Aug 11, 2010 08:39:40.952776000
        [Time delta from previous captured frame: 0.087426000 seconds]
        [Time delta from previous displayed frame: 0.087426000 seconds]
        [Time since reference or first frame: 68.788882000 seconds]
        Frame Number: 28548
        Frame Length: 577 bytes
        Capture Length: 577 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 563
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 58
        Protocol: UDP (0x11)
        Header checksum: 0x1a24 [correct]
            [Good: True]
            [Bad : False]
        Source: 10.5.0.11 (10.5.0.11)
        Destination: 10.15.16.120 (10.15.16.120)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41618 (41618)
        Source port: kerberos (88)
        Destination port: 41618 (41618)
        Length: 543
        Checksum: 0xfd86 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos TGS-REP
        Pvno: 5
        MSG Type: TGS-REP (13)
        Client Realm: EXAMPLE.COM
        Client Name (Principal): myprincipal
            Name-type: Principal (1)
            Name: myprincipal
        Ticket
            Tkt-vno: 5
            Realm: EXAMPLE.COM
            Server Name (Unknown): cvs/cvs.test.example.com
                Name-type: Unknown (0)
                Name: cvs
                Name: cvs.test.example.com
            enc-part des-cbc-crc
                Encryption type: des-cbc-crc (1)
                Kvno: 3
                enc-part: B8346F796169C970A566BED265EB560CAC1EAB840BA5D959...
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            enc-part: 4481315477DE6534CAA5A1435A053554F2E8CDB12D5811B0...
  • 9. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    Now, compare this to a network trace where Kerberos exchanges succeed.

    --------------------------------------
    No.     Time                       Source                Destination           Protocol Info
        141 2010-08-11 08:48:24.575697 10.15.16.120          10.5.0.11             KRB5     AS-REQ
    
    Frame 141 (227 bytes on wire, 227 bytes captured)
        Arrival Time: Aug 11, 2010 08:48:24.575697000
        [Time delta from previous captured frame: 0.000149000 seconds]
        [Time delta from previous displayed frame: 18.658561000 seconds]
        [Time since reference or first frame: 18.658561000 seconds]
        Frame Number: 141
        Frame Length: 227 bytes
        Capture Length: 227 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
        Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 213
        Identification: 0x2c5e (11358)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0xe923 [correct]
            [Good: True]
            [Bad : False]
        Source: 10.15.16.120 (10.15.16.120)
        Destination: 10.5.0.11 (10.5.0.11)
    User Datagram Protocol, Src Port: 39656 (39656), Dst Port: kerberos (88)
        Source port: 39656 (39656)
        Destination port: kerberos (88)
        Length: 193
        Checksum: 0x2569 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REQ
        Pvno: 5
        MSG Type: AS-REQ (10)
        padata: Unknown:149
            Type: Unknown (149)
                Value: <MISSING>
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 40010010 (Forwardable, Canonicalize, Renewable OK)
                .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Client Name (Principal): myprincipal
                Name-type: Principal (1)
                Name: myprincipal
            Realm: EXAMPLE.COM
            Server Name (Unknown): krbtgt/EXAMPLE.COM
                Name-type: Unknown (0)
                Name: krbtgt
                Name: EXAMPLE.COM
            from: 2010-08-11 12:48:24 (UTC)
            till: 2010-08-12 12:48:24 (UTC)
            Nonce: 1093728284
            Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
                Encryption type: des-cbc-md4 (2)
  • 10. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
        142 2010-08-11 08:48:24.661614 10.5.0.11             10.15.16.120          KRB5     AS-REP
    
    Frame 142 (649 bytes on wire, 649 bytes captured)
        Arrival Time: Aug 11, 2010 08:48:24.661614000
        [Time delta from previous captured frame: 0.085917000 seconds]
        [Time delta from previous displayed frame: 0.085917000 seconds]
        [Time since reference or first frame: 18.744478000 seconds]
        Frame Number: 142
        Frame Length: 649 bytes
        Capture Length: 649 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 635
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 58
        Protocol: UDP (0x11)
        Header checksum: 0x19dc [correct]
            [Good: True]
            [Bad : False]
        Source: 10.5.0.11 (10.5.0.11)
        Destination: 10.15.16.120 (10.15.16.120)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 39656 (39656)
        Source port: kerberos (88)
        Destination port: 39656 (39656)
        Length: 615
        Checksum: 0x267e [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos AS-REP
        Pvno: 5
        MSG Type: AS-REP (11)
        padata: PA-ENCTYPE-INFO2
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
        Client Realm: EXAMPLE.COM
        Client Name (Principal): myprincipal
            Name-type: Principal (1)
            Name: myprincipal
        Ticket
            Tkt-vno: 5
            Realm: EXAMPLE.COM
            Server Name (Unknown): krbtgt/EXAMPLE.COM
                Name-type: Unknown (0)
                Name: krbtgt
                Name: EXAMPLE.COM
            enc-part aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Kvno: 2
                enc-part: 965F746441DBACDD329CFE30D8BF67A40DCBE3FCDCA9CF57...
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            enc-part: 60B6D1BD59D62795AA0986B8FBF43CD1D5DE8117E033022F...
  • 11. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
        268 2010-08-11 08:48:39.601024 10.15.16.120          10.5.0.11             KRB5     TGS-REQ
    
    Frame 268 (698 bytes on wire, 698 bytes captured)
        Arrival Time: Aug 11, 2010 08:48:39.601024000
        [Time delta from previous captured frame: 0.000113000 seconds]
        [Time delta from previous displayed frame: 14.939410000 seconds]
        [Time since reference or first frame: 33.683888000 seconds]
        Frame Number: 268
        Frame Length: 698 bytes
        Capture Length: 698 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
        Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 684
        Identification: 0x670f (26383)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (0x11)
        Header checksum: 0xac9b [correct]
            [Good: True]
            [Bad : False]
        Source: 10.15.16.120 (10.15.16.120)
        Destination: 10.5.0.11 (10.5.0.11)
    User Datagram Protocol, Src Port: 47471 (47471), Dst Port: kerberos (88)
        Source port: 47471 (47471)
        Destination port: kerberos (88)
        Length: 664
        Checksum: 0x2740 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos TGS-REQ
        Pvno: 5
        MSG Type: TGS-REQ (12)
        padata: PA-TGS-REQ
            Type: PA-TGS-REQ (1)
                Value: 6E8201ED308201E9A003020105A10302010EA20703050000... AP-REQ
                    Pvno: 5
                    MSG Type: AP-REQ (14)
                    Padding: 0
                    APOptions: 00000000
                        .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                        ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                    Ticket
                        Tkt-vno: 5
                        Realm: EXAMPLE.COM
                        Server Name (Unknown): krbtgt/EXAMPLE.COM
                            Name-type: Unknown (0)
                            Name: krbtgt
                            Name: EXAMPLE.COM
                        enc-part aes256-cts-hmac-sha1-96
                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                            Kvno: 2
                            enc-part: 965F746441DBACDD329CFE30D8BF67A40DCBE3FCDCA9CF57...
                    Authenticator aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                        Authenticator data: BB71EA777A4F89398F8D393CDB171D3154236273FD348407...
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
                .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
            Realm: EXAMPLE.COM
            Server Name (Service and Host): cvs/cvs.test.example.com
                Name-type: Service and Host (3)
                Name: cvs
                Name: cvs.test.example.com
            till: 2010-08-11 22:48:21 (UTC)
            Nonce: 1281530907
            Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: des-cbc-crc (1)
                Encryption type: des-cbc-md5 (3)
                Encryption type: des-cbc-md4 (2)
  • 12. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    No.     Time                       Source                Destination           Protocol Info
        270 2010-08-11 08:48:39.689031 10.5.0.11             10.15.16.120          KRB5     TGS-REP
    
    Frame 270 (615 bytes on wire, 615 bytes captured)
        Arrival Time: Aug 11, 2010 08:48:39.689031000
        [Time delta from previous captured frame: 0.062874000 seconds]
        [Time delta from previous displayed frame: 0.088007000 seconds]
        [Time since reference or first frame: 33.771895000 seconds]
        Frame Number: 270
        Frame Length: 615 bytes
        Capture Length: 615 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:kerberos]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
            Address: Dell_85:47:69 (00:18:8b:85:47:69)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 601
        Identification: 0x0000 (0)
        Flags: 0x02 (Don't Fragment)
            0.. = Reserved bit: Not Set
            .1. = Don't fragment: Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 58
        Protocol: UDP (0x11)
        Header checksum: 0x19fe [correct]
            [Good: True]
            [Bad : False]
        Source: 10.5.0.11 (10.5.0.11)
        Destination: 10.15.16.120 (10.15.16.120)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47471 (47471)
        Source port: kerberos (88)
        Destination port: 47471 (47471)
        Length: 581
        Checksum: 0xb1bf [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Kerberos TGS-REP
        Pvno: 5
        MSG Type: TGS-REP (13)
        Client Realm: EXAMPLE.COM
        Client Name (Principal): myprincipal
            Name-type: Principal (1)
            Name: myprincipal
        Ticket
            Tkt-vno: 5
            Realm: EXAMPLE.COM
            Server Name (Service and Host): cvs/cvs.test.example.com
                Name-type: Service and Host (3)
                Name: cvs
                Name: cvs.test.example.com
            enc-part des-cbc-crc
                Encryption type: des-cbc-crc (1)
                Kvno: 3
                enc-part: 313842868669488163D7A869686D1FAE08C5AF0BCA05EE8B...
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            enc-part: 0355CF787484A4384BD0C83623D370CF880502470529832C...
  • 13. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    Note that the last exchange trace was sniffed when using a working native client. I realize that there are differences in KDCOptions, till time and cvs service name (which in the Java trace is "unknown"). I don't know how to set KDCOptions in a Java program?! Any more thoughts on this? Help is hugely appreciated!

    Sorry about the spam, but Oracle forums don't allow single posts to be longer than 7K something characters :-(

    Thanks!

    Edited by: Severin_G on Aug 13, 2010 7:16 AM
  • 14. Re: GSSContext initialization failing when context.requestMutualAuth(true)
    843810 Newbie
    Your traced packets do not provide much info. These are AS and TGS messages between the client and the KDC, not JGSS tokens. JGSS tokens are transferred between the application (here, cvs) client and server.

    The exception thrown in your app is OutOfMemoryError. It's quite likely that the "token = new byte[inStream.readInt()];" line has a problem. I guess the server has not sent the length at all. Please try directly calling initSecContext on the stream itself:

    http://download.java.net/jdk7/docs/api/org/ietf/jgss/GSSContext.html#initSecContext(java.io.InputStream, java.io.OutputStream)
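The reply above makes two points worth seeing in code: the AS/TGS traffic in posts 7 to 12 is between the client and the KDC, whereas the tokens JGSS produces travel between the application client and the cvs server; and an OutOfMemoryError at `new byte[inStream.readInt()]` means the four bytes the client read as a length were not a length. The following is an added example, not code from the original thread or from the Sun tutorial the poster adapted. It establishes a mutually authenticated Kerberos context using the stream form of `initSecContext`, so JGSS does its own token framing, and, for the case where the application protocol really does prefix tokens with a 4-byte length as the posted SampleClient assumes, it shows a bounded read that fails cleanly instead of allocating whatever the peer sent. The service name form (`cvs@cvs.test.example.com`, which maps to the `cvs/cvs.test.example.com` principal seen in the traces), the 64 KB token cap and the command-line layout are assumptions; the code expects to run inside the same `LoginContext` / `Subject.doAs` block as the original client, or with `-Djavax.security.auth.useSubjectCredsOnly=false` and a ticket cache. Note that JGSS exposes no setter for KDCOptions; the flags a caller controls are the `GSSContext.request*` methods used below.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example, not code from the original thread. Shows (1) letting JGSS read
 * and write its own tokens from the socket streams, and (2) a bounded read for
 * protocols that prefix each token with a 4-byte length, so a stray text reply
 * from the server becomes an IOException rather than an OutOfMemoryError.
 * Service name, host, port and MAX_TOKEN_LEN are placeholders/assumptions.
 */
public class MutualAuthClient {

    // Kerberos V5 mechanism OID (RFC 1964).
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    // Assumed cap for a framed token. Real AP-REQ/AP-REP tokens are a few KB,
    // so a "length" anywhere near 2 GB is a framing error, not a token.
    static final int MAX_TOKEN_LEN = 64 * 1024;

    /** Establish a mutually authenticated Kerberos context using the stream API. */
    public static GSSContext establishViaStreams(String service, Socket socket)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        // "cvs@cvs.test.example.com" -> cvs/cvs.test.example.com@REALM
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
        GSSContext ctx = manager.createContext(peer, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // ask the server to send an AP-REP back
        ctx.requestInteg(true);
        ctx.requestConf(true);

        DataInputStream in = new DataInputStream(socket.getInputStream());
        DataOutputStream out = new DataOutputStream(socket.getOutputStream());

        // The first call only writes the AP-REQ; with mutual auth the second call
        // reads the AP-REP from 'in' and completes the context. No manual framing.
        while (!ctx.isEstablished()) {
            ctx.initSecContext(in, out);
            out.flush();
        }
        // requestMutualAuth is a request, not a guarantee: check it was honoured
        // before trusting that the peer is who the ticket says it is.
        if (!ctx.getMutualAuthState()) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAUTHORIZED, 0,
                    "server did not prove its identity (mutual auth not established)");
        }
        return ctx;
    }

    /**
     * Bounded read for a 4-byte-length-prefixed token, the framing the posted
     * SampleClient uses. If the server answered with text instead of a token,
     * the first four bytes decode to an implausible length; refuse it.
     */
    static byte[] readFramedToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len <= 0 || len > MAX_TOKEN_LEN) {
            throw new IOException("implausible token length " + len
                    + "; peer probably sent something other than a GSS token");
        }
        byte[] token = new byte[len];
        in.readFully(token);   // readFully, not read(): a short read is not a token
        return token;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("Usage: java -Djava.security.auth.login.config=<jaas.conf> "
                    + "MutualAuthClient <service@host> <host> <port>");
            System.exit(2);
        }
        try (Socket socket = new Socket(args[1], Integer.parseInt(args[2]))) {
            GSSContext ctx = establishViaStreams(args[0], socket);
            System.out.println("context established with " + ctx.getTargName()
                    + ", mutual=" + ctx.getMutualAuthState());
            ctx.dispose();
        }
    }
}
```

If the cvs server's protocol wraps tokens in its own framing (the "BEGIN GSSAPI REQUEST" line in the posted client suggests it does), the stream form still applies to the token bytes themselves; use `readFramedToken` only where the protocol genuinely sends a 4-byte length first, and capture the socket traffic between client and cvs server, not client and KDC, to see which it is.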