6 Replies. Latest reply: Jul 19, 2010 2:05 PM by 843810

    Windows SSO problem with GSS - looking for help in understanding it

    843810
      Hello,
      I'm working on a project where ultimately I'm looking to connect to a Postgres Database through Kerberos from a windows XP client.
      I've been able to get a 'Subject' instance from a LoginContext. However, when I try to authenticate with the JDBC driver I get various exceptions. Essentially the code that is being executed is:
      {code}
      // Imports needed by this snippet
      import javax.security.auth.login.LoginContext;
      import com.sun.security.auth.callback.TextCallbackHandler;
      import org.ietf.jgss.*;

      LoginContext loginContext = new LoginContext("LoginJaas", new TextCallbackHandler());
      loginContext.login();
      // Kerberos V5 mechanism OID
      org.ietf.jgss.Oid[] desiredMechs = new org.ietf.jgss.Oid[1];
      desiredMechs[0] = new org.ietf.jgss.Oid("1.2.840.113554.1.2.2");
      GSSManager manager = GSSManager.getInstance();
      GSSName clientName = manager.createName("bryan", GSSName.NT_USER_NAME);
      GSSCredential clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY);
      // Host-based service name of the form service@host
      GSSName serverName = manager.createName("HTTP@server.lab2k.net", GSSName.NT_HOSTBASED_SERVICE);
      GSSContext secContext = manager.createContext(serverName, desiredMechs[0], clientCreds, GSSContext.DEFAULT_LIFETIME);
      secContext.requestMutualAuth(true);
      {code}
      Running the code with the options: -Djava.security.auth.login.config="jaas.config" -Djava.security.krb5.realm=LAB2K.NET -Djava.security.krb5.kdc=ad.lab2k.net results in:
      {code}
      Username we'll connect as since we haven't supplied one: bryan
      Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Acquire TGT from Cache
      Principal is Bryan@LAB2K.NET
      Commit Succeeded 
      
      GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
              at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
              at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
              at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
              at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
              at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
              at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
              at javaapplication1.LoginJaas.main2(LoginJaas.java:83)
      {code}
      If I run the program with the option  -Djavax.security.auth.useSubjectCredsOnly=false I get:
      {code}
      Username we'll connect as since we haven't supplied one: bryan
      Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Acquire TGT from Cache
      Principal is Bryan@LAB2K.NET
      Commit Succeeded 
      
      Jul 12, 2010 3:44:37 PM javaapplication1.LoginJaas main2
      SEVERE: null
      GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
              at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
              at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
              at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
              at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
              at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
              at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
              at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
              at javaapplication1.LoginJaas.main2(LoginJaas.java:85)
              at javaapplication1.LoginJaas.main(LoginJaas.java:33)
      Caused by: javax.security.auth.login.LoginException: No LoginModules configured for 
              at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
              at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
              at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
              at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
              at java.security.AccessController.doPrivileged(Native Method)
              at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
              ... 8 more
      {code}
      
      I've been reading different things on the web trying to get a better understanding of the Kerberos / GSS-API / JAAS process, but I still feel like I'm floundering around a lot! I have set the registry setting for allowtgtsessionkey, which I think is reflected when I print out the Private Credentials:
      {code}
      user =Bryan@LAB2K.NET
      
      Client Principal = Bryan@LAB2K.NET
      Server Principal = krbtgt/LAB2K.NET@LAB2K.NET
      Session Key = EncryptionKey: keyType=3 keyBytes (hex dump)=
      0000: 9E 32 4F 64 94 B6 73 D5   
      
      Forwardable Ticket true
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket true
      Initial Ticket true
      Auth Time = Mon Jul 12 15:48:40 EDT 2010
      Start Time = Mon Jul 12 15:48:40 EDT 2010
      End Time = Mon Jul 12 19:37:18 EDT 2010
      Renew Till = Mon Jul 19 09:37:18 EDT 2010
      {code}
      
      I appreciate any help in getting this working!
      
      Thanks,
      Bryan.

        • 1. Re: Windows SSO problem with GSS - looking for help in understanding it
          843810
          If you want to call JGSS directly, you need to provide -Djavax.security.auth.useSubjectCredsOnly=false and make sure the JAAS config file includes an entry named com.sun.security.jgss.krb5.initiate.

          If you want to use JAAS to login first, the JAAS config file needs an entry named "LoginJaas" (the name in your new LoginContext(*)). After login(), you must call commit(), and save getSubject(), and then call JGSS using subject.doAs().
          • 2. Re: Windows SSO problem with GSS - looking for help in understanding it
            843810
            Ahh, thanks. That helps, and gives me something to work with. I added a section in to my JAAS config file for com.sun.security.jgss.krb5.initiate, and now whether I have -Djavax.security.auth.useSubjectCredsOnly set to true or false, I get the exception
            GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt
            I wonder if there is some setting I should apply to say where to cache?

            At least I have a new direction to explore.

            Thanks - Bryan.
            • 3. Re: Windows SSO problem with GSS - looking for help in understanding it
              843810
              Do you plan to use the cache? If you're on Windows, make sure you log in as a domain account, or run kinit before trying out the Java program. Also, the JAAS config file entry should have useTicketCache=true.

              You might add -Dsun.security.krb5.debug=true to the command line to see some debug outputs.

              And here is the official doc on how to run JGSS without LoginContext:
              http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
              • 4. Re: Windows SSO problem with GSS - looking for help in understanding it
                843810
                Thanks for the pointer. I'll take a look through the documentation there.
                {code}
                Config name: C:\WINDOWS\krb5.ini
                Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                Acquire TGT from Cache

                KinitOptions cache name is C:\Documents and Settings\bryan\krb5cc_bryan
                Acquire default native Credentials
                Obtained TGT from LSA: Credentials:
                client=bryan@LAB2K.NET server=krbtgt/LAB2K.NET@LAB2K.NET authTime=20100714135711Z startTime=20100714135711Z endTime=20100714162030Z renewTill=20100720210027Z flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT EType (int): 3
                Principal is bryan@LAB2K.NET
                Commit Succeeded
                Found ticket for bryan@LAB2K.NET to go to krbtgt/LAB2K.NET@LAB2K.NET expiring on Wed Jul 14 12:20:30 EDT 2010
                Jul 14, 2010 9:57:11 AM javaapplication1.LoginJaas main2
                SEVERE: null
                GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
                        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
                        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
                        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
                        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
                        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
                        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
                        at javaapplication1.LoginJaas.main2(LoginJaas.java:86)
                        at javaapplication1.LoginJaas.main(LoginJaas.java:33)
                {code}
                I wonder if the message is slightly misleading at this point? Or maybe I'm just misreading the process, but the debug text says 'Obtained TGT from LSA'. It then has found a ticket to go to krbtgt, and I wonder if it is failing there for some reason?

                The line that produces the bulk of this output, and the exception, is the line below. At this point I don't have any source code to dig into this method any further. Maybe reading the documentation will help.
                {code}
                GSSCredential clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY);
                {code}

                Thanks again - Bryan.
                • 5. Re: Windows SSO problem with GSS - looking for help in understanding it
                  843810
                  wangwj wrote:
                  Do you plan to use the cache? If you're on Windows, make sure you log in as a domain account, or run kinit before trying out the Java program. Also, the JAAS config file entry should have useTicketCache=true.

                  You might add -Dsun.security.krb5.debug=true to the command line to see some debug outputs.

                  And here is the official doc on how to run JGSS without LoginContext:
                  http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
                  I went through the tutorial while I had some spare time. I was able to run the sample server and client application on the same machine that I've been using without any problem - using my credentials for both the server and client.

                  I did notice that the sample code doesn't use the GSSManager createCredentials method that the jdbc driver is using ... something for me to dig further into tomorrow.

                  Bryan.
                  • 6. Re: Windows SSO problem with GSS - looking for help in understanding it
                    843810
                    As
                    manager.createCredential(clientName, 8 * 3600, desiredMechs[0], GSSCredential.INITIATE_ONLY)
                    was causing problems, I just tried createCredential(GSSCredential.INITIATE_ONLY).

                    Doing this I changed my name for the createName method from bryan to Bryan@LAB2K.NET - after that the call to createCredential worked.

                    However, now I'm getting another set of exceptions ...
                    KrbException: Server not found in Kerberos database (7)
                    Caused by: KrbException: Identifier doesn't match expected value (906)

                    It seems that this is an Active Directory initiated error from my googling. The one thing I see here is in the debug messages:
                    sname is HTTP/172.16.118.89
                    Not sure why it has the IP address and not the hostname?
                    The service name HTTP has been mapped to the windows account for poe3b.

                    Any thoughts on getting past this issue?

                    Thanks - Bryan.
                    {code}
                    Entered Krb5Context.initSecContext with state=STATE_NEW
                    Service ticket not found in the subject

                    Credentials acquireServiceCreds: same realm
                    Using builtin default etypes for default_tgs_enctypes default etypes for default_tgs_enctypes: 3 1 23 16 17.
                    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
                    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
                    KrbKdcReq send: kdc=labad2.lab2k.net UDP:88, timeout=30000, number of retries =3, #bytes=1270
                    KDCCommunication: kdc=labad2.lab2k.net UDP:88, timeout=30000,Attempt =1, #bytes=1270
                    KrbKdcReq send: #bytes read=92
                    KrbKdcReq send: #bytes read=92
                    KDCRep: init() encoding tag is 126 req type is 13
                    KRBError:
                             sTime is Mon Jul 19 14:19:07 EDT 2010 1279563547000
                             suSec is 899497
                             error code is 7
                             error Message is Server not found in Kerberos database
                             realm is LAB2K.NET
                             sname is HTTP/172.16.118.89
                             msgType is 30
                    KrbException: Server not found in Kerberos database (7)
                            at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
                            at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
                            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
                            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
                            at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
                            at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
                            at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
                            at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
                            at org.postgresql.gss.GssAction.run(MakeGSS.java:106)
                            at java.security.AccessController.doPrivileged(Native Method)
                            at javax.security.auth.Subject.doAs(Subject.java:337)
                            at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:48)
                            at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:378)
                            at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:108)
                            at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
                            at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:125)
                            at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
                            at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
                            at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
                            at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
                            at org.postgresql.Driver.makeConnection(Driver.java:393)
                            at org.postgresql.Driver.connect(Driver.java:267)
                            at java.sql.DriverManager.getConnection(DriverManager.java:582)
                            at java.sql.DriverManager.getConnection(DriverManager.java:154)
                            at javaapplication1.LoginJaas.main2(LoginJaas.java:114)
                            at javaapplication1.LoginJaas.main(LoginJaas.java:37)
                    Caused by: KrbException: Identifier doesn't match expected value (906)
                            at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
                            at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
                            at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
                            at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
                            ... 25 more
                    org.postgresql.util.PSQLException: GSS Authentication failed
                    {code}
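The two-step pattern reply 1 describes (JAAS login, commit, then JGSS inside Subject.doAs()), with the peer named by host name rather than the IP address that produced the "sname is HTTP/172.16.118.89" error in reply 6, as an added example that is not code from the thread or from the PostgreSQL JDBC driver. It assumes a domain-joined Windows client with a TGT in the LSA cache (allowtgtsessionkey set), Java 8 or later, and uses the realm, KDC and service host from the thread as placeholders.

```java
// Added example (not the poster's or the JDBC driver's code): JAAS login first,
// then JGSS inside Subject.doAs(), as reply 1 describes. Assumes a domain-joined
// Windows client with a TGT in the LSA cache (allowtgtsessionkey set) and Java 8+.
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class JaasThenJgss {
    // Kerberos V5 mechanism OID, the same one the thread's code uses.
    static final String KRB5_MECH = "1.2.840.113554.1.2.2";

    // JAAS config carrying both entries reply 1 mentions: "LoginJaas" for the explicit
    // LoginContext below, and com.sun.security.jgss.krb5.initiate, which JGSS uses to
    // log in by itself when -Djavax.security.auth.useSubjectCredsOnly=false is set.
    static final String JAAS_CONFIG =
          "LoginJaas {\n"
        + "  com.sun.security.auth.module.Krb5LoginModule required\n"
        + "    useTicketCache=true doNotPrompt=true debug=true;\n"
        + "};\n"
        + "com.sun.security.jgss.krb5.initiate {\n"
        + "  com.sun.security.auth.module.Krb5LoginModule required\n"
        + "    useTicketCache=true doNotPrompt=true;\n"
        + "};\n";

    public static void main(String[] args) throws Exception {
        // Placeholders taken from the thread; pass your own realm, KDC and service host.
        String realm = args.length > 0 ? args[0] : "LAB2K.NET";
        String kdc   = args.length > 1 ? args[1] : "ad.lab2k.net";
        String host  = args.length > 2 ? args[2] : "server.lab2k.net";

        // Write the config to a temp file so the example needs no -D options on the command line.
        Path cfg = Files.createTempFile("jaas", ".config");
        Files.write(cfg, JAAS_CONFIG.getBytes(StandardCharsets.US_ASCII));
        System.setProperty("java.security.auth.login.config", cfg.toString());
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);
        System.setProperty("sun.security.krb5.debug", "true");   // reply 3's suggestion

        // Step 1: JAAS login. login() drives Krb5LoginModule through login() and commit(),
        // after which the Subject holds the TGT as a private credential.
        LoginContext lc = new LoginContext("LoginJaas");
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("Logged in as " + subject.getPrincipals());

        // Step 2: JGSS inside doAs(). With the default useSubjectCredsOnly=true, JGSS only
        // looks for a TGT in the Subject of the current access-control context; called
        // outside doAs() it sees none and reports "Failed to find any Kerberos tgt".
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH);
            // Name the peer by host name: the TGS request asks for HTTP/<host>, and the KDC
            // only finds it if exactly that SPN is registered on an account. A name such as
            // HTTP/172.16.118.89 is not, so the KDC answers error 7 as in reply 6.
            GSSName peer = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE, krb5);
            // Default initiator credential, i.e. whatever TGT the Subject carries.
            GSSCredential cred = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                      krb5, GSSCredential.INITIATE_ONLY);
            GSSContext ctx = mgr.createContext(peer, krb5, cred, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            // First leg of the handshake: a TGS request for the service ticket, then the
            // AP-REQ wrapped in a GSS-API token that goes to the service.
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("Initial context token: " + token.length + " bytes");
        Files.deleteIfExists(cfg);
    }
}
```

Run it with a domain login active on the client; with sun.security.krb5.debug=true the output shows the TGT being read from the LSA and the sname sent in the TGS request, which is the first thing to check when error 7 comes back.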