This discussion is archived
6 Replies Latest reply: Jul 19, 2010 12:05 PM by 843810

Windows SSO problem with GSS - looking for help in understanding it

843810 Newbie
Hello,
I'm working on a project where ultimately I'm looking to connect to a Postgres database through Kerberos from a Windows XP client.
I've been able to get a 'Subject' instance from a LoginContext. However, when I try to authenticate with the JDBC driver I get various exceptions. Essentially the code that is being executed is:
{code}
import javax.security.auth.login.LoginContext;
import com.sun.security.auth.callback.TextCallbackHandler;
import org.ietf.jgss.*;

LoginContext loginContext = new LoginContext("LoginJaas", new TextCallbackHandler());
loginContext.login();

org.ietf.jgss.Oid[] desiredMechs = new org.ietf.jgss.Oid[1];
desiredMechs[0] = new org.ietf.jgss.Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
GSSManager manager = GSSManager.getInstance();
GSSName clientName = manager.createName("bryan", GSSName.NT_USER_NAME);
GSSCredential clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY);
// host-based service name in the form service@host
GSSName serverName = manager.createName("HTTP" + "@" + "server.lab2k.net", GSSName.NT_HOSTBASED_SERVICE);
GSSContext secContext = manager.createContext(serverName, desiredMechs[0], clientCreds, GSSContext.DEFAULT_LIFETIME);
secContext.requestMutualAuth(true);
{code}
Running the code with the options: -Djava.security.auth.login.config="jaas.config" -Djava.security.krb5.realm=LAB2K.NET -Djava.security.krb5.kdc=ad.lab2k.net results in:
{code}
Username we'll connect as since we haven't supplied one: bryan
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Bryan@LAB2K.NET
Commit Succeeded 

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
        at javaapplication1.LoginJaas.main2(LoginJaas.java:83)
{code}
If I run the program with the option  -Djavax.security.auth.useSubjectCredsOnly=false I get:
{code}
Username we'll connect as since we haven't supplied one: bryan
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Bryan@LAB2K.NET
Commit Succeeded 

Jul 12, 2010 3:44:37 PM javaapplication1.LoginJaas main2
SEVERE: null
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
        at javaapplication1.LoginJaas.main2(LoginJaas.java:85)
        at javaapplication1.LoginJaas.main(LoginJaas.java:33)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for 
        at javax.security.auth.login.LoginContext.init(LoginContext.java:256)
        at javax.security.auth.login.LoginContext.<init>(LoginContext.java:499)
        at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
        at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
        at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
        ... 8 more
{code}

I've been reading different things on the web trying to get a better understanding of the Kerberos / GSS API / JAAS process, but I still feel like I'm floundering around a lot! I have set the registry setting for allowtgtsessionkey, which I think is reflected when I print out the Private Credentials:
{code}
user =Bryan@LAB2K.NET

Client Principal = Bryan@LAB2K.NET
Server Principal = krbtgt/LAB2K.NET@LAB2K.NET
Session Key = EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 9E 32 4F 64 94 B6 73 D5   

Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Jul 12 15:48:40 EDT 2010
Start Time = Mon Jul 12 15:48:40 EDT 2010
End Time = Mon Jul 12 19:37:18 EDT 2010
Renew Till = Mon Jul 19 09:37:18 EDT 2010
{code}

I appreciate any help in getting this working!

Thanks,
Bryan.
  • 1. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    If you want to call JGSS directly, you need to provide -Djavax.security.auth.useSubjectCredsOnly=false and make sure the JAAS config file includes an entry named com.sun.security.jgss.krb5.initiate.

    If you want to use JAAS to login first, the JAAS config file needs an entry named "LoginJaas" (the name in your new LoginContext(*)). After login(), you must call commit(), and save getSubject(), and then call JGSS using subject.doAs().
  • 2. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    Ahh, thanks. That helps, and gives me something to work with. I added a section into my JAAS config file for com.sun.security.jgss.krb5.initiate, and now whether I have -Djavax.security.auth.useSubjectCredsOnly set to true or false, I get the exception
    {code}
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt
    {code}
    I wonder if there is some setting I should apply to say where to cache?

    At least I have a new direction to explore.

    Thanks - Bryan.
  • 3. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    Do you plan to use the cache? If you're on Windows, make sure you log in as a domain account, or run kinit before trying out the Java program. Also, the JAAS config file entry should have useTicketCache=true.

    You might add -Dsun.security.krb5.debug=true to the command line to see some debug outputs.

    And here is the official doc on how to run JGSS without LoginContext:
    http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
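    The two replies above describe one workable setup: a JAAS entry named after the LoginContext (reply 1), with useTicketCache=true so the Krb5LoginModule picks up the TGT that kinit or the Windows domain logon already obtained (reply 3), and every JGSS call wrapped in Subject.doAs() so the mechanism finds that TGT in the Subject. The following program is an added example written for this thread; it is not code from the original posts or from the PostgreSQL driver. The entry name LoginJaas, the realm LAB2K.NET and the service name HTTP@server.lab2k.net are taken from the thread; the jaas.config in the comment is an assumed minimal file.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added example (not from the thread). Assumed jaas.config, passed with
// -Djava.security.auth.login.config=jaas.config:
//
//   LoginJaas {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true      // read the TGT kinit / the domain logon created
//           doNotPrompt=true         // never fall back to a password prompt
//           debug=true;
//   };
//
//   // Only needed when running JGSS directly with
//   // -Djavax.security.auth.useSubjectCredsOnly=false (reply 1):
//   com.sun.security.jgss.krb5.initiate {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true
//           doNotPrompt=true;
//   };
//
// Run with:
//   java -Djava.security.auth.login.config=jaas.config
//        -Djava.security.krb5.realm=LAB2K.NET -Djava.security.krb5.kdc=ad.lab2k.net
//        -Dsun.security.krb5.debug=true JaasThenJgss
public class JaasThenJgss {

    public static void main(String[] args) throws Exception {
        // Step 1: JAAS login. LoginContext.login() drives the module's login()
        // and commit() phases, so the TGT lands in the Subject's private credentials.
        LoginContext lc = new LoginContext("LoginJaas");
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("logged in as: " + subject.getPrincipals());

        // Step 2: run the JGSS calls as that Subject. With the default
        // useSubjectCredsOnly=true, this is where the Kerberos mechanism looks
        // for the TGT; outside doAs() it sees an empty Subject and reports
        // "Failed to find any Kerberos tgt".
        byte[] token = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism
                GSSManager mgr = GSSManager.getInstance();
                // null name = "whatever principal is in the Subject" (e.g. Bryan@LAB2K.NET),
                // which avoids the bryan vs. Bryan@LAB2K.NET mismatch seen in the thread.
                GSSCredential creds = mgr.createCredential(
                        null, GSSCredential.DEFAULT_LIFETIME, krb5,
                        GSSCredential.INITIATE_ONLY);
                GSSName service = mgr.createName(
                        "HTTP@server.lab2k.net", GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(
                        service, krb5, creds, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                // The first initSecContext() fetches a service ticket from the KDC
                // and returns the AP-REQ token that goes to the server.
                return ctx.initSecContext(new byte[0], 0, 0);
            }
        });
        System.out.println("initial context token: " + token.length + " bytes");
    }
}
```

    With -Djavax.security.auth.useSubjectCredsOnly=false and the com.sun.security.jgss.krb5.initiate entry in place, the Subject.doAs() wrapper becomes optional: JGSS then performs its own login through that entry. Either way, useTicketCache=true with doNotPrompt=true is what makes the run depend on an existing TGT rather than on a password typed into the program.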
  • 4. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    Thanks for the pointer. I'll take a look through the documentation there.
    {code}
    Config name: C:\WINDOWS\krb5.ini
    Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache

    KinitOptions cache name is C:\Documents and Settings\bryan\krb5cc_bryan
    Acquire default native Credentials
    Obtained TGT from LSA: Credentials:
    client=bryan@LAB2K.NET server=krbtgt/LAB2K.NET@LAB2K.NET authTime=20100714135711Z startTime=20100714135711Z endTime=20100714162030Z renewTill=20100720210027Z flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT EType (int): 3
    Principal is bryan@LAB2K.NET
    Commit Succeeded
    Found ticket for bryan@LAB2K.NET to go to krbtgt/LAB2K.NET@LAB2K.NET expiring on Wed Jul 14 12:20:30 EDT 2010
    Jul 14, 2010 9:57:11 AM javaapplication1.LoginJaas main2
    SEVERE: null
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
            at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
            at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
            at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:178)
            at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:384)
            at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:57)
            at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:145)
            at javaapplication1.LoginJaas.main2(LoginJaas.java:86)
            at javaapplication1.LoginJaas.main(LoginJaas.java:33)
    {code}
    I wonder if the message is slightly misleading at this point? Or maybe I'm just misreading the process, but the debug text says 'Obtained TGT from LSA'. It then has found a ticket to go to krbtgt, and I wonder if it is failing there for some reason?

    The line that produces the bulk of this output, and the exception is the line below. At this point I don't have any source code to dig in to this method any further. Maybe reading the documentation will help.
    {code}
    GSSCredential clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY);
    {code}

    Thanks again - Bryan.
  • 5. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    wangwj wrote:
    Do you plan to use the cache? If you're on Windows, make sure you log in as a domain account, or run kinit before trying out the Java program. Also, the JAAS config file entry should have useTicketCache=true.

    You might add -Dsun.security.krb5.debug=true to the command line to see some debug outputs.

    And here is the official doc on how to run JGSS without LoginContext:
    http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
    I went through the tutorial while I had some spare time. I was able to run the sample server and client application on the same machine that I've been using without any problem - using my credentials for both the server and client.

    I did notice that the sample code doesn't use the GSSManager createCredentials method that the jdbc driver is using ... something for me to dig further into tomorrow.

    Bryan.
  • 6. Re: Windows SSO problem with GSS - looking for help in understanding it
    843810 Newbie
    As
    {code}
    manager.createCredential(clientName, 8 * 3600, desiredMechs[0], GSSCredential.INITIATE_ONLY)
    {code}
    was causing problems, I just tried createCredential(GSSCredential.INITIATE_ONLY).

    Doing this I changed my name for the createName method from bryan to Bryan@LAB2K.NET - after that the call to createCredential worked.

    However, now I'm getting another set of exceptions ...
    {code}
    KrbException: Server not found in Kerberos database (7)
    Caused by: KrbException: Identifier doesn't match expected value (906)
    {code}

    It seems that this is an Active Directory initiated error, from my googling. The one thing I see here is in the debug messages:
    {code}
    sname is HTTP/172.16.118.89
    {code}
    Not sure why it has the IP address and not the hostname?
    The service name HTTP has been mapped to the Windows account for poe3b.

    Any thoughts on getting past this issue?

    Thanks - Bryan.
    {code}
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Service ticket not found in the subject

    Credentials acquireServiceCreds: same realm
    Using builtin default etypes for default_tgs_enctypes default etypes for default_tgs_enctypes: 3 1 23 16 17.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbKdcReq send: kdc=labad2.lab2k.net UDP:88, timeout=30000, number of retries =3, #bytes=1270
    KDCCommunication: kdc=labad2.lab2k.net UDP:88, timeout=30000,Attempt =1, #bytes=1270
    KrbKdcReq send: #bytes read=92
    KrbKdcReq send: #bytes read=92
    KDCRep: init() encoding tag is 126 req type is 13
    KRBError:
             sTime is Mon Jul 19 14:19:07 EDT 2010 1279563547000
             suSec is 899497
             error code is 7
             error Message is Server not found in Kerberos database
             realm is LAB2K.NET
             sname is HTTP/172.16.118.89
             msgType is 30
    KrbException: Server not found in Kerberos database (7)
            at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
            at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
            at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
            at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
            at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
            at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
            at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
            at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
            at org.postgresql.gss.GssAction.run(MakeGSS.java:106)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:337)
            at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:48)
            at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:378)
            at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:108)
            at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
            at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:125)
            at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
            at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
            at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
            at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
            at org.postgresql.Driver.makeConnection(Driver.java:393)
            at org.postgresql.Driver.connect(Driver.java:267)
            at java.sql.DriverManager.getConnection(DriverManager.java:582)
            at java.sql.DriverManager.getConnection(DriverManager.java:154)
            at javaapplication1.LoginJaas.main2(LoginJaas.java:114)
            at javaapplication1.LoginJaas.main(LoginJaas.java:37)
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
            at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
            at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
            at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
            ... 25 more
    org.postgresql.util.PSQLException: GSS Authentication failed
    {code}
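    The last post shows the KDC being asked for HTTP/172.16.118.89 even though the program supplied a hostname, and error 7 follows because no account in the domain carries an SPN with the IP address in it. The diagnostic below is an added example for this thread, not code from the posts or from the driver: it prints the forward and reverse DNS results for the host and then canonicalizes the same host-based GSS name to the Kerberos mechanism on the running JVM, so the SPN that JGSS will actually request can be compared with the SPN registered in Active Directory. It assumes a reachable realm configuration (krb5.ini or the -Djava.security.krb5.realm/-Djava.security.krb5.kdc options), because canonicalizing to Kerberos needs a default realm; the host server.lab2k.net and service HTTP are the thread's values and can be overridden on the command line.

```java
import java.net.InetAddress;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added diagnostic (not from the thread). Usage:
//   java -Djava.security.krb5.realm=LAB2K.NET -Djava.security.krb5.kdc=ad.lab2k.net SpnCheck [host] [service]
public class SpnCheck {

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "server.lab2k.net"; // host from the thread
        String service = args.length > 1 ? args[1] : "HTTP";           // service from the thread

        // Forward lookup: what address the name resolves to.
        InetAddress addr = InetAddress.getByName(host);
        // Reverse lookup, as done by InetAddress.getCanonicalHostName(): when the
        // address has no PTR record this returns the textual IP, which is how an
        // SPN like HTTP/172.16.118.89 can end up in the TGS request on JDKs of the
        // thread's era (later JDKs keep the supplied name unless the canonical
        // form merely extends it).
        String canonical = addr.getCanonicalHostName();
        System.out.println("forward lookup : " + host + " -> " + addr.getHostAddress());
        System.out.println("reverse lookup : " + addr.getHostAddress() + " -> " + canonical);

        // Ask JGSS itself what Kerberos principal it derives from the host-based name.
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        GSSManager mgr = GSSManager.getInstance();
        GSSName hostBased = mgr.createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSName mechName = hostBased.canonicalize(krb5);
        System.out.println("SPN JGSS will request: " + mechName);

        if (canonical.equals(addr.getHostAddress())) {
            System.out.println("no reverse DNS for " + addr.getHostAddress()
                    + ": the KDC is asked for " + service + "/" + canonical
                    + "; register that SPN or fix the PTR record so the FQDN is used");
        } else if (!canonical.equalsIgnoreCase(host)) {
            System.out.println("note: " + host + " canonicalizes to " + canonical
                    + "; the SPN in AD must be " + service + "/" + canonical);
        }
    }
}
```

    Reading the two printed names side by side tells you whether the mismatch is a DNS problem (the reverse lookup yields an address instead of the FQDN) or an SPN registration problem (the derived principal is a proper FQDN, but no account in the domain owns it). In the thread's case the debug line sname is HTTP/172.16.118.89 points at the first kind.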