0 Replies. Latest reply: Apr 27, 2010 1:43 AM by 843810

    SSO doesn't work when using different JDKs in client and server side

      Hi friends,

      The system is running in a Windows domain environment and we use an AD server to store the user information within this domain.
      The server is running on an application server such as JBoss or WebLogic, and the clients are browser-based and RCP applications. If the server is running on the Sun JDK, SSO works fine when the client is either a browser or the RCP (running on the Sun JDK as well). But if I use the IBM JDK (J9) to run the RCP rich client, SSO does not work. Note that I have changed the client code accordingly to use the IBM login module (com.ibm.security.auth.module.Krb5LoginModule).

      The client communicates with the server by web service:
      Client code:
              // initiator side: produce the GSS initial context token
              byteToken = i_gssContext.initSecContext(byteToken, 0, byteToken.length);
              ISSOAuthentication ssoService = (ISSOAuthentication) i_service;
              log("AuthenticationAction() - initSecContext successful"); //$NON-NLS-1$
              // call the web service, which passes the token to acceptSecContext() and returns the reply token
              returnToken = ssoService.getToken(byteToken);
      Server code:
      public byte[] getToken(byte[] input) throws SecurityException {
              // connect to KDC
              // inBytes = decodeTicket(input);
              byte[] inBytes = input;
              // this call throws the exception below; that's what is blocking me
              byte[] token = serverGSSContext.acceptSecContext(inBytes, 0, inBytes.length);
              // build a KerberosTicket from the GSSContext
              KerberosTicket ticket = buildTicket(serverGSSContext);
              // ... (rest of the method not shown in the post)
      }
      But if the client communicates with the server using a socket rather than a web service on the application server, there is no problem (different JDKs on the server and client side).
      It's really strange. I get the same issue in both JBoss and WebLogic.

      The exception makes me believe there should be something wrong with the configuration rather than my code. But I have no idea what I should configure: the user information in AD or the JAAS configuration? Does anyone have an idea about this?

      GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES CBC mode with MD5 but decryption key is of type NULL)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
           at com.rky.security.sso.adapter.KerberosAuthenticator.getToken(KerberosAuthenticator.java:197)
           at com.rky.security.ws.axis.SSOAuthenticationSoapBindingImpl.getToken(SSOAuthenticationSoapBindingImpl.java:35)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397)
           at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186)
           at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323)
           at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
           at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
           at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
           at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454)
           at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281)
      Caused by: KrbException: EncryptedData is encrypted using keytype DES CBC mode with MD5 but decryption key is of type NULL
           at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:160)
           at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)
           at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:259)
           at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)

      Ricky Ru
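Added example, not part of the post above and not the poster's code. The exception names the etype of the EncryptedData it could not decrypt ("DES CBC mode with MD5", Kerberos etype 3), so one check worth making on the server side is which etypes the IBM client's token actually carries on the wire. The script below decodes the outer structure of a KRB5 GSS-API initial context token (the RFC 2743 InitialContextToken wrapper, the RFC 4121 TOK_ID, and enough of the RFC 4120 KRB_AP_REQ to reach the ticket enc-part and the authenticator) and reports the realm, the service principal and both etypes. The realm, service name and zero-filled ciphertext in the built-in sample token are constructed values so the script runs offline; on a real system pass it the base64 token taken from the SOAP request. One caveat: the KRB_CRED that the trace shows failing (InitialToken$OverloadedChecksum -> KrbCred) sits in the checksum field of the Authenticator, which is only readable after the acceptor has decrypted the Authenticator, so it is not visible on the wire. This tool only shows the outer etypes.

```python
"""Report the Kerberos encryption types carried by a GSS-API initial context token.

Added example, not code from the original post.  Decodes the RFC 2743 wrapper,
the RFC 4121 TOK_ID and the parts of the RFC 4120 KRB_AP_REQ needed to show the
etype of the ticket enc-part and of the authenticator.  The sample token is
constructed here with zero ciphertext; real tokens come from the SOAP request.
"""
import base64
import sys

KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"                             # KRB_AP_REQ, RFC 4121 section 4.1
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the single-byte-tag DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def unwrap(tlv, expect):
    """Check the tag of a single TLV and return its content."""
    tag, val, _ = der_read(tlv)
    if tag != expect:
        raise ValueError("expected tag 0x%02x, got 0x%02x" % (expect, tag))
    return val


def etype_of(enc_data):
    """EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] OPTIONAL, cipher [2] }"""
    fields = dict(der_children(enc_data))
    return int.from_bytes(unwrap(fields[0xA0], 0x02), "big", signed=True)


def inspect_token(token):
    """Parse a raw KRB5 GSS initial token and report the etypes it was built with."""
    body = unwrap(token, 0x60)                          # [APPLICATION 0] InitialContextToken
    oid_tag, oid, pos = der_read(body)
    if oid_tag != 0x06 or oid != KRB5_MECH_OID:
        raise ValueError("mechanism OID is not Kerberos V5")
    if body[pos:pos + 2] != TOK_ID_AP_REQ:
        raise ValueError("TOK_ID %s is not KRB_AP_REQ" % body[pos:pos + 2].hex())
    ap_req = dict(der_children(unwrap(unwrap(body[pos + 2:], 0x6E), 0x30)))  # [APPLICATION 14]
    ticket = dict(der_children(unwrap(unwrap(ap_req[0xA3], 0x61), 0x30)))    # [APPLICATION 1]
    sname = dict(der_children(unwrap(ticket[0xA2], 0x30)))                    # PrincipalName
    names = [v.decode("ascii") for _, v in der_children(unwrap(sname[0xA1], 0x30))]
    ticket_etype = etype_of(unwrap(ticket[0xA3], 0x30))
    auth_etype = etype_of(unwrap(ap_req[0xA4], 0x30))
    return {"realm": unwrap(ticket[0xA1], 0x1B).decode("ascii"),
            "sname": "/".join(names),
            "ticket_etype": ticket_etype,
            "ticket_etype_name": ETYPE_NAMES.get(ticket_etype, "unknown"),
            "authenticator_etype": auth_etype,
            "authenticator_etype_name": ETYPE_NAMES.get(auth_etype, "unknown")}


# --- constructed test data: a well-formed AP-REQ token with zero-filled ciphertext ---
def der(tag, value):
    """Encode one DER TLV (content shorter than 65536 bytes)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def der_integer(i):
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))


def encrypted_data(etype, cipher):
    return der(0x30, der(0xA0, der_integer(etype)) + der(0xA2, der(0x04, cipher)))


def build_sample_token(realm, service, host, ticket_etype, auth_etype):
    """Build a syntactically valid KRB_AP_REQ GSS token; no real keys are involved."""
    def gstr(s):
        return der(0x1B, s.encode("ascii"))             # KerberosString (GeneralString)
    sname = der(0x30, der(0xA0, der_integer(2))
                + der(0xA1, der(0x30, gstr(service) + gstr(host))))
    ticket = der(0x61, der(0x30, der(0xA0, der_integer(5)) + der(0xA1, gstr(realm))
                           + der(0xA2, sname)
                           + der(0xA3, encrypted_data(ticket_etype, bytes(64)))))
    ap_req = der(0x6E, der(0x30, der(0xA0, der_integer(5)) + der(0xA1, der_integer(14))
                           + der(0xA2, der(0x03, b"\x00\x20\x00\x00\x00"))  # ap-options: mutual-required
                           + der(0xA3, ticket)
                           + der(0xA4, encrypted_data(auth_etype, bytes(48)))))
    return der(0x60, der(0x06, KRB5_MECH_OID) + TOK_ID_AP_REQ + ap_req)


if __name__ == "__main__":
    # usage: python gss_etypes.py <base64 token>; with no argument the constructed sample is shown
    raw = (base64.b64decode(sys.argv[1]) if len(sys.argv) > 1
           else build_sample_token("CORP.EXAMPLE", "HTTP", "sso.corp.example", 3, 3))
    for key, value in inspect_token(raw).items():
        print("%-25s %s" % (key, value))
```

The token the script expects is the raw KRB5 mechanism token, i.e. what initSecContext() returns from a context created with the Kerberos V5 mechanism OID. If the client wraps it in SPNEGO (OID 1.3.6.1.5.5.2), the script reports a mechanism OID mismatch rather than guessing; the Kerberos token is then the mechToken inside the NegTokenInit. Compare the reported etypes with the etypes the acceptor's keytab or login-module credential actually holds for the service principal.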