15 Replies. Latest reply: Apr 10, 2011 9:01 AM by 854191

    Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed

    843810
      Hi,

      I failed to get Kerberos authentication working across domains. I have User1 in REALMX. I have no problem getting authenticated to access http://machine1.REALMX.COM using user1.REALM.COM. However, if I want to access an HTTP service in another domain (REALMY.COM), I get KrbException: Message stream modified.

      Can someone shed light on it?

      Thanks,
      Frank Meng



      I am running on the Windows platform. All servers are Windows servers.

      This is my config file:

      [libdefaults]
          default_realm = REALMX.COM
          udp_preference_limit = 1
          default_tkt_enctypes = des-cbc-crc
          default_tgs_enctypes = des-cbc-crc

      [realms]
          REALMX.COM = {
              kdc = dc01.REALMX.COM
          }
          REALMY.COM = {
              kdc = dc02.REALMY.COM
          }

      [domain_realm]
          .REALMX.COM = REALMX.COM
          .REALMY.COM = REALMY.COM

      [capaths]
          REALMY.COM = {
              REALMX.COM = .
          }
          REALMX.COM = {
              REALMY.COM = .
          }


      com.sun.security.jgss.krb5.initiate {
          com.sun.security.auth.module.Krb5LoginModule required
          client=TRUE
          debug=true;
      };



      Log:

      Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] user entered username: user1@REALMX.COM

      default etypes for default_tkt_enctypes: 1.
      Acquire TGT using AS Exchange
      default etypes for default_tkt_enctypes: 1.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc01@REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=140
      DEBUG: TCPClient reading 181 bytes
      KrbKdcReq send: #bytes read=181
      KrbKdcReq send: #bytes read=181
      KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
           sTime is Mon Mar 23 16:31:53 EDT 2009 1237840313000
           suSec is 853386
           error code is 25
           error Message is Additional pre-authentication required
           realm is REALMX.COM
           sname is krbtgt/REALMX.COM
           eData provided.
           msgType is 30
      Pre-Authentication Data:
           PA-DATA type = 11
           PA-ETYPE-INFO etype = 1
      Pre-Authentication Data:
           PA-DATA type = 2
           PA-ENC-TIMESTAMP
      Pre-Authentication Data:
           PA-DATA type = 15
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
      default etypes for default_tkt_enctypes: 1.
      Pre-Authentication: Set preferred etype = 1
      Updated salt from pre-auth = REALMX.COMUser1
      KrbAsReq salt is REALMX.COMUser1
      Pre-Authenticaton: find key for etype = 1
      AS-REQ: Add PA_ENC_TIMESTAMP now
      EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      crc32: 8b192af0
      crc32: 10001011000110010010101011110000
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc01. REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=214
      DEBUG: TCPClient reading 1941 bytes
      KrbKdcReq send: #bytes read=1941
      KrbKdcReq send: #bytes read=1941
      EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      crc32: aaa8b968
      crc32: 10101010101010001011100101101000
      KrbAsRep cons in KrbAsReq.getReply user1
      default etypes for default_tkt_enctypes: 1.
      principal is user1@REALMX.COM
      EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 2A CE 5E 91 CE EF 16 DA
      Commit Succeeded

      Found ticket for user1@REALMX.COM to go to krbtgt/COM@REALMX.COM expiring on Tue Mar 24 02:31:53 EDT 2009
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 1.
      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      crc32: 18f0044
      crc32: 1100011110000000001000100
      KrbKdcReq send: kdc=torgdcw01.PROD.QUEST.CORP TCP:88, timeout=30000, number of retries =3, #bytes=1919
      DEBUG: TCPClient reading 1866 bytes
      KrbKdcReq send: #bytes read=1866
      KrbKdcReq send: #bytes read=1866
      EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
      crc32: 4b85af36
      crc32: 1001011100001011010111100110110
      KrbException: Message stream modified (41)
           at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:48)
           at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:79)
           at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        • 1. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
          843810
          Credentials acquireServiceCreds: same realm
          This does not look like a cross realm attempt.
          • 2. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
            843810
            Wangwj, thanks for your quick reply.

            I defined the two realms in the krb5.conf file; the default realm is REALMX.ABC.COM. Then I try to access a resource in realm REALMY.ABC.COM. In the Authenticator, I provide the credentials of User1@REALMX.ABC.COM.

            I thought that's all. Did I miss anything?

            Thanks,
            FM
            • 3. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
              843810
              How does Java determine if it is same realm or different realm?

              I found in the log that it considers it the same realm if the login user's domain is the same as the default realm (user1@REALMX and default realm REALMX), even if the target host is in the different realm REALMY. If the default realm is different from the login user's domain, it considers it a different realm.
              • 4. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                843810
                Have you checked out this Java bug:
                http://bugs.sun.com/view_bug.do?bug_id=6727246
                • 5. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                  843810
                  OK, it seems it is the bug giving me such a hard time.

                  Symptoms are exactly the same, except my build # is 1.6.0_04-b12.
                  • 6. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                    843810
                    More searching on the Sun bugs site shows this:

                    HTTP/SPNEGO should work across realms
                    http://bugs.sun.com/view_bug.do?bug_id=6670362

                    The description shows "When accessing a web page using HTTP/SPNEGO, the service principal is always assumed to be in the same realm as the client principal", which matches your case. According to the page, the bug was fixed in JDK 7 (b26). You might try downloading a JDK 7 build from:

                    http://download.java.net/jdk7/binaries/
                    • 7. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                      843810
                      Thanks for the information. I tried it on jre7 b51. It did make lots of progress but still failed at the last step.



                      Found ticket for user1@REALMX.ABC.COM to go to krbtgt/REALMX.ABC.COM@ REALMX.ABC.COM expiring on Wed Mar 25 21:08:28 EDT 2009
                      Entered Krb5Context.initSecContext with state=STATE_NEW
                      Service ticket not found in the subject
                      Realm doInitialParse: cRealm=[REALMX.ABC.COM], sRealm=[ REALMY.ABC.COM]
                      Realm parseCapaths: loop 1: target= REALMY.ABC.COM
                      Realm parseCapaths: loop 1: no intermediaries
                      Realm parseCapaths [0]= REALMX.ABC.COM
                      Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/ REALMY.ABC.COM@REALMX.ABC.COM
                      Using builtin default etypes for default_tgs_enctypes
                      default etypes for default_tgs_enctypes: 3 1 23 16 17.
                      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
                      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                      KrbKdcReq send: kdc=dc01.REALMX.ABC.COM TCP:88, timeout=30000, number of retries =3, #bytes=1934
                      DEBUG: TCPClient reading 1877 bytes
                      KrbKdcReq send: #bytes read=1877
                      KrbKdcReq send: #bytes read=1877
                      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                      Credentials acquireServiceCreds: got tgt
                      Credentials acquireServiceCreds: got right tgt
                      Credentials acquireServiceCreds: obtaining service creds for HTTP/machine2.REALMY.ABC.COM@REALMX.ABC.COM
                      Using builtin default etypes for default_tgs_enctypes
                      default etypes for default_tgs_enctypes: 3 1 23 16 17.
                      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
                      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
                      KrbKdcReq send: kdc= dc02.REALMY.ABC.COM TCP:88, timeout=30000, number of retries =3, #bytes=1929
                      DEBUG: TCPClient reading 1902 bytes
                      KrbKdcReq send: #bytes read=1902
                      KrbKdcReq send: #bytes read=1902
                      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
                      Credentials acquireServiceCreds: returning creds:
                      DEBUG: ----Credentials----
                           client: user1@REALMX.ABC.COM
                           server: HTTP/ machine2.REALMY.ABC.COM@REALMX.ABC.COM
                           ticket: realm: REALMY.ABC.COM
                      sname: HTTP/ machine2.REALMY.ABC.COM@REALMY.ABC.COM
                           startTime: 1237993709000
                           endTime: 1238029708000
                      ----Credentials end----
                      KrbApReq: APOptions are 00100000 00000000 00000000 00000000
                      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
                      Krb5Context setting mySeqNumber to: 409360251
                      Created InitSecContextToken:
                      0000: 01 00 6E 82 07 1C 30 82 07 18 A0 03 02 01 05 A1 ..n...0.........
                      0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 06
                      ......... ......... .........
                      ......... some binary data ....
                      ......... ......... .........

                      Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
                      GSSException: Defective token detected (Mechanism level: AP_REP token id does not match!)
                      Negotiate support cannot continue. Reason:
                           at sun.security.jgss.krb5.AcceptSecContextToken.<init>(Unknown Source)
                           at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
                           at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
                           at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
                      • 8. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                        843810
                        Can you post the removed 'some binary data' here?

                        Your error says "AP_REP token id does not match!". Hope the token is shown in the binary data so that we can see what its id is.
                        • 9. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                          843810
                          Sure. This is the binary data stuff.
                          DEV.QUEST.CORP is REALMY
                          stldev039.dev.quest.corp is machine1@REALMY

                          Thanks,
                          FM


                          Krb5Context setting mySeqNumber to: 950488333
                          Created InitSecContextToken:
                          • 10. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                            843810
                            ********* this is the second half **********

                            • 11. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                              843810
                              Unfortunately this is only the data sent from the client to the server; the reply is not printed.

                              Do you have some other way to capture the data sent back by the server? Say, a network sniffer.

                              Edited by: wangwj on Mar 26, 2009 1:30 PM
                              • 12. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                                843810
                                Add these lines at the beginning of your code, and you can capture more HTTP info:
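                                // Requires at the top of the file: import java.util.logging.*;
                                // Logger name used by the JDK's HTTP client implementation.
                                String HTTPLOG = "sun.net.www.protocol.http.HttpURLConnection";
                                Logger.getLogger(HTTPLOG).setLevel(Level.ALL);
                                // ConsoleHandler defaults to INFO, so raise its level as well.
                                Handler h = new ConsoleHandler();
                                h.setLevel(Level.ALL);
                                Logger.getLogger(HTTPLOG).addHandler(h);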
                                • 13. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
                                  843810
                                  Thank you, Wangwj. You led me in the right direction. Now my Kerberos code is working across realms.

                                  In fact, DNS is the culprit for the "AP_REP token id does not match" error. As you suggested, I wiresharked the network traffic, and found that inside the Kerberos error message, it stated the target server name is different from the one I provided. For some reason, DNS has two names for the same machine, and it returned a wrong one.

                                  After I changed to another machine, everything works fine. But JRE 1.7 is still necessary, because it fixed the same-realm issue.
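Added example, not part of the original thread: a triage script for two things visible in the logs above, the same-realm lookup discussed in replies 3 and 6 and the DES-only enctype lists produced by the first post's krb5.conf. The function names, finding labels, target hostnames and both log samples are constructed for illustration; the log line formats follow the debug output quoted in the thread.

```python
import re

# Constructed input: [domain_realm] as in the krb5.conf from the first post.
KRB5_CONF = """
[libdefaults]
default_realm = REALMX.COM
[domain_realm]
     .REALMX.COM = REALMX.COM
     .REALMY.COM = REALMY.COM
"""

# Constructed input: debug lines in the format of the JDK 6 log in the first post.
JDK6_LOG = """
default etypes for default_tkt_enctypes: 1.
Found ticket for user1@REALMX.COM to go to krbtgt/REALMX.COM@REALMX.COM expiring on Tue Mar 24 02:31:53 EDT 2009
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 1.
KrbException: Message stream modified (41)
"""

# Constructed input: debug lines in the format of the JDK 7 log in reply 7.
JDK7_LOG = """
Found ticket for user1@REALMX.COM to go to krbtgt/REALMX.COM@REALMX.COM expiring on Wed Mar 25 21:08:28 EDT 2009
Realm doInitialParse: cRealm=[REALMX.COM], sRealm=[ REALMY.COM]
default etypes for default_tgs_enctypes: 3 1 23 16 17.
"""

SINGLE_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5


def parse_domain_realm(conf):
    """Return {domain-or-host (lowercase): REALM} from the [domain_realm] section."""
    mapping, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry wins; otherwise the longest matching '.domain' suffix."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    suffixes = [k for k in mapping if k.startswith(".") and host.endswith(k)]
    return mapping[max(suffixes, key=len)] if suffixes else None


def triage(log, target_host, mapping):
    """Return finding labels (hypothetical names) for one JGSS debug log."""
    findings = []
    m = re.search(r"Found ticket for \S+@(\S+) to go to krbtgt/", log)
    client_realm = m.group(1) if m else None
    service_realm = realm_for_host(target_host, mapping)
    cross = None not in (client_realm, service_realm) and client_realm != service_realm
    # Target host maps to another realm, yet the client took the same-realm path.
    if cross and "acquireServiceCreds: same realm" in log:
        findings.append("same-realm-lookup")
    # The client recognised the foreign service realm and walked [capaths].
    if cross and re.search(
        rf"doInitialParse: cRealm=\[\s*{re.escape(client_realm)}\s*\], "
        rf"sRealm=\[\s*{re.escape(service_realm)}\s*\]", log):
        findings.append("cross-realm-path")
    # Enctype lists that contain nothing but single DES.
    for m in re.finditer(r"default etypes for (default_\w+_enctypes): ([\d ]+)\.", log):
        label = "single-des-only:" + m.group(1)
        if set(map(int, m.group(2).split())) <= SINGLE_DES and label not in findings:
            findings.append(label)
    return findings


if __name__ == "__main__":
    realms = parse_domain_realm(KRB5_CONF)
    print(triage(JDK6_LOG, "machine2.REALMY.COM", realms))
    print(triage(JDK7_LOG, "machine2.REALMY.COM", realms))
```
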