This discussion is archived
15 Replies. Latest reply: Apr 10, 2011 7:01 AM by 854191

Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed

843810 Newbie
Hi,

I failed to get Kerberos authentication working across domains. I have User1 in REALMX. I have no problem getting authenticated to access http://machine1.REALMX.COM using use1.REALM.COM. However, if I want to access an HTTP service in another domain (REALMY.COM), I get KrbException: Message stream modified.

Can someone shed light on it?

Thanks,
Frank Meng



I am running on the Windows platform. All servers are Windows servers.

This is my config file:

[libdefaults]
    default_realm = REALMX.COM
    udp_preference_limit = 1
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc

[realms]
    REALMX.COM = {
        kdc = dc01.REALMX.COM
    }
    REALMY.COM = {
        kdc = dc02.REALMY.COM
    }

[domain_realm]
    .REALMX.COM = REALMX.COM
    .REALMY.COM = REALMY.COM

[capaths]
    REALMY.COM = {
        REALMX.COM = .
    }
    REALMX.COM = {
        REALMY.COM = .
    }


com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule
    required
    client=TRUE
    debug=true;
};



Log:

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
          [Krb5LoginModule] user entered username: user1@REALMX.COM

default etypes for default_tkt_enctypes: 1.
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dc01@REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=140
DEBUG: TCPClient reading 181 bytes
KrbKdcReq send: #bytes read=181
KrbKdcReq send: #bytes read=181
KDCRep: init() encoding tag is 126 req type is 11
KRBError:
     sTime is Mon Mar 23 16:31:53 EDT 2009 1237840313000
     suSec is 853386
     error code is 25
     error Message is Additional pre-authentication required
     realm is REALMX.COM
     sname is krbtgt/REALMX.COM
     eData provided.
     msgType is 30
Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 1
Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
Pre-Authentication Data:
     PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 1.
Pre-Authentication: Set preferred etype = 1
Updated salt from pre-auth = REALMX.COMUser1
KrbAsReq salt is REALMX.COMUser1
Pre-Authenticaton: find key for etype = 1
AS-REQ: Add PA_ENC_TIMESTAMP now
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 8b192af0
crc32: 10001011000110010010101011110000
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=dc01. REALMX.COM TCP:88, timeout=30000, number of retries =3, #bytes=214
DEBUG: TCPClient reading 1941 bytes
KrbKdcReq send: #bytes read=1941
KrbKdcReq send: #bytes read=1941
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: aaa8b968
crc32: 10101010101010001011100101101000
KrbAsRep cons in KrbAsReq.getReply user1
default etypes for default_tkt_enctypes: 1.
principal is user1@REALMX.COM
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 2A CE 5E 91 CE EF 16 DA
Commit Succeeded

Found ticket for user1@REALMX.COM to go to krbtgt/COM@REALMX.COM expiring on Tue Mar 24 02:31:53 EDT 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 1.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 18f0044
crc32: 1100011110000000001000100
KrbKdcReq send: kdc=torgdcw01.PROD.QUEST.CORP TCP:88, timeout=30000, number of retries =3, #bytes=1919
DEBUG: TCPClient reading 1866 bytes
KrbKdcReq send: #bytes read=1866
KrbKdcReq send: #bytes read=1866
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 4b85af36
crc32: 1001011100001011010111100110110
KrbException: Message stream modified (41)
     at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:48)
     at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:79)
     at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
  • 1. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Credentials acquireServiceCreds: same realm
    This does not look like a cross realm attempt.
  • 2. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Wangwj, thanks for your quick reply.

    I defined the two realms in the krb5.conf file; the default realm is REALMX.ABC.COM. Then I try to access a resource in realm REALMY.ABC.COM. In the Authenticator, I provide the credentials of User1@REALMX.ABC.COM.

    I thought that's all. Did I miss anything?

    Thanks,
    FM
  • 3. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    How does Java determine if it is the same realm or a different realm?

    I found in the log that it considers it the same realm if the login user's domain is the same as the default realm (user1@REALMX and default realm REALMX), even if the target host is in a different realm, REALMY. If the default realm is different from the login user's domain, it considers it a different realm.
  • 4. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Have you checked out this Java bug:
    http://bugs.sun.com/view_bug.do?bug_id=6727246
  • 5. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    OK, it seems it is the bug giving me such a hard time.

    Symptoms are exactly the same, except my build # is 1.6.0_04-b12.
  • 6. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    More searching on the Sun bugs site shows this:

    HTTP/SPNEGO should work across realms
    http://bugs.sun.com/view_bug.do?bug_id=6670362

    The description shows "When accessing a web page using HTTP/SPNEGO, the service principal is always assumed to be in the same realm as the client principal", which matches your case. According to the page, the bug was fixed in JDK 7 (b26). You might try to download a JDK 7 build from:

    http://download.java.net/jdk7/binaries/
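The symptom discussed in replies 1 to 6 can be checked mechanically. This is an added example, not code from the thread or from the JDK: it maps the target host to a realm with the usual [domain_realm] lookup (exact host, then parent domains) and flags a debug log that took the "same realm" path for a host in another realm. The host name machine2.REALMY.COM and the function names are assumptions.

```python
import re

# [domain_realm] section as posted in the thread.
KRB5_CONF = """
[domain_realm]
    .REALMX.COM = REALMX.COM
    .REALMY.COM = REALMY.COM
"""

# Two lines taken from the JDK 6 debug log posted in the thread.
DEBUG_LOG = """principal is user1@REALMX.COM
Credentials acquireServiceCreds: same realm
"""


def parse_domain_realm(conf_text):
    """Return {host or .domain (lower case): realm} from [domain_realm]."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry first, then each parent domain (".example.com")."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain]
    return None


def audit(log_text, target_host, mapping):
    """Compare the realm the log used with the realm the host maps to."""
    m = re.search(r"principal is \S+@(\S+)", log_text)
    client_realm = m.group(1) if m else None
    same_realm_path = "acquireServiceCreds: same realm" in log_text
    target_realm = realm_for_host(target_host, mapping)
    mismatch = bool(same_realm_path and client_realm and target_realm
                    and client_realm.upper() != target_realm.upper())
    return {"client_realm": client_realm, "target_realm": target_realm,
            "same_realm_path": same_realm_path, "mismatch": mismatch}


if __name__ == "__main__":
    # machine2.REALMY.COM is an assumed target host in the second realm.
    print(audit(DEBUG_LOG, "machine2.REALMY.COM", parse_domain_realm(KRB5_CONF)))
```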
  • 7. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Thanks for the information. I tried it on jre7 b51. It did make lots of progress but still failed at the last step.



    Found ticket for user1@REALMX.ABC.COM to go to krbtgt/REALMX.ABC.COM@ REALMX.ABC.COM expiring on Wed Mar 25 21:08:28 EDT 2009
    Entered Krb5Context.initSecContext with state=STATE_NEW
    Service ticket not found in the subject
    Realm doInitialParse: cRealm=[REALMX.ABC.COM], sRealm=[ REALMY.ABC.COM]
    Realm parseCapaths: loop 1: target= REALMY.ABC.COM
    Realm parseCapaths: loop 1: no intermediaries
    Realm parseCapaths [0]= REALMX.ABC.COM
    Credentials acquireServiceCreds: main loop: [0] tempService=krbtgt/ REALMY.ABC.COM@REALMX.ABC.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    KrbKdcReq send: kdc=dc01.REALMX.ABC.COM TCP:88, timeout=30000, number of retries =3, #bytes=1934
    DEBUG: TCPClient reading 1877 bytes
    KrbKdcReq send: #bytes read=1877
    KrbKdcReq send: #bytes read=1877
    EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
    Credentials acquireServiceCreds: got tgt
    Credentials acquireServiceCreds: got right tgt
    Credentials acquireServiceCreds: obtaining service creds for HTTP/machine2.REALMY.ABC.COM@REALMX.ABC.COM
    Using builtin default etypes for default_tgs_enctypes
    default etypes for default_tgs_enctypes: 3 1 23 16 17.
    CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbKdcReq send: kdc= dc02.REALMY.ABC.COM TCP:88, timeout=30000, number of retries =3, #bytes=1929
    DEBUG: TCPClient reading 1902 bytes
    KrbKdcReq send: #bytes read=1902
    KrbKdcReq send: #bytes read=1902
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Credentials acquireServiceCreds: returning creds:
    DEBUG: ----Credentials----
         client: user1@REALMX.ABC.COM
         server: HTTP/ machine2.REALMY.ABC.COM@REALMX.ABC.COM
         ticket: realm: REALMY.ABC.COM
    sname: HTTP/ machine2.REALMY.ABC.COM@REALMY.ABC.COM
         startTime: 1237993709000
         endTime: 1238029708000
    ----Credentials end----
    KrbApReq: APOptions are 00100000 00000000 00000000 00000000
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    Krb5Context setting mySeqNumber to: 409360251
    Created InitSecContextToken:
    0000: 01 00 6E 82 07 1C 30 82 07 18 A0 03 02 01 05 A1 ..n...0.........
    0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 06
    ......... ......... .........
    ......... some binary data ....
    ......... ......... .........

    Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
    GSSException: Defective token detected (Mechanism level: AP_REP token id does not match!)
    Negotiate support cannot continue. Reason:
         at sun.security.jgss.krb5.AcceptSecContextToken.<init>(Unknown Source)
         at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
         at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  • 8. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Can you post the removed 'some binary data' here?

    Your error says "AP_REP token id does not match!". Hope the token is shown in the binary data so that we can see what its id is.
  • 9. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Sure. This is the binary data stuff.
    DEV.QUEST.CORP is REALMY
    stldev039.dev.quest.corp is machine1@REALMY

    Thanks,
    FM


    Krb5Context setting mySeqNumber to: 950488333
    Created InitSecContextToken:
  • 10. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    ********* this is the second half **********

  • 11. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Unfortunately, this is only the data sent from the client to the server; the reply is not printed.

    Do you have some other way to capture the data sent back by the server? Say, a network sniffer.

    Edited by: wangwj on Mar 26, 2009 1:30 PM
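The first two lines of the InitSecContextToken dump quoted in the thread are enough to read the token header, which is what the "AP_REP token id does not match!" check looks at. This is an added example, not code from the thread or the JDK: it decodes the RFC 4121 token ID and the Kerberos message header. The SERVER_REPLY bytes are constructed (the thread never shows the server's reply) and the function names are assumptions.

```python
import re

TOK_ID = {0x0100: "KRB_AP_REQ", 0x0200: "KRB_AP_REP", 0x0300: "KRB_ERROR"}  # RFC 4121, 4.1
APP_TAG = {0x6E: "AP-REQ", 0x6F: "AP-REP", 0x7E: "KRB-ERROR"}  # APPLICATION 14 / 15 / 30

# First two dump lines of the client's token, as quoted in the thread.
CLIENT_DUMP = """
0000: 01 00 6E 82 07 1C 30 82 07 18 A0 03 02 01 05 A1 ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 06
"""
# Constructed, truncated stand-in for a reply that carries a KRB-ERROR.
SERVER_REPLY = bytes.fromhex("03007e0c300aa003020105a10302011e")


def bytes_from_dump(dump):
    """Collect the hex column (at most 16 bytes per line) of a JGSS debug dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*[0-9A-Fa-f]{4}:\s+(.*)", line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def der_len(buf, pos):
    """Decode a DER length at pos; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ctx_int(buf, pos, tag):
    """Read an explicitly tagged INTEGER such as A0 03 02 01 05."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}")
    _, pos = der_len(buf, pos + 1)
    if buf[pos] != 0x02:
        raise ValueError(f"expected INTEGER at offset {pos}")
    n, pos = der_len(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def describe(buf):
    """Token ID, Kerberos message tag, declared length, pvno and msg-type."""
    tok = int.from_bytes(buf[:2], "big")
    declared, pos = der_len(buf, 3)
    if buf[pos] != 0x30:
        raise ValueError("expected SEQUENCE inside the message")
    _, pos = der_len(buf, pos + 1)
    pvno, pos = ctx_int(buf, pos, 0xA0)
    msg_type, _ = ctx_int(buf, pos, 0xA1)
    return {"tok_id": TOK_ID.get(tok, hex(tok)), "message": APP_TAG.get(buf[2], hex(buf[2])),
            "declared_len": declared, "pvno": pvno, "msg_type": msg_type}


def passes_ap_rep_check(buf):
    """Models the initiator's expectation: the reply must start with 02 00."""
    return int.from_bytes(buf[:2], "big") == 0x0200


if __name__ == "__main__":
    print(describe(bytes_from_dump(CLIENT_DUMP)))
    print(describe(SERVER_REPLY), passes_ap_rep_check(SERVER_REPLY))
```

The same tag value appears earlier in the thread's log as "encoding tag is 126" (0x7E), where the KDC answered the first AS-REQ with a KRB-ERROR.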
  • 12. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
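    Add these lines at the beginning of your code, and you can capture more HTTP info:
    // Needs java.util.logging.ConsoleHandler, Handler, Level and Logger imported.
    // Logger name used by the JDK's HTTP client implementation.
    String HTTPLOG = "sun.net.www.protocol.http.HttpURLConnection";
    Logger.getLogger(HTTPLOG).setLevel(Level.ALL);
    // Send everything, including FINE and below, to the console.
    Handler h = new ConsoleHandler();
    h.setLevel(Level.ALL);
    Logger.getLogger(HTTPLOG).addHandler(h);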
  • 13. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Thank you, Wangwj. You led me in the right direction. Now my Kerberos code is working across realms.

    In fact, DNS is the culprit for the "AP_REP token id does not match" error. As you suggested, I wiresharked the network traffic, and found that inside the Kerberos error message, it stated the target server name is different from the one I provided. For some reason, DNS has two names for the same machine, and it returned a wrong one.

    After I changed to another machine, everything works fine. But JRE 1.7 is still necessary, because it fixed the same-realm issue.
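The DNS condition described in reply 13, one machine known under two names, can be checked before debugging Kerberos itself. This is an added example, not code from the thread: it compares the host name used in the service principal with every name forward and reverse DNS return for it. The resolvers are injectable so the constructed sample records (oldname.realmy.abc.com, 192.0.2.12) run offline; those values and the function names are assumptions.

```python
import socket


def dns_names(host, forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """All names DNS associates with host: canonical name, aliases, PTR names."""
    canonical, aliases, addresses = forward(host)
    names = {canonical.lower()} | {a.lower() for a in aliases}
    for ip in addresses:
        try:
            rname, raliases, _ = reverse(ip)
        except OSError:  # no PTR record for this address
            continue
        names.add(rname.lower())
        names.update(a.lower() for a in raliases)
    return {n.rstrip(".") for n in names}


def spn_report(service, host, **resolvers):
    """Flag hosts whose DNS names differ from the one used to build the SPN."""
    requested = host.lower().rstrip(".")
    others = sorted(dns_names(host, **resolvers) - {requested})
    return {
        "requested_spn": f"{service}/{requested}",
        "other_names": others,
        "alternate_spns": [f"{service}/{n}" for n in others],
        "consistent": not others,
    }


# Constructed DNS records: the A record and the PTR record disagree.
FAKE_A = {"machine2.realmy.abc.com": ("machine2.realmy.abc.com", [], ["192.0.2.12"])}
FAKE_PTR = {"192.0.2.12": ("oldname.realmy.abc.com", [], ["192.0.2.12"])}


def fake_forward(host):
    return FAKE_A[host.lower()]


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


if __name__ == "__main__":
    print(spn_report("HTTP", "machine2.REALMY.ABC.COM",
                     forward=fake_forward, reverse=fake_reverse))
```

Called without the `forward` and `reverse` arguments, `spn_report` queries the system resolver; any entry in `other_names` is a name under which the ticket or the server's account may be registered instead of the one in the URL.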
  • 14. Re: Cross Realm Authentication using NEGOTIATE protocol (SPNEGO) failed
    843810 Newbie
    Glad to hear that.