This discussion is archived
2 Replies Latest reply: Jun 26, 2013 12:15 PM by e0c6b58c-8fb4-4c3c-87bd-dc674e3a022a RSS

initSecContext throws java.net.SocketTimeoutException: Peek timed out

796334 Newbie
Currently Being Moderated
I have GSS/Jaas single-sign on authentication working in out client/server application with Kerberos on an environment with a Windows 2008 server with Windows 7 clients. All machines and users work fine. Except users in the administrators group which is a known issue with windows, if you run "klist tgt" you see a session key with all 0!

I don't use mutual authentication so one call to context.initSecContext is sufficient. However for one user on one single machine I get an exception while creating the token to be sent fromt he client to server. calling context.initSecContext(new byte[0], 0, 0). This is done in a PriviligedAction after a successfull JAAS authentication to the Kerberos. The weird thing is that it works fine with another user on the same machine. I ran "klist tgt" and the session key is filled (not all 0's).

Indeed the user has to wait somewhere between 30s and 1 minute before the exception occurs.
Does anyone have an idea why this happens?

GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Peek timed out))
     at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at reservering.shared.auth.GSSClient$AuthenticatePrivilegedAction.run(GSSClient.java:154)
     at reservering.shared.auth.GSSClient$AuthenticatePrivilegedAction.run(GSSClient.java:132)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAs(Unknown Source)
     at reservering.shared.auth.GSSClient.initiateSecurityContext(GSSClient.java:120)
     at reservering.shared.auth.GSSClient.createToken(GSSClient.java:74)
     ... 9 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Peek timed out)
     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
     ... 18 more
Caused by: java.net.SocketTimeoutException: Peek timed out
     at java.net.PlainDatagramSocketImpl.peekData(Native Method)
     at java.net.DatagramSocket.receive(Unknown Source)
     at sun.security.krb5.internal.UDPClient.receive(Unknown Source)
     at sun.security.krb5.KrbKdcReq$KdcCommunication.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.krb5.KrbKdcReq.send(Unknown Source)
     at sun.security.krb5.KrbKdcReq.send(Unknown Source)
     at sun.security.krb5.KrbKdcReq.send(Unknown Source)
     at sun.security.krb5.KrbTgsReq.send(Unknown Source)
     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
     ... 22 more

Edited by: Strider80 on Dec 22, 2010 7:55 AM
  • 1. Re: initSecContext throws java.net.SocketTimeoutException: Peek timed out
    967206 Newbie
    Currently Being Moderated
    It has been almost 2 years since the original post but I just wanted to chime in on having what sounds like the same underlying problem - hoping you or someone else may have more information. We too have a client/server application using Kerberos to authenticate. We have Windows 7 and XP client computers.

    Only some Windows 7 clients have this problem, randomly. We never see it on XP. Just like the original post, other users can logon to the same client computer without issues. But for the affected user, once "broken" the problem doesn't go away without a complete Java reinstall, including manual deletion of cached user data. Once "fixed", affected users may go for a few days or longer but will then have the same problem return. Here's the underlying exception:

    Caused by: java.net.SocketTimeoutException: Peek timed out
         at java.net.PlainDatagramSocketImpl.peekData(Native Method)
         at java.net.DatagramSocket.receive(Unknown Source)
         at sun.security.krb5.internal.UDPClient.receive(Unknown Source)
         at sun.security.krb5.KrbKdcReq$KdcCommunication.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)

    Thanks.
  • 2. Re: initSecContext throws java.net.SocketTimeoutException: Peek timed out
    e0c6b58c-8fb4-4c3c-87bd-dc674e3a022a Newbie
    Currently Being Moderated

    I think the UDP port for KDC has been blocked. Should be port 88. Check for firewall rules port 88 for TCP and UDP. This must be port issues.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points