0 Replies. Latest reply: Jul 18, 2011 1:37 AM by 876122

Cannot associate a subject with the current thread's AccessControlContext

876122 Newbie
I am trying to follow referrals in our Active Directory and perform authentication with Kerberos. Though the auth works perfectly, when the dir context tries to follow the referral it cannot obtain credentials for the current subject and quits with:
Exception in thread "main" javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]]
     at com.sun.jndi.ldap.LdapReferralContext.<init>(Unknown Source)
     at com.sun.jndi.ldap.LdapReferralException.getReferralContext(Unknown Source)
     at com.sun.jndi.ldap.LdapCtx.c_getAttributes(Unknown Source)
     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(Unknown Source)
     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(Unknown Source)
     at javax.naming.directory.InitialDirContext.getAttributes(Unknown Source)
     at ldap.ClientLogin.main(ClientLogin.java:56)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]
     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
     at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
     at com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(Unknown Source)
     at javax.naming.spi.NamingManager.getURLObject(Unknown Source)
     at javax.naming.spi.NamingManager.processURL(Unknown Source)
     at javax.naming.spi.NamingManager.processURLAddrs(Unknown Source)
     at javax.naming.spi.NamingManager.getObjectInstance(Unknown Source)
     ... 8 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
     at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Unknown Source)
     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Unknown Source)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
     at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
     at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     ... 20 more
Caused by: javax.security.auth.login.LoginException: Für  sind keine Anmeldemodule konfiguriert.
     at javax.security.auth.login.LoginContext.init(Unknown Source)
     at javax.security.auth.login.LoginContext.<init>(Unknown Source)
     at sun.security.jgss.GSSUtil.login(Unknown Source)
     at sun.security.jgss.krb5.Krb5Util.getTicket(Unknown Source)
     at sun.security.jgss.krb5.Krb5InitCredential$1.run(Unknown Source)
     at java.security.AccessController.doPrivileged(Native Method)
     ... 27 more
I presumed, according to this fact (http://download.oracle.com/javase/1.4.2/docs/guide/security/jaas/JAASRefGuide.html#doAsComp), that the Subject.doAs method automatically stores my subject with the current thread's control context, so I added some debug outputs and noticed that all contexts are different:
run(): Subject of thread 'main' in context 'java.security.AccessControlContext@12e636d' is Betreff:
     Principal: <obfuscated>

getDirContext(): Subject of thread 'main' in context 'java.security.AccessControlContext@1a46e30' is null
Although the thread is the same, the context is different, so this obviously does not work. What is the reason for this?
This is my env:
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode, sharing)
It seems to me that I cannot follow referrals automatically with SASL nor avoid several doAs manually.

Thanks,

Mike
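
The Subject lookup used for the debug output in the post can be reproduced without a KDC. The following is an added example, not part of the original post: it assumes Java 6 through 17, a hypothetical class name SubjectContextDemo and a constructed principal user@EXAMPLE.COM, and it shows how Subject.doAs and AccessController.doPrivileged treat the bound Subject rather than diagnosing the trace above.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

// Assumption: Java 6 through 17; later releases deprecate or change these APIs.
public class SubjectContextDemo {

    // Same lookup as the post's debug output: the Subject bound to the current context.
    static String current(String where) {
        AccessControlContext acc = AccessController.getContext();
        Subject s = Subject.getSubject(acc);
        return where + ": " + (s == null ? "null" : s.getPrincipals().toString());
    }

    public static void main(String[] args) {
        // Constructed principal; no KDC is contacted and nothing is authenticated.
        Subject subject = new Subject(false,
                Collections.singleton(new KerberosPrincipal("user@EXAMPLE.COM")),
                Collections.emptySet(), Collections.emptySet());

        System.out.println(current("outside doAs"));
        Subject.doAs(subject, new PrivilegedAction<Void>() {
            public Void run() {
                System.out.println(current("inside doAs"));
                final AccessControlContext acc = AccessController.getContext();
                // A plain doPrivileged truncates the context at this frame,
                // so the Subject bound by doAs is no longer found.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println(current("doPrivileged(action)"));
                        return null;
                    }
                });
                // Handing over the captured context keeps the Subject visible.
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    public Void run() {
                        System.out.println(current("doPrivileged(action, acc)"));
                        return null;
                    }
                }, acc);
                return null;
            }
        });
    }
}
```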
