
Java Security


Datagram send failed

843810, Jul 3 2008 (edited Jul 23 2008)
I am stuck. We have an internal process that retrieves a list of users from Active Directory. It is pretty much the GSS-API/Kerberos v5 examples out on the net, and it works, most of the time. The app is running in Tomcat, and if I restart Tomcat during the day, often (but not always) the internal process cannot authenticate with the AD service. I turned on the debug switch and got the following output. Note that if we wait and retry after an hour or so, it seems to work.
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] user entered username: webapp

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=foobar.com UDP:88, timeout=30000, number of retries =3, #bytes=153
KDCCommunication: kdc=foobar.com UDP:88, timeout=30000,Attempt =1, #bytes=153
                [Krb5LoginModule] authentication failed
Cannot assign requested address: Datagram send failed
I did a network sniff and did not see any errors (although I am no expert at this). However, there is a difference between a successful attempt and a failed attempt:

Successful:
14	6.167607	10.1.1.131	10.1.1.27	DNS	Standard query A foobar.com
17	6.167824	10.1.1.27	10.1.1.131	DNS	Standard query response A 10.1.1.27 A 10.1.1.0 A 10.2.1.72 A 10.1.2.27
18	6.171049	10.1.1.131	10.1.1.27	KRB5	AS-REQ
19	6.171719	10.1.1.27	10.1.1.131	KRB5	KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
20	6.184691	10.1.1.131	10.1.1.27	KRB5	AS-REQ
21	6.185498	10.1.1.27	10.1.1.131	KRB5	AS-REP
Failed:
15	5.978662	10.1.1.131	10.1.1.27	DNS	Standard query A foobar.com
18	5.978871	10.1.1.27	10.1.1.131	DNS	Standard query response A 10.1.1.0 A 10.1.1.27 A 10.2.1.72 A 10.1.2.27
19	6.012441	10.1.1.131	10.1.1.27	TCP	qsm-remote > ldap [SYN] Seq=0 Win=65535 Len=0 MSS=1460
20	6.012532	10.1.1.27	10.1.1.131	TCP	ldap > qsm-remote [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460
So the successful interaction does a DNS request and then a Kerberos AS-REQ. The failure scenario does a DNS request and then a TCP request to the LDAP server.

Also I have noticed that when it does work, the AD security event log shows the following three entries:
Pre-authentication failed:
...
Authentication Ticket Request:
...
Service Ticket Request:
When it fails I get:
Event Type:	Success Audit
Event Source:	Security
Event Category:	Account Logon 
Event ID:	680
Date:		7/3/2008
Time:		9:25:38 AM
User:		FOOBAR\webapp
Computer:	AMP
Description:
Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	webapp
 Source Workstation:	AMP
 Error Code:	0x0
Rebooting the client server does not solve the problem. I restarted the active directory server and that appeared to reset everything.

Using jdk1.6.0_06 and Tomcat 5.5.

I have been debugging and testing and tweaking this for way too long. Hoping someone has an idea. Thx!
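An added diagnostic, not part of the original post. The one visible difference between the two captures above is the order of A records in the answer for foobar.com: the successful run gets 10.1.1.27 first, the failed run gets 10.1.1.0 first, and in the failed run no AS-REQ leaves the client at all, which matches "Cannot assign requested address: Datagram send failed" being a local socket error (EADDRNOTAVAIL) rather than a KDC reply. The script below works from those two answers as constructed data (it does not re-resolve anything), shows what a client that uses only the first record would send to, flags records that cannot be a unicast destination from the client, and offers a UDP connect() probe for running on the affected host. It assumes the client 10.1.1.131 is in a /24 (so 10.1.1.0 is its network address), that the JDK of that era resolved the KDC name once and used the first record, and the standard KDC port 88; none of that is confirmed by the page.

```python
"""Added example (not from the original post): compare how a resolver that
takes only the first A record behaves against the two DNS answers captured
in the post, and flag answers a UDP send from the client could not use.

Assumptions (not stated on the page): the client 10.1.1.131 sits in a /24,
so 10.1.1.0 is its network address; the KDC port is the standard 88; the
client used the first A record without falling back to the others.
"""
import errno
import ipaddress
import socket

KDC_PORT = 88
CLIENT_NET = ipaddress.ip_network("10.1.1.131/24", strict=False)  # assumption

# The two DNS answers as they appear in the post's capture, in the order the
# server returned them (constructed from the capture, not re-resolved).
DNS_ANSWER_OK = ["10.1.1.27", "10.1.1.0", "10.2.1.72", "10.1.2.27"]
DNS_ANSWER_FAIL = ["10.1.1.0", "10.1.1.27", "10.2.1.72", "10.1.2.27"]


def first_record_kdc(answers):
    """What a client that resolves once and never falls back would send its
    AS-REQ to: the first record, whatever it is."""
    return answers[0]


def unusable_destination(addr, client_net=CLIENT_NET):
    """Return a reason string if addr cannot be a unicast KDC destination
    from this client, else None.  Covers the case visible in the capture
    (the subnet's network address) plus its obvious siblings."""
    ip = ipaddress.ip_address(addr)
    if ip in client_net and ip == client_net.network_address:
        return "network address of the client's own subnet"
    if ip in client_net and ip == client_net.broadcast_address:
        return "broadcast address of the client's own subnet"
    if ip.is_unspecified or ip.is_multicast or ip.is_loopback:
        return "not a unicast host address"
    return None


def usable_kdcs(answers, client_net=CLIENT_NET):
    """Filter a DNS answer down to records worth sending a datagram to,
    preserving the server's order.  This is what a robust client does
    instead of trusting record 0."""
    return [a for a in answers if unusable_destination(a, client_net) is None]


def probe_udp(addr, port=KDC_PORT):
    """Ask the local stack whether it will accept addr as a UDP peer.
    connect() on a UDP socket sends nothing; it only selects a route, so an
    address the OS refuses shows up here as EADDRNOTAVAIL ("Cannot assign
    requested address") without touching the KDC.  The result depends on
    the host this runs on, so it is for interactive use, not assertions."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((addr, port))
        return "ok"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e))
    finally:
        s.close()


if __name__ == "__main__":
    for label, answer in (("successful", DNS_ANSWER_OK), ("failed", DNS_ANSWER_FAIL)):
        chosen = first_record_kdc(answer)
        why = unusable_destination(chosen)
        print(f"{label}: first-record client would use {chosen}"
              f"{' -> ' + why if why else ''}; usable set: {usable_kdcs(answer)}")
        for a in answer:
            print(f"   probe {a}:{KDC_PORT} -> {probe_udp(a)}")
```

Run it on the Tomcat host when the failure is occurring and compare the probe column against the first record the resolver is handing back; if the first record probes as EADDRNOTAVAIL while the others probe ok, the round-robin order is the trigger. A common way to take DNS ordering out of the picture entirely is to name the KDC by address or by a dedicated hostname in the [realms] section of krb5.conf, or via the java.security.krb5.kdc and java.security.krb5.realm system properties, rather than relying on a multi-homed name.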

Post Details

Locked on Aug 20 2008
Added on Jul 3 2008