Error "Failure unspecified at GSS-API level (Mechanism level: No cksum in AP_REQ's authenticator)" u

1817483 Member Posts: 1
edited Sep 22, 2016 7:10AM in Kerberos & Java GSS (JGSS)

Hi all,

Here is the context.

- SAP Mobile platform requests a Kerberos ticket for a service. Delegation is configured for its service user (User A can request tickets for a service which belongs to a different user)

- With this ticket, SMP authenticates the user against Tomcat where an application is running with Spring Security (JGSS is doing the magic behind)

- When the module tries to validate the ticket, we have the exception described in detail at the end of the post

            Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: No cksum in AP_REQ's authenticator)

- The funny thing is with the browser (without delegation) Kerberos is working properly.

Any idea about what could be causing this behavior?

Thanks in advance and best regards!



Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: No cksum in AP_REQ's authenticator)

at$OverloadedChecksum.<init>( ~[na:1.8.0_101]

at<init>( ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

at ~[na:1.8.0_101]

Here is the debug info shown while trying to validate the ticket:

              Found KeyTab
               /neptuno/keys/keytab/ for HTTP/[email protected]

Entered Krb5Context.acceptSecContext with state=STATE_NEW

Looking for keys for: HTTP/[email protected]

Added key: 23version: 2

>>> EType:

Using builtin default etypes for permitted_enctypes

default etypes for permitted_enctypes: 17 16 23.

>>> EType:

MemoryCache: add 1472643443/068238/C4F3C48B35155EECCF2570E4D5EBF07E/[email protected]@EUCE.CORP.BSHG.COM
to [email protected]@EUCE.CORP.BSHG.COM|HTTP/[email protected]

MemoryCache: Existing AuthList:

#1: 1472643107/247289/F8C26EA6D6BB2269AE800A3954A305DE/[email protected]@EUCE.CORP.BSHG.COM

>>> KrbApReq: authenticate succeed.

This discussion has been closed.