30 Replies Latest reply: Aug 17, 2010 8:05 AM by 843810

    GSSContext initialization failing when context.requestMutualAuth(true)

    843810
      Hi,

      I'm trying to use GSSAPI authentication (using Kerberos) for a CVS server.

      Here's the code I'm using (it's basically a slight modification of the SampleClient from a Sun tutorial):
      import org.ietf.jgss.*;
      import java.net.Socket;
      import java.security.PrivilegedAction;
      import java.security.PrivilegedActionException;
      import java.security.PrivilegedExceptionAction;
      import java.util.ArrayList;
      import java.io.EOFException;
      import java.io.File;
      import java.io.FileOutputStream;
      import java.io.FileWriter;
      import java.io.IOException;
      import java.io.DataInputStream;
      import java.io.DataOutputStream;
      import java.io.InputStream;
      import java.io.OutputStream;
      import javax.security.auth.Subject;
      import javax.security.auth.kerberos.KerberosPrincipal;
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      public class Client {

          public static void main(String[] args) throws IOException, GSSException {

              // Obtain the command-line arguments and parse the port number
              if (args.length < 3) {
                  System.err.println("Usage: java <options> SampleCallbackHandler Client "
                          + " <server> <hostName> <port>");
                  System.exit(-1);
              }

              String server = args[0];
              String hostName = args[1];
              int port = Integer.parseInt(args[2]);

              Socket socket = new Socket(hostName, port);
              OutputStream out = socket.getOutputStream();
              InputStream in = socket.getInputStream();
              DataOutputStream outStream = new DataOutputStream(out);
              DataInputStream inStream = new DataInputStream(in);
              StringBuffer request = new StringBuffer();
              request.append("BEGIN GSSAPI REQUEST");
              request.append("\n");
              outStream.write(request.toString().getBytes());
              outStream.flush();

              System.out.println("Connected to server " + socket.getInetAddress());

              // 1. Log in (to Kerberos)
              SampleCallbackHandler authenticator = new SampleCallbackHandler();
              LoginContext lc = null;
              try {
                  lc = new LoginContext("Login", authenticator);
                  // Attempt authentication
                  lc.login();
              } catch (LoginException le) {
                  // No Subject to run the action as: stop here rather than
                  // dereferencing a null LoginContext below
                  le.printStackTrace();
                  System.exit(1);
              }
              Subject subject = lc.getSubject();
              Subject.doAs(subject, new MyClientAction(socket));
              socket.close();
          }

      }

      class MyClientAction implements PrivilegedAction<Object> {

          private InputStream in;
          private OutputStream out;
          private DataInputStream inStream;
          private DataOutputStream outStream;

          public MyClientAction(Socket s) {
              try {
                  this.in = s.getInputStream();
                  this.out = s.getOutputStream();
              } catch (IOException e) {
                  // The socket streams could not be obtained; in/out stay null
                  e.printStackTrace();
              }
              this.inStream = new DataInputStream(this.in);
              this.outStream = new DataOutputStream(this.out);
          }

          public Object run() {

              byte[] token = null;

              try {
                  GSSManager manager = GSSManager.getInstance();
                  Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");//$NON-NLS-1$
                  GSSName serverName = manager.createName("cvs@server.com",
                          GSSName.NT_HOSTBASED_SERVICE, krb5Mechanism);

                  // Get the context for authentication
                  GSSContext context = manager.createContext(serverName, krb5Mechanism,
                          null, GSSContext.DEFAULT_LIFETIME);
                  context.requestMutualAuth(true);  // Request mutual authentication
                  context.requestConf(true);        // Request confidentiality

                  // Do the context establishment loop
                  token = new byte[0];
                  while (!context.isEstablished()) {

                      token = context.initSecContext(token, 0, token.length);

                      // Send a token to the server if one was generated by
                      // initSecContext
                      if (token != null) {
                          System.out.println("Will send token of size " + token.length
                                  + " from initSecContext.");
                          outStream.writeInt(token.length);
                          outStream.write(token);
                          outStream.flush();
                      }

                      // If the client is done with context establishment
                      // then there will be no more tokens to read in this loop
                      if (!context.isEstablished()) {
                          token = new byte[inStream.readInt()];
                          inStream.readFully(token);
                      }
                  }

                  System.out.println("Context Established! ");
                  System.out.println("Client is " + context.getSrcName());
                  System.out.println("Server is " + context.getTargName());
                  System.out.println("Lifetime: " + context.getLifetime());

                  /*
                   * If mutual authentication did not take place, then only the client was
                   * authenticated to the server. Otherwise, both client and server were
                   * authenticated to each other.
                   */
                  if (context.getMutualAuthState())
                      System.out.println("Mutual authentication took place!");

                  byte[] messageBytes = "END AUTH REQUEST\n".getBytes();

                  /*
                   * The first MessageProp argument is 0 to request the default
                   * Quality-of-Protection. The second argument is true to request privacy
                   * (encryption of the message).
                   */
                  MessageProp prop = new MessageProp(0, true);

                  /*
                   * Encrypt the data and send it across. Integrity protection is always
                   * applied, irrespective of confidentiality (i.e., encryption). You can
                   * use the same token (byte array) as that used when establishing the
                   * context.
                   */
                  token = context.wrap(messageBytes, 0, messageBytes.length, prop);
                  System.out.println("Will send wrap token of size " + token.length);
                  outStream.writeInt(token.length);
                  outStream.write(token);
                  outStream.flush();

                  /*
                   * Now we will allow the server to decrypt the message, calculate a MIC
                   * on the decrypted message and send it back to us for verification.
                   * This is unnecessary, but done here for illustration.
                   */
                  context.verifyMIC(token, 0, token.length, messageBytes, 0,
                          messageBytes.length, prop);

                  System.out.println("Verified received MIC for message.");

                  System.out.println("Exiting...");
                  context.dispose();
              } catch (GSSException e) {
                  e.printStackTrace();
              } catch (IOException e) {
                  e.printStackTrace();
              }
              return token;
          }
      }

      When I run this, I'm getting the following error:

      GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

      I'm able to establish the context if I set context.requestMutualAuth(false). But then, if I send wrapped messages to the server it fails with the same error. Does anybody know what I'm doing wrong?

      Thank you!
        • 1. Re: GSSContext initialization failing when context.requestMutualAuth(true)
          843810
          On which line is the exception thrown? Can you show the full exception stack info?

          In your program, you send the length of the token before sending the token itself. Are you sure this is how the CVS server works? Some tokens contain the length info inside, so probably it's not necessary to send the length explicitly.

          If you can find a CVS client that can communicate with the server correctly, you can use a packet capturer (say, wireshark) to study what the protocol looks like.
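          The two framing questions raised above (what the client sends before each token, and what it reads back), as an added Python example that is not code from this thread: it builds the RFC 2743 token header that JGSS's GSSHeader check looks for, frames tokens with the two-byte big-endian length that the cvsclient protocol document (linked later in the thread) specifies for the GSSAPI exchange, and shows what the four-byte `writeInt`/`readInt` framing in the posted loop does on each side. The server reply text is a constructed sample modelled on the error quoted later in the thread; the 456-byte inner token is a zero-filled stand-in, not real ticket data.

```python
import struct
from typing import Tuple

# Kerberos V5 mechanism OID, the same one the thread's Java code passes to
# createName/createContext, and its DER encoding (tag 0x06, length 9).
KRB5_MECH_OID = "1.2.840.113554.1.2.2"
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

# Constructed sample of a textual server reply, modelled on the error text
# quoted in the thread. The real server wording may differ.
SERVER_TEXT_REPLY = b"[cvs :pserver] could not verify credentials\n"


def der_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, else 0x8N + N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_initial_context_token(inner: bytes) -> bytes:
    """RFC 2743 section 3.1 InitialContextToken framing around a mechanism
    token: 0x60 (APPLICATION 0, constructed), DER length, mech OID, inner."""
    body = KRB5_MECH_OID_DER + inner
    return b"\x60" + der_length(len(body)) + body


def gss_header_tag_ok(token: bytes) -> bool:
    """Approximates the check JGSS's GSSHeader makes on an incoming token:
    first byte 0x60, a well-formed DER length covering the rest, then the
    mechanism OID. A line of protocol text fails on the very first byte,
    which is what "GSSHeader did not find the right tag" reports."""
    if len(token) < 2 or token[0] != 0x60:
        return False
    first = token[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or len(token) < 2 + nbytes:
            return False
        length = int.from_bytes(token[2:2 + nbytes], "big")
        pos = 2 + nbytes
    if len(token) - pos != length:
        return False
    return token[pos:pos + len(KRB5_MECH_OID_DER)] == KRB5_MECH_OID_DER


def frame_cvs(token: bytes) -> bytes:
    """Frame a token as the cvsclient protocol document describes for the
    GSSAPI exchange: two-byte big-endian length, then the token bytes."""
    if len(token) > 0xFFFF:
        raise ValueError("token exceeds the 16-bit CVS length field")
    return struct.pack(">H", len(token)) + token


def frame_as_poster(token: bytes) -> bytes:
    """The framing in the thread's Java loop: DataOutputStream.writeInt
    (four bytes, big-endian) followed by the token."""
    return struct.pack(">i", len(token)) + token


def read_cvs_token(stream: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Read one CVS-framed token; returns (token, next_offset). A short read
    is treated as a protocol error, never as a reason to allocate."""
    if len(stream) - offset < 2:
        raise ValueError("short read: no length prefix")
    (n,) = struct.unpack_from(">H", stream, offset)
    end = offset + 2 + n
    if end > len(stream):
        raise ValueError("short read: length %d exceeds %d available bytes"
                         % (n, len(stream) - offset - 2))
    return stream[offset + 2:end], end


def java_read_int(stream: bytes) -> int:
    """What DataInputStream.readInt() returns on the first four bytes; the
    thread's loop then allocates new byte[that value]."""
    if len(stream) < 4:
        raise EOFError("fewer than four bytes available")
    return struct.unpack(">i", stream[:4])[0]


if __name__ == "__main__":
    # 456-byte stand-in for the AP-REQ token; header adds 15 bytes -> 471,
    # the token size the thread's debug output reports.
    full = build_initial_context_token(bytes(456))
    print("GSS token size:", len(full), "header ok:", gss_header_tag_ok(full))

    # A server expecting CVS framing reads the poster's 00 00 xx xx prefix as
    # a zero-length token and never sees the real one.
    tok, _ = read_cvs_token(frame_as_poster(full))
    print("token length as seen under CVS framing:", len(tok))

    # And the poster's readInt turns four bytes of reply text into a huge
    # buffer size, which is the OutOfMemoryError path.
    print("readInt on text reply:", java_read_int(SERVER_TEXT_REPLY))
    print("GSS header check on text reply:", gss_header_tag_ok(SERVER_TEXT_REPLY))
```

A client that checks the reply's first byte before trusting any length, and bounds every length it does read, fails with a clear protocol error instead of a heap exhaustion.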
          • 2. Re: GSSContext initialization failing when context.requestMutualAuth(true)
            843810
            Thanks for your response. I'm providing requested details below.

            Note: The captures/traces below have been anonymized.

            Here is where CVS GSSAPI authentication is described: http://www.delorie.com/gnu/docs/cvs/cvsclient_3.html

            Below is the output I'm getting on the console. Note that I'm getting this out-of-memory error since it tries to read an int from the socket, whereas "[cvs :pserver] could not verify credentials" (or similar) is returned.

            --------------------------------------------------------------------------
            Connected to server cvs.test.example.com/10.10.36.74
            Config name: /etc/krb5.conf
            Kerberos username [myprincipal]:
            Kerberos password for myprincipal:
            default etypes for default_tkt_enctypes: 18 16 23 1 3.
            default etypes for default_tkt_enctypes: 18 16 23 1 3.
            KrbAsReq calling createMessage
            KrbAsReq in createMessage
            KrbKdcReq send: kdc=kerberos.internal.example.com UDP:88, timeout=30000, number of retries =3, #bytes=145
            KDCCommunication: kdc=kerberos.internal.example.com UDP:88, timeout=30000,Attempt =1, #bytes=145
            KrbKdcReq send: #bytes read=567
            KrbKdcReq send: #bytes read=567
            EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
            KrbAsRep cons in KrbAsReq.getReply myprincipal
            default etypes for default_tkt_enctypes: 18 16 23 1 3.
            Found ticket for myprincipal@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Wed Aug 11 18:39:37 EDT 2010
            Entered Krb5Context.initSecContext with state=STATE_NEW
            Found ticket for myprincipal@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Wed Aug 11 18:39:37 EDT 2010
            Service ticket not found in the subject
            Credentials acquireServiceCreds: same realm
            default etypes for default_tgs_enctypes: 18 16 23 1 3.
            CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
            EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
            KrbKdcReq send: kdc=kerberos.internal.example.com UDP:88, timeout=30000, number of retries =3, #bytes=589
            KDCCommunication: kdc=kerberos.internal.example.com UDP:88, timeout=30000,Attempt =1, #bytes=589
            KrbKdcReq send: #bytes read=535
            KrbKdcReq send: #bytes read=535
            EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
            KrbApReq: APOptions are 00100000 00000000 00000000 00000000
            EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
            crc32: b25c43f1
            crc32: 10110010010111000100001111110001
            Krb5Context setting mySeqNumber to: 876966219
            Created InitSecContextToken:

            Will send token of size 471 from initSecContext.
            Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
                at MyClientAction.run(Client.java:128)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.Subject.doAs(Subject.java:357)
                at Client.main(Client.java:67)

            ----------------------------------

            Edited by: Severin_G on Aug 13, 2010 6:58 AM
            • 3. Re: GSSContext initialization failing when context.requestMutualAuth(true)
              843810
              The sniffed network traffic (Kerberos exchange) from this is as follows:

              ----------------------------------
              No.     Time                       Source                Destination           Protocol Info
                28211 2010-08-11 08:39:04.105321 10.15.16.120          10.5.0.11             KRB5     AS-REQ
              
              Frame 28211 (187 bytes on wire, 187 bytes captured)
                  Arrival Time: Aug 11, 2010 08:39:04.105321000
                  [Time delta from previous captured frame: 0.027807000 seconds]
                  [Time delta from previous displayed frame: 31.941427000 seconds]
                  [Time since reference or first frame: 31.941427000 seconds]
                  Frame Number: 28211
                  Frame Length: 187 bytes
                  Capture Length: 187 bytes
                  [Frame is marked: False]
                  [Protocols in frame: eth:ip:udp:kerberos]
                  [Coloring Rule Name: UDP]
                  [Coloring Rule String: udp]
              Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                  Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                      Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                  Source: Dell_85:47:69 (00:18:8b:85:47:69)
                      Address: Dell_85:47:69 (00:18:8b:85:47:69)
                      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                  Type: IP (0x0800)
              Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
                  Version: 4
                  Header length: 20 bytes
                  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                      0000 00.. = Differentiated Services Codepoint: Default (0x00)
                      .... ..0. = ECN-Capable Transport (ECT): 0
                      .... ...0 = ECN-CE: 0
                  Total Length: 173
                  Identification: 0x0000 (0)
                  Flags: 0x02 (Don't Fragment)
                      0.. = Reserved bit: Not Set
                      .1. = Don't fragment: Set
                      ..0 = More fragments: Not Set
                  Fragment offset: 0
                  Time to live: 64
                  Protocol: UDP (0x11)
                  Header checksum: 0x15aa [correct]
                      [Good: True]
                      [Bad : False]
                  Source: 10.15.16.120 (10.15.16.120)
                  Destination: 10.5.0.11 (10.5.0.11)
              User Datagram Protocol, Src Port: 48056 (48056), Dst Port: kerberos (88)
                  Source port: 48056 (48056)
                  Destination port: kerberos (88)
                  Length: 153
                  Checksum: 0x2541 [validation disabled]
                      [Good Checksum: False]
                      [Bad Checksum: False]
              Kerberos AS-REQ
                  Pvno: 5
                  MSG Type: AS-REQ (10)
                  KDC_REQ_BODY
                      Padding: 0
                      KDCOptions: 00000000
                          .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                          ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                          ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                          .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                          .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                          .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                          .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                          .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                          .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                          .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                          .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                          .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                          .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                          .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                          .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                      Client Name (Principal): myprincipal
                          Name-type: Principal (1)
                          Name: myprincipal
                      Realm: EXAMPLE.COM
                      Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                          Name-type: Service and Instance (2)
                          Name: krbtgt
                          Name: EXAMPLE.COM
                      till: 1970-01-01 00:00:00 (UTC)
                      Nonce: 219522633
                      Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                          Encryption type: aes256-cts-hmac-sha1-96 (18)
                          Encryption type: des3-cbc-sha1 (16)
                          Encryption type: rc4-hmac (23)
                          Encryption type: des-cbc-crc (1)
                          Encryption type: des-cbc-md5 (3)
              • 4. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                843810
                No.     Time                       Source                Destination           Protocol Info
                  28213 2010-08-11 08:39:04.186793 10.5.0.11             10.15.16.120          KRB5     AS-REP
                
                Frame 28213 (609 bytes on wire, 609 bytes captured)
                    Arrival Time: Aug 11, 2010 08:39:04.186793000
                    [Time delta from previous captured frame: 0.013459000 seconds]
                    [Time delta from previous displayed frame: 0.081472000 seconds]
                    [Time since reference or first frame: 32.022899000 seconds]
                    Frame Number: 28213
                    Frame Length: 609 bytes
                    Capture Length: 609 bytes
                    [Frame is marked: False]
                    [Protocols in frame: eth:ip:udp:kerberos]
                    [Coloring Rule Name: UDP]
                    [Coloring Rule String: udp]
                Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
                    Destination: Dell_85:47:69 (00:18:8b:85:47:69)
                        Address: Dell_85:47:69 (00:18:8b:85:47:69)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                        Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                    Type: IP (0x0800)
                Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
                    Version: 4
                    Header length: 20 bytes
                    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                        0000 00.. = Differentiated Services Codepoint: Default (0x00)
                        .... ..0. = ECN-Capable Transport (ECT): 0
                        .... ...0 = ECN-CE: 0
                    Total Length: 595
                    Identification: 0x0000 (0)
                    Flags: 0x02 (Don't Fragment)
                        0.. = Reserved bit: Not Set
                        .1. = Don't fragment: Set
                        ..0 = More fragments: Not Set
                    Fragment offset: 0
                    Time to live: 58
                    Protocol: UDP (0x11)
                    Header checksum: 0x1a04 [correct]
                        [Good: True]
                        [Bad : False]
                    Source: 10.5.0.11 (10.5.0.11)
                    Destination: 10.15.16.120 (10.15.16.120)
                User Datagram Protocol, Src Port: kerberos (88), Dst Port: 48056 (48056)
                    Source port: kerberos (88)
                    Destination port: 48056 (48056)
                    Length: 575
                    Checksum: 0xa870 [validation disabled]
                        [Good Checksum: False]
                        [Bad Checksum: False]
                Kerberos AS-REP
                    Pvno: 5
                    MSG Type: AS-REP (11)
                    padata: PA-ENCTYPE-INFO2
                        Type: PA-ENCTYPE-INFO2 (19)
                            Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                                Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Client Realm: EXAMPLE.COM
                    Client Name (Principal): myprincipal
                        Name-type: Principal (1)
                        Name: myprincipal
                    Ticket
                        Tkt-vno: 5
                        Realm: EXAMPLE.COM
                        Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                            Name-type: Service and Instance (2)
                            Name: krbtgt
                            Name: EXAMPLE.COM
                        enc-part aes256-cts-hmac-sha1-96
                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                            Kvno: 2
                            enc-part: 500D340BEAADD9750D0312E3BDD828626B8CB0F19BA3FAEC...
                    enc-part aes256-cts-hmac-sha1-96
                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                        enc-part: 549AA940C63E487DE9A425E624A7517FACF38D548D0FBD65...
                • 5. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                  843810
                  No.     Time                       Source                Destination           Protocol Info
                    28537 2010-08-11 08:39:40.570437 10.15.16.120          10.5.0.11             KRB5     AS-REQ
                  
                  Frame 28537 (187 bytes on wire, 187 bytes captured)
                      Arrival Time: Aug 11, 2010 08:39:40.570437000
                      [Time delta from previous captured frame: 0.003338000 seconds]
                      [Time delta from previous displayed frame: 36.383644000 seconds]
                      [Time since reference or first frame: 68.406543000 seconds]
                      Frame Number: 28537
                      Frame Length: 187 bytes
                      Capture Length: 187 bytes
                      [Frame is marked: False]
                      [Protocols in frame: eth:ip:udp:kerberos]
                      [Coloring Rule Name: UDP]
                      [Coloring Rule String: udp]
                  Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                      Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                          Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                      Source: Dell_85:47:69 (00:18:8b:85:47:69)
                          Address: Dell_85:47:69 (00:18:8b:85:47:69)
                          .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                          .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                      Type: IP (0x0800)
                  Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
                      Version: 4
                      Header length: 20 bytes
                      Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                          0000 00.. = Differentiated Services Codepoint: Default (0x00)
                          .... ..0. = ECN-Capable Transport (ECT): 0
                          .... ...0 = ECN-CE: 0
                      Total Length: 173
                      Identification: 0x0000 (0)
                      Flags: 0x02 (Don't Fragment)
                          0.. = Reserved bit: Not Set
                          .1. = Don't fragment: Set
                          ..0 = More fragments: Not Set
                      Fragment offset: 0
                      Time to live: 64
                      Protocol: UDP (0x11)
                      Header checksum: 0x15aa [correct]
                          [Good: True]
                          [Bad : False]
                      Source: 10.15.16.120 (10.15.16.120)
                      Destination: 10.5.0.11 (10.5.0.11)
                  User Datagram Protocol, Src Port: 47224 (47224), Dst Port: kerberos (88)
                      Source port: 47224 (47224)
                      Destination port: kerberos (88)
                      Length: 153
                      Checksum: 0x2541 [validation disabled]
                          [Good Checksum: False]
                          [Bad Checksum: False]
                  Kerberos AS-REQ
                      Pvno: 5
                      MSG Type: AS-REQ (10)
                      KDC_REQ_BODY
                          Padding: 0
                          KDCOptions: 00000000
                              .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                              ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                              ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                              .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                              .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                              .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                              .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                              .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                              .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                              .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                              .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                              .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                              .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                              .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                              .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                          Client Name (Principal): myprincipal
                              Name-type: Principal (1)
                              Name: myprincipal
                          Realm: EXAMPLE.COM
                          Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                              Name-type: Service and Instance (2)
                              Name: krbtgt
                              Name: EXAMPLE.COM
                          till: 1970-01-01 00:00:00 (UTC)
                          Nonce: 1901426187
                          Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                              Encryption type: aes256-cts-hmac-sha1-96 (18)
                              Encryption type: des3-cbc-sha1 (16)
                              Encryption type: rc4-hmac (23)
                              Encryption type: des-cbc-crc (1)
                              Encryption type: des-cbc-md5 (3)
                  • 6. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                    843810
                    No.     Time                       Source                Destination           Protocol Info
                      28538 2010-08-11 08:39:40.649676 10.5.0.11             10.15.16.120          KRB5     AS-REP
                    
                    Frame 28538 (609 bytes on wire, 609 bytes captured)
                        Arrival Time: Aug 11, 2010 08:39:40.649676000
                        [Time delta from previous captured frame: 0.079239000 seconds]
                        [Time delta from previous displayed frame: 0.079239000 seconds]
                        [Time since reference or first frame: 68.485782000 seconds]
                        Frame Number: 28538
                        Frame Length: 609 bytes
                        Capture Length: 609 bytes
                        [Frame is marked: False]
                        [Protocols in frame: eth:ip:udp:kerberos]
                        [Coloring Rule Name: UDP]
                        [Coloring Rule String: udp]
                    Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
                        Destination: Dell_85:47:69 (00:18:8b:85:47:69)
                            Address: Dell_85:47:69 (00:18:8b:85:47:69)
                            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                        Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                            Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                        Type: IP (0x0800)
                    Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
                        Version: 4
                        Header length: 20 bytes
                        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                            0000 00.. = Differentiated Services Codepoint: Default (0x00)
                            .... ..0. = ECN-Capable Transport (ECT): 0
                            .... ...0 = ECN-CE: 0
                        Total Length: 595
                        Identification: 0x0000 (0)
                        Flags: 0x02 (Don't Fragment)
                            0.. = Reserved bit: Not Set
                            .1. = Don't fragment: Set
                            ..0 = More fragments: Not Set
                        Fragment offset: 0
                        Time to live: 58
                        Protocol: UDP (0x11)
                        Header checksum: 0x1a04 [correct]
                            [Good: True]
                            [Bad : False]
                        Source: 10.5.0.11 (10.5.0.11)
                        Destination: 10.15.16.120 (10.15.16.120)
                    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47224 (47224)
                        Source port: kerberos (88)
                        Destination port: 47224 (47224)
                        Length: 575
                        Checksum: 0xb923 [validation disabled]
                            [Good Checksum: False]
                            [Bad Checksum: False]
                    Kerberos AS-REP
                        Pvno: 5
                        MSG Type: AS-REP (11)
                        padata: PA-ENCTYPE-INFO2
                            Type: PA-ENCTYPE-INFO2 (19)
                                Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                        Client Realm: EXAMPLE.COM
                        Client Name (Principal): myprincipal
                            Name-type: Principal (1)
                            Name: myprincipal
                        Ticket
                            Tkt-vno: 5
                            Realm: EXAMPLE.COM
                            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                                Name-type: Service and Instance (2)
                                Name: krbtgt
                                Name: EXAMPLE.COM
                            enc-part aes256-cts-hmac-sha1-96
                                Encryption type: aes256-cts-hmac-sha1-96 (18)
                                Kvno: 2
                                enc-part: 0C2CDAB6A9F9D1EF20465505CE5C79A1B05BA66CF8108CAB...
                        enc-part aes256-cts-hmac-sha1-96
                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                            enc-part: 29AC0C9E998723631A8A66C4389A2E0426962B3791944B8C...
                    • 7. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                      843810
                      No.     Time                       Source                Destination           Protocol Info
                        28547 2010-08-11 08:39:40.865350 10.15.16.120          10.5.0.11             KRB5     TGS-REQ
                      
                      Frame 28547 (631 bytes on wire, 631 bytes captured)
                          Arrival Time: Aug 11, 2010 08:39:40.865350000
                          [Time delta from previous captured frame: 0.043476000 seconds]
                          [Time delta from previous displayed frame: 0.215674000 seconds]
                          [Time since reference or first frame: 68.701456000 seconds]
                          Frame Number: 28547
                          Frame Length: 631 bytes
                          Capture Length: 631 bytes
                          [Frame is marked: False]
                          [Protocols in frame: eth:ip:udp:kerberos]
                          [Coloring Rule Name: UDP]
                          [Coloring Rule String: udp]
                      Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                          Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                              Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                          Source: Dell_85:47:69 (00:18:8b:85:47:69)
                              Address: Dell_85:47:69 (00:18:8b:85:47:69)
                              .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                              .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                          Type: IP (0x0800)
                      Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
                          Version: 4
                          Header length: 20 bytes
                          Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                              0000 00.. = Differentiated Services Codepoint: Default (0x00)
                              .... ..0. = ECN-Capable Transport (ECT): 0
                              .... ...0 = ECN-CE: 0
                          Total Length: 617
                          Identification: 0x0000 (0)
                          Flags: 0x02 (Don't Fragment)
                              0.. = Reserved bit: Not Set
                              .1. = Don't fragment: Set
                              ..0 = More fragments: Not Set
                          Fragment offset: 0
                          Time to live: 64
                          Protocol: UDP (0x11)
                          Header checksum: 0x13ee [correct]
                              [Good: True]
                              [Bad : False]
                          Source: 10.15.16.120 (10.15.16.120)
                          Destination: 10.5.0.11 (10.5.0.11)
                      User Datagram Protocol, Src Port: 41618 (41618), Dst Port: kerberos (88)
                          Source port: 41618 (41618)
                          Destination port: kerberos (88)
                          Length: 597
                          Checksum: 0x26fd [validation disabled]
                              [Good Checksum: False]
                              [Bad Checksum: False]
                      Kerberos TGS-REQ
                          Pvno: 5
                          MSG Type: TGS-REQ (12)
                          padata: PA-TGS-REQ
                              Type: PA-TGS-REQ (1)
                                  Value: 6E8201AD308201A9A003020105A10302010EA20703050000... AP-REQ
                                      Pvno: 5
                                      MSG Type: AP-REQ (14)
                                      Padding: 0
                                      APOptions: 00000000
                                          .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                          ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                                      Ticket
                                          Tkt-vno: 5
                                          Realm: EXAMPLE.COM
                                          Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                                              Name-type: Service and Instance (2)
                                              Name: krbtgt
                                              Name: EXAMPLE.COM
                                          enc-part aes256-cts-hmac-sha1-96
                                              Encryption type: aes256-cts-hmac-sha1-96 (18)
                                              Kvno: 2
                                              enc-part: 0C2CDAB6A9F9D1EF20465505CE5C79A1B05BA66CF8108CAB...
                                      Authenticator aes256-cts-hmac-sha1-96
                                          Encryption type: aes256-cts-hmac-sha1-96 (18)
                                          Authenticator data: BF837B10906C4CAE0775AA9BBBFC927AEC282B6A7651CBA8...
                          KDC_REQ_BODY
                              Padding: 0
                              KDCOptions: 00000000
                                  .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                                  ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                                  ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                                  .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                                  .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                                  .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                                  .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                                  .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                                  .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                                  .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                                  .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                                  .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                                  .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                                  .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                                  .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                              Realm: EXAMPLE.COM
                              Server Name (Unknown): cvs/cvs.test.example.com
                                  Name-type: Unknown (0)
                                  Name: cvs
                                  Name: cvs.test.example.com
                              till: 1970-01-01 00:00:00 (UTC)
                              Nonce: 772940195
                              Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5
                                  Encryption type: aes256-cts-hmac-sha1-96 (18)
                                  Encryption type: des3-cbc-sha1 (16)
                                  Encryption type: rc4-hmac (23)
                                  Encryption type: des-cbc-crc (1)
                                  Encryption type: des-cbc-md5 (3)
                      • 8. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                        843810
                        No.     Time                       Source                Destination           Protocol Info
                          28548 2010-08-11 08:39:40.952776 10.5.0.11             10.15.16.120          KRB5     TGS-REP
                        
                        Frame 28548 (577 bytes on wire, 577 bytes captured)
                            Arrival Time: Aug 11, 2010 08:39:40.952776000
                            [Time delta from previous captured frame: 0.087426000 seconds]
                            [Time delta from previous displayed frame: 0.087426000 seconds]
                            [Time since reference or first frame: 68.788882000 seconds]
                            Frame Number: 28548
                            Frame Length: 577 bytes
                            Capture Length: 577 bytes
                            [Frame is marked: False]
                            [Protocols in frame: eth:ip:udp:kerberos]
                            [Coloring Rule Name: UDP]
                            [Coloring Rule String: udp]
                        Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
                            Destination: Dell_85:47:69 (00:18:8b:85:47:69)
                                Address: Dell_85:47:69 (00:18:8b:85:47:69)
                                .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                            Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                            Type: IP (0x0800)
                        Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
                            Version: 4
                            Header length: 20 bytes
                            Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                                0000 00.. = Differentiated Services Codepoint: Default (0x00)
                                .... ..0. = ECN-Capable Transport (ECT): 0
                                .... ...0 = ECN-CE: 0
                            Total Length: 563
                            Identification: 0x0000 (0)
                            Flags: 0x02 (Don't Fragment)
                                0.. = Reserved bit: Not Set
                                .1. = Don't fragment: Set
                                ..0 = More fragments: Not Set
                            Fragment offset: 0
                            Time to live: 58
                            Protocol: UDP (0x11)
                            Header checksum: 0x1a24 [correct]
                                [Good: True]
                                [Bad : False]
                            Source: 10.5.0.11 (10.5.0.11)
                            Destination: 10.15.16.120 (10.15.16.120)
                        User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41618 (41618)
                            Source port: kerberos (88)
                            Destination port: 41618 (41618)
                            Length: 543
                            Checksum: 0xfd86 [validation disabled]
                                [Good Checksum: False]
                                [Bad Checksum: False]
                        Kerberos TGS-REP
                            Pvno: 5
                            MSG Type: TGS-REP (13)
                            Client Realm: EXAMPLE.COM
                            Client Name (Principal): myprincipal
                                Name-type: Principal (1)
                                Name: myprincipal
                            Ticket
                                Tkt-vno: 5
                                Realm: EXAMPLE.COM
                                Server Name (Unknown): cvs/cvs.test.example.com
                                    Name-type: Unknown (0)
                                    Name: cvs
                                    Name: cvs.test.example.com
                                enc-part des-cbc-crc
                                    Encryption type: des-cbc-crc (1)
                                    Kvno: 3
                                    enc-part: B8346F796169C970A566BED265EB560CAC1EAB840BA5D959...
                            enc-part aes256-cts-hmac-sha1-96
                                Encryption type: aes256-cts-hmac-sha1-96 (18)
                                enc-part: 4481315477DE6534CAA5A1435A053554F2E8CDB12D5811B0...
                        • 9. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                          843810
                          Now, compare this to a network trace where Kerberos exchanges succeed.

                          --------------------------------------
                          No.     Time                       Source                Destination           Protocol Info
                              141 2010-08-11 08:48:24.575697 10.15.16.120          10.5.0.11             KRB5     AS-REQ
                          
                          Frame 141 (227 bytes on wire, 227 bytes captured)
                              Arrival Time: Aug 11, 2010 08:48:24.575697000
                              [Time delta from previous captured frame: 0.000149000 seconds]
                              [Time delta from previous displayed frame: 18.658561000 seconds]
                              [Time since reference or first frame: 18.658561000 seconds]
                              Frame Number: 141
                              Frame Length: 227 bytes
                              Capture Length: 227 bytes
                              [Frame is marked: False]
                              [Protocols in frame: eth:ip:udp:kerberos]
                              [Coloring Rule Name: UDP]
                              [Coloring Rule String: udp]
                          Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                              Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                  Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                  .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                  .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                              Source: Dell_85:47:69 (00:18:8b:85:47:69)
                                  Address: Dell_85:47:69 (00:18:8b:85:47:69)
                                  .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                  .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                              Type: IP (0x0800)
                          Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
                              Version: 4
                              Header length: 20 bytes
                              Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                                  0000 00.. = Differentiated Services Codepoint: Default (0x00)
                                  .... ..0. = ECN-Capable Transport (ECT): 0
                                  .... ...0 = ECN-CE: 0
                              Total Length: 213
                              Identification: 0x2c5e (11358)
                              Flags: 0x02 (Don't Fragment)
                                  0.. = Reserved bit: Not Set
                                  .1. = Don't fragment: Set
                                  ..0 = More fragments: Not Set
                              Fragment offset: 0
                              Time to live: 64
                              Protocol: UDP (0x11)
                              Header checksum: 0xe923 [correct]
                                  [Good: True]
                                  [Bad : False]
                              Source: 10.15.16.120 (10.15.16.120)
                              Destination: 10.5.0.11 (10.5.0.11)
                          User Datagram Protocol, Src Port: 39656 (39656), Dst Port: kerberos (88)
                              Source port: 39656 (39656)
                              Destination port: kerberos (88)
                              Length: 193
                              Checksum: 0x2569 [validation disabled]
                                  [Good Checksum: False]
                                  [Bad Checksum: False]
                          Kerberos AS-REQ
                              Pvno: 5
                              MSG Type: AS-REQ (10)
                              padata: Unknown:149
                                  Type: Unknown (149)
                                      Value: <MISSING>
                              KDC_REQ_BODY
                                  Padding: 0
                                  KDCOptions: 40010010 (Forwardable, Canonicalize, Renewable OK)
                                      .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                                      ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                                      ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                                      .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                                      .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                                      .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                                      .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                                      .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                                      .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                                      .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                                      .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                                      .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
                                      .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                                      .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                                      .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                                  Client Name (Principal): myprincipal
                                      Name-type: Principal (1)
                                      Name: myprincipal
                                  Realm: EXAMPLE.COM
                                  Server Name (Unknown): krbtgt/EXAMPLE.COM
                                      Name-type: Unknown (0)
                                      Name: krbtgt
                                      Name: EXAMPLE.COM
                                  from: 2010-08-11 12:48:24 (UTC)
                                  till: 2010-08-12 12:48:24 (UTC)
                                  Nonce: 1093728284
                                  Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                                      Encryption type: aes256-cts-hmac-sha1-96 (18)
                                      Encryption type: des3-cbc-sha1 (16)
                                      Encryption type: rc4-hmac (23)
                                      Encryption type: des-cbc-crc (1)
                                      Encryption type: des-cbc-md5 (3)
                                      Encryption type: des-cbc-md4 (2)
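An added example (not the poster's code, nor Sun's SampleClient): a small parser for Wireshark verbose dissections like the ones pasted in this thread, pulling out the fields worth comparing between the failing and the working exchange (KDCOptions, till, server name, offered enctypes, and the enctype of the ticket carried in each message) and flagging deprecated enctypes such as the des-cbc-crc service ticket in the failing TGS-REP above. The embedded dumps are constructed, condensed versions of the thread's traces, and the RFC 4120 bit numbering used for KDCOptions is an assumption about how Wireshark labels the flags.

```python
"""Extract comparable fields from Wireshark verbose Kerberos dissections like the ones pasted in
this thread, and flag deprecated enctypes. Added example, not the original poster's code."""
import re
from typing import Dict, List

# KDCOptions bit numbers per RFC 4120 s.5.4.1 (bit 0 = MSB); bit 14 labelled as Wireshark prints it.
KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy", 5: "allow-postdate",
                   6: "postdated", 8: "renewable", 11: "opt-hardware-auth", 14: "constrained-delegation",
                   15: "canonicalize", 26: "disable-transited-check", 27: "renewable-ok",
                   28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
# Single DES (RFC 6649) and DES3/RC4 (RFC 8429) enctypes are deprecated.
WEAK_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}
MSG_RE = re.compile(r"Kerberos (AS-REQ|AS-REP|TGS-REQ|TGS-REP)$")
ETYPE_RE = re.compile(r"Encryption type: \S+ \((\d+)\)")

def decode_kdc_options(value: int) -> List[str]:
    """Names of the KDCOptions bits set in the hex word Wireshark prints (e.g. 40010010)."""
    return [n for bit, n in sorted(KDC_OPTION_BITS.items()) if value & (1 << (31 - bit))]

def parse_kerberos_messages(dump: str) -> List[Dict]:
    """One record per Kerberos message; 'ticket_etype' is the enctype of the ticket carried in it
    (the issued ticket in a *-REP, the TGT inside PA-TGS-REQ in a TGS-REQ)."""
    msgs, cur = [], None
    list_indent = None   # indentation of the "Encryption Types:" header while inside that list
    fill_ticket = False  # the next "Encryption type:" line belongs to the ticket's enc-part
    for raw in dump.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if list_indent is not None and indent <= list_indent:
            list_indent = None                    # left the Encryption Types list
        if m := MSG_RE.match(line):
            cur = {"type": m.group(1), "kdc_options": None, "till": None, "sname": None,
                   "offered_etypes": [], "ticket_etype": None}
            msgs.append(cur)
            fill_ticket = False
        elif cur is None:
            continue
        elif line.startswith("KDCOptions:"):
            cur["kdc_options"] = int(line.split()[1], 16)
        elif line.startswith("till:"):
            cur["till"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server Name"):       # last one wins: KDC_REQ_BODY or Ticket sname
            cur["sname"] = line.split(": ", 1)[1]
        elif line.startswith("Encryption Types:"):
            list_indent = indent
        elif line.startswith("enc-part ") and cur["ticket_etype"] is None:
            fill_ticket = True                    # the first enc-part seen is the ticket's
        elif m := ETYPE_RE.match(line):
            if list_indent is not None:           # an entry of the client's offered-etype list
                cur["offered_etypes"].append(int(m.group(1)))
            elif fill_ticket:
                cur["ticket_etype"], fill_ticket = int(m.group(1)), False
    return msgs

def audit_enctypes(msgs: List[Dict]) -> List[str]:
    """Defender-side check: deprecated enctypes offered by the client or used for an issued ticket."""
    out = []
    for i, m in enumerate(msgs):
        weak = [WEAK_ETYPES[e] for e in m["offered_etypes"] if e in WEAK_ETYPES]
        if weak:
            out.append(f"msg {i} {m['type']}: client offers deprecated enctypes {weak}")
        if m["type"].endswith("REP") and m["ticket_etype"] in WEAK_ETYPES:
            out.append(f"msg {i} {m['type']}: ticket for {m['sname']} uses {WEAK_ETYPES[m['ticket_etype']]}")
    return out

def compare_requests(a: Dict, b: Dict) -> Dict[str, tuple]:
    """Fields that differ between two messages, e.g. the failing and the working AS-REQ."""
    show = lambda k, v: decode_kdc_options(v or 0) if k == "kdc_options" else v
    return {k: (show(k, a[k]), show(k, b[k]))
            for k in ("kdc_options", "till", "sname", "offered_etypes") if a[k] != b[k]}

# Constructed, condensed dumps modeled on this thread's traces (only the fields the parser reads).
FAILING = """\
Kerberos AS-REQ
    KDC_REQ_BODY
        KDCOptions: 00000000
        till: 1970-01-01 00:00:00 (UTC)
        Encryption Types: aes256-cts-hmac-sha1-96 des-cbc-crc
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: des-cbc-crc (1)
Kerberos TGS-REP
    Ticket
        Server Name (Unknown): cvs/cvs.test.example.com
        enc-part des-cbc-crc
            Encryption type: des-cbc-crc (1)
    enc-part aes256-cts-hmac-sha1-96
        Encryption type: aes256-cts-hmac-sha1-96 (18)
"""
WORKING = """\
Kerberos AS-REQ
    KDC_REQ_BODY
        KDCOptions: 40010010 (Forwardable, Canonicalize, Renewable OK)
        till: 2010-08-12 12:48:24 (UTC)
        Encryption Types: aes256-cts-hmac-sha1-96 des-cbc-crc
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: des-cbc-crc (1)
"""

if __name__ == "__main__":
    print(compare_requests(parse_kerberos_messages(FAILING)[0], parse_kerberos_messages(WORKING)[0]))
    print(audit_enctypes(parse_kerberos_messages(FAILING)))
```

Run it on the full dumps above (paste them into the two strings) and the same two functions show the KDCOptions and till differences between the AS-REQs and flag the des-cbc-crc ticket issued for cvs/cvs.test.example.com.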
                          • 10. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                            843810
                            No.     Time                       Source                Destination           Protocol Info
                                142 2010-08-11 08:48:24.661614 10.5.0.11             10.15.16.120          KRB5     AS-REP
                            
                            Frame 142 (649 bytes on wire, 649 bytes captured)
                                Arrival Time: Aug 11, 2010 08:48:24.661614000
                                [Time delta from previous captured frame: 0.085917000 seconds]
                                [Time delta from previous displayed frame: 0.085917000 seconds]
                                [Time since reference or first frame: 18.744478000 seconds]
                                Frame Number: 142
                                Frame Length: 649 bytes
                                Capture Length: 649 bytes
                                [Frame is marked: False]
                                [Protocols in frame: eth:ip:udp:kerberos]
                                [Coloring Rule Name: UDP]
                                [Coloring Rule String: udp]
                            Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
                                Destination: Dell_85:47:69 (00:18:8b:85:47:69)
                                    Address: Dell_85:47:69 (00:18:8b:85:47:69)
                                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                    Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                    .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                Type: IP (0x0800)
                            Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
                                Version: 4
                                Header length: 20 bytes
                                Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                                    0000 00.. = Differentiated Services Codepoint: Default (0x00)
                                    .... ..0. = ECN-Capable Transport (ECT): 0
                                    .... ...0 = ECN-CE: 0
                                Total Length: 635
                                Identification: 0x0000 (0)
                                Flags: 0x02 (Don't Fragment)
                                    0.. = Reserved bit: Not Set
                                    .1. = Don't fragment: Set
                                    ..0 = More fragments: Not Set
                                Fragment offset: 0
                                Time to live: 58
                                Protocol: UDP (0x11)
                                Header checksum: 0x19dc [correct]
                                    [Good: True]
                                    [Bad : False]
                                Source: 10.5.0.11 (10.5.0.11)
                                Destination: 10.15.16.120 (10.15.16.120)
                            User Datagram Protocol, Src Port: kerberos (88), Dst Port: 39656 (39656)
                                Source port: kerberos (88)
                                Destination port: 39656 (39656)
                                Length: 615
                                Checksum: 0x267e [validation disabled]
                                    [Good Checksum: False]
                                    [Bad Checksum: False]
                            Kerberos AS-REP
                                Pvno: 5
                                MSG Type: AS-REP (11)
                                padata: PA-ENCTYPE-INFO2
                                    Type: PA-ENCTYPE-INFO2 (19)
                                        Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                                            Encryption type: aes256-cts-hmac-sha1-96 (18)
                                Client Realm: EXAMPLE.COM
                                Client Name (Principal): myprincipal
                                    Name-type: Principal (1)
                                    Name: myprincipal
                                Ticket
                                    Tkt-vno: 5
                                    Realm: EXAMPLE.COM
                                    Server Name (Unknown): krbtgt/EXAMPLE.COM
                                        Name-type: Unknown (0)
                                        Name: krbtgt
                                        Name: EXAMPLE.COM
                                    enc-part aes256-cts-hmac-sha1-96
                                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                                        Kvno: 2
                                        enc-part: 965F746441DBACDD329CFE30D8BF67A40DCBE3FCDCA9CF57...
                                enc-part aes256-cts-hmac-sha1-96
                                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                                    enc-part: 60B6D1BD59D62795AA0986B8FBF43CD1D5DE8117E033022F...
                            • 11. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                              843810
                              No.     Time                       Source                Destination           Protocol Info
                                  268 2010-08-11 08:48:39.601024 10.15.16.120          10.5.0.11             KRB5     TGS-REQ
                              
                              Frame 268 (698 bytes on wire, 698 bytes captured)
                                  Arrival Time: Aug 11, 2010 08:48:39.601024000
                                  [Time delta from previous captured frame: 0.000113000 seconds]
                                  [Time delta from previous displayed frame: 14.939410000 seconds]
                                  [Time since reference or first frame: 33.683888000 seconds]
                                  Frame Number: 268
                                  Frame Length: 698 bytes
                                  Capture Length: 698 bytes
                                  [Frame is marked: False]
                                  [Protocols in frame: eth:ip:udp:kerberos]
                                  [Coloring Rule Name: UDP]
                                  [Coloring Rule String: udp]
                              Ethernet II, Src: Dell_85:47:69 (00:18:8b:85:47:69), Dst: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                  Destination: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                      Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                  Source: Dell_85:47:69 (00:18:8b:85:47:69)
                                      Address: Dell_85:47:69 (00:18:8b:85:47:69)
                                      .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                      .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                  Type: IP (0x0800)
                              Internet Protocol, Src: 10.15.16.120 (10.15.16.120), Dst: 10.5.0.11 (10.5.0.11)
                                  Version: 4
                                  Header length: 20 bytes
                                  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                                      0000 00.. = Differentiated Services Codepoint: Default (0x00)
                                      .... ..0. = ECN-Capable Transport (ECT): 0
                                      .... ...0 = ECN-CE: 0
                                  Total Length: 684
                                  Identification: 0x670f (26383)
                                  Flags: 0x02 (Don't Fragment)
                                      0.. = Reserved bit: Not Set
                                      .1. = Don't fragment: Set
                                      ..0 = More fragments: Not Set
                                  Fragment offset: 0
                                  Time to live: 64
                                  Protocol: UDP (0x11)
                                  Header checksum: 0xac9b [correct]
                                      [Good: True]
                                      [Bad : False]
                                  Source: 10.15.16.120 (10.15.16.120)
                                  Destination: 10.5.0.11 (10.5.0.11)
                              User Datagram Protocol, Src Port: 47471 (47471), Dst Port: kerberos (88)
                                  Source port: 47471 (47471)
                                  Destination port: kerberos (88)
                                  Length: 664
                                  Checksum: 0x2740 [validation disabled]
                                      [Good Checksum: False]
                                      [Bad Checksum: False]
                              Kerberos TGS-REQ
                                  Pvno: 5
                                  MSG Type: TGS-REQ (12)
                                  padata: PA-TGS-REQ
                                      Type: PA-TGS-REQ (1)
                                          Value: 6E8201ED308201E9A003020105A10302010EA20703050000... AP-REQ
                                              Pvno: 5
                                              MSG Type: AP-REQ (14)
                                              Padding: 0
                                              APOptions: 00000000
                                                  .0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
                                                  ..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
                                              Ticket
                                                  Tkt-vno: 5
                                                  Realm: EXAMPLE.COM
                                                  Server Name (Unknown): krbtgt/EXAMPLE.COM
                                                      Name-type: Unknown (0)
                                                      Name: krbtgt
                                                      Name: EXAMPLE.COM
                                                  enc-part aes256-cts-hmac-sha1-96
                                                      Encryption type: aes256-cts-hmac-sha1-96 (18)
                                                      Kvno: 2
                                                      enc-part: 965F746441DBACDD329CFE30D8BF67A40DCBE3FCDCA9CF57...
                                              Authenticator aes256-cts-hmac-sha1-96
                                                  Encryption type: aes256-cts-hmac-sha1-96 (18)
                                                  Authenticator data: BB71EA777A4F89398F8D393CDB171D3154236273FD348407...
                                  KDC_REQ_BODY
                                      Padding: 0
                                      KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
                                          .1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
                                          ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                                          ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                                          .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                                          .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                                          .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                                          .... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
                                          .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                                          .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                                          .... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
                                          .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                                          .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
                                          .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
                                          .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                                          .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
                                      Realm: EXAMPLE.COM
                                      Server Name (Service and Host): cvs/cvs.test.example.com
                                          Name-type: Service and Host (3)
                                          Name: cvs
                                          Name: cvs.test.example.com
                                      till: 2010-08-11 22:48:21 (UTC)
                                      Nonce: 1281530907
                                      Encryption Types: aes256-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
                                          Encryption type: aes256-cts-hmac-sha1-96 (18)
                                          Encryption type: des3-cbc-sha1 (16)
                                          Encryption type: rc4-hmac (23)
                                          Encryption type: des-cbc-crc (1)
                                          Encryption type: des-cbc-md5 (3)
                                          Encryption type: des-cbc-md4 (2)
                              • 12. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                                843810
                                No.     Time                       Source                Destination           Protocol Info
                                    270 2010-08-11 08:48:39.689031 10.5.0.11             10.15.16.120          KRB5     TGS-REP
                                
                                Frame 270 (615 bytes on wire, 615 bytes captured)
                                    Arrival Time: Aug 11, 2010 08:48:39.689031000
                                    [Time delta from previous captured frame: 0.062874000 seconds]
                                    [Time delta from previous displayed frame: 0.088007000 seconds]
                                    [Time since reference or first frame: 33.771895000 seconds]
                                    Frame Number: 270
                                    Frame Length: 615 bytes
                                    Capture Length: 615 bytes
                                    [Frame is marked: False]
                                    [Protocols in frame: eth:ip:udp:kerberos]
                                    [Coloring Rule Name: UDP]
                                    [Coloring Rule String: udp]
                                Ethernet II, Src: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f), Dst: Dell_85:47:69 (00:18:8b:85:47:69)
                                    Destination: Dell_85:47:69 (00:18:8b:85:47:69)
                                        Address: Dell_85:47:69 (00:18:8b:85:47:69)
                                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                    Source: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                        Address: Cisco_ba:e4:7f (00:0f:23:ba:e4:7f)
                                        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
                                        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
                                    Type: IP (0x0800)
                                Internet Protocol, Src: 10.5.0.11 (10.5.0.11), Dst: 10.15.16.120 (10.15.16.120)
                                    Version: 4
                                    Header length: 20 bytes
                                    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
                                        0000 00.. = Differentiated Services Codepoint: Default (0x00)
                                        .... ..0. = ECN-Capable Transport (ECT): 0
                                        .... ...0 = ECN-CE: 0
                                    Total Length: 601
                                    Identification: 0x0000 (0)
                                    Flags: 0x02 (Don't Fragment)
                                        0.. = Reserved bit: Not Set
                                        .1. = Don't fragment: Set
                                        ..0 = More fragments: Not Set
                                    Fragment offset: 0
                                    Time to live: 58
                                    Protocol: UDP (0x11)
                                    Header checksum: 0x19fe [correct]
                                        [Good: True]
                                        [Bad : False]
                                    Source: 10.5.0.11 (10.5.0.11)
                                    Destination: 10.15.16.120 (10.15.16.120)
                                User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47471 (47471)
                                    Source port: kerberos (88)
                                    Destination port: 47471 (47471)
                                    Length: 581
                                    Checksum: 0xb1bf [validation disabled]
                                        [Good Checksum: False]
                                        [Bad Checksum: False]
                                Kerberos TGS-REP
                                    Pvno: 5
                                    MSG Type: TGS-REP (13)
                                    Client Realm: EXAMPLE.COM
                                    Client Name (Principal): myprincipal
                                        Name-type: Principal (1)
                                        Name: myprincipal
                                    Ticket
                                        Tkt-vno: 5
                                        Realm: EXAMPLE.COM
                                        Server Name (Service and Host): cvs/cvs.test.example.com
                                            Name-type: Service and Host (3)
                                            Name: cvs
                                            Name: cvs.test.example.com
                                        enc-part des-cbc-crc
                                            Encryption type: des-cbc-crc (1)
                                            Kvno: 3
                                            enc-part: 313842868669488163D7A869686D1FAE08C5AF0BCA05EE8B...
                                    enc-part aes256-cts-hmac-sha1-96
                                        Encryption type: aes256-cts-hmac-sha1-96 (18)
                                        enc-part: 0355CF787484A4384BD0C83623D370CF880502470529832C...
                                • 13. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                                  843810
                                  Note that the last exchange trace was sniffed when using a working native client. I realize that there are differences in KDCOptions, till time and cvs service name (which in the Java trace is "unknown"). I don't know how to set KDCOptions in a Java program?! Any more thoughts on this? Help is hugely appreciated!

                                  Sorry about the spam, but Oracle forums don't allow single posts to be longer than 7K something characters :-(

                                  Thanks!

                                  Edited by: Severin_G on Aug 13, 2010 7:16 AM
                                  • 14. Re: GSSContext initialization failing when context.requestMutualAuth(true)
                                    843810
                                    Your traced packets do not provide much info. These are AS and TGS messages between the client and the KDC, not JGSS tokens. JGSS tokens are transferred between the application (here, cvs) client and server.

                                    The exception thrown in your app is OutOfMemoryError. It's quite likely that the "token = new byte[inStream.readInt()];" line has a problem. I guess the server has not sent the length at all. Please try directly calling initSecContext on the stream itself:

                                    http://download.java.net/jdk7/docs/api/org/ietf/jgss/GSSContext.html#initSecContext(java.io.InputStream, java.io.OutputStream)
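A bounded version of the token read plus the stream-based initSecContext loop suggested above, as an added example that is not code from the thread or from the JDK samples; the MAX_TOKEN_BYTES cap and the sample bytes in main are constructed for this illustration:

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public class BoundedTokenReader {

    // Upper bound for one GSS token. Kerberos AP-REQ/AP-REP tokens are a few
    // KB; 64 KiB is a generous, hypothetical cap chosen for this example.
    static final int MAX_TOKEN_BYTES = 64 * 1024;

    // Reads a length-prefixed token but refuses to allocate when the prefix
    // is not a plausible token length. The original
    // "token = new byte[inStream.readInt()]" allocates whatever four bytes
    // arrive first (e.g. the start of a text banner) and dies with
    // OutOfMemoryError instead of reporting a framing mismatch.
    static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > MAX_TOKEN_BYTES) {
            throw new IOException("implausible token length " + len
                    + " (peer is probably not using length-prefixed framing)");
        }
        byte[] token = new byte[len];
        in.readFully(token);   // throws EOFException on a short read
        return token;
    }

    // Alternative from the thread: let JGSS consume the token itself.
    // GSS-API tokens are DER-framed and self-delimiting, so no application
    // length prefix is needed. Per the Javadoc, the InputStream is ignored on
    // the first call because no peer token has been received yet.
    static void establish(GSSContext ctx, InputStream in, OutputStream out)
            throws GSSException, IOException {
        do {
            ctx.initSecContext(in, out);   // returns bytes written to out
            out.flush();
        } while (!ctx.isEstablished());
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a well-formed 3-byte token, then a stream whose
        // first four bytes are ASCII text rather than a length.
        byte[] good = {0, 0, 0, 3, 0x60, 0x06, 0x06};
        byte[] banner = "error: no such user\n".getBytes("US-ASCII");
        byte[] tok = readToken(new DataInputStream(new ByteArrayInputStream(good)));
        System.out.println("token bytes: " + tok.length);
        try {
            readToken(new DataInputStream(new ByteArrayInputStream(banner)));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main shows the well-formed token read normally and the text banner rejected with a readable error, which is the diagnostic the OutOfMemoryError was hiding.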