2 Replies Latest reply: Jul 19, 2010 1:25 AM by 843810

    Kerberos & Java GSS (JGSS) - pre-authentication required

    843810
      Hi,

      I've set up some Linux VMs for a project:
      krbsrv as Kerberos server
      Client as Kerberos client

      When I try to sign in from the client to the server with JAAS and JGSS, I have a small issue: error code 25, "Additional pre-authentication required".
      It works properly because the LoginContext redoes the authentication with PRE_AUTH, but in DEBUG mode I always see the same error/warning:


      KRBError:
           cTime is Mon May 09 12:44:57 CEST 2022 1652093097000
           sTime is Sun Jul 18 15:25:47 CEST 2010 1279459547000
           suSec is 445405
           error code is 25
           error Message is Additional pre-authentication required
           eData provided.
           msgType is 30

      Pre-Authentication Data:
           PA-DATA type = 2
           PA-ENC-TIMESTAMP

      Pre-Authentication Data:
           PA-DATA type = 136

      Pre-Authentication Data:
           PA-DATA type = 19
           PA-ETYPE-INFO2 etype = 18

      Pre-Authentication Data:
           PA-DATA type = 13

      Pre-Authentication Data:
           PA-DATA type = 133

      KRBError received: NEEDED_PREAUTH
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ





      The program works because it redoes the authentication with PREAUTH, but I want to know where I can set it to do PREAUTH first.
      I have to deliver the project to my boss, so I must understand how to eliminate this warning. :D


      Here is the code for the login to Kerberos:
      import javax.security.auth.login.LoginContext;
      import javax.security.auth.login.LoginException;

      private void login(String username, String password) throws LoginException
      {
          // "Client" is the authentication type specified in the JAAS file jaas.conf.
          LoginContext loginCtx = new LoginContext("Client", new LoginCallbackHandler(username, password));

          // Runs the configured Krb5LoginModule and keeps the authenticated Subject.
          loginCtx.login();
          this.subject = loginCtx.getSubject();
      }
      JAAS.CONF:
      Client {
          com.sun.security.auth.module.Krb5LoginModule required
          useTicketCache=false;
      };
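      Here is the GSS code:
      import java.security.PrivilegedAction;
      import javax.security.auth.Subject;
      import org.ietf.jgss.*;

      private void initiateSecurityContext(String servicePrincipalName) throws GSSException
      {
          GSSManager manager = GSSManager.getInstance();

          // Kerberos V5 GSS-API mechanism OID.
          Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
          // Kerberos V5 principal name type OID.
          Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");

          GSSName serverName = manager.createName(servicePrincipalName, krb5PrincipalNameType);

          final GSSContext context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME);

          // Run as the logged-in Subject so the context can use its Kerberos credentials.
          this.serviceTicket = Subject.doAs(subject, new PrivilegedAction<byte[]>()
          {
              public byte[] run()
              {
                  try
                  {
                      byte[] token = new byte[0];
                      context.requestMutualAuth(false);
                      context.requestCredDeleg(false);
                      // The first call returns the initial context token for the service.
                      return context.initSecContext(token, 0, token.length);
                  }
                  catch (GSSException e)
                  {
                      e.printStackTrace();
                      return null;
                  }
              }
          });
      }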
      Where can I set the PRE_AUTH option?


      Thx.
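
Added example, not part of the original post: a small Java triage of the KRBError debug block shown above. It treats error code 25 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120) that offers PA-ENC-TIMESTAMP and is followed by the re-sent AS-REQ as the pre-authentication negotiation step, and flags anything else for review. The class name `KrbErrorTriage`, the method `triage` and the verdict labels are assumptions made for this example.

```java
import java.util.*;
import java.util.regex.*;

public class KrbErrorTriage {
    static final int KDC_ERR_PREAUTH_REQUIRED = 25; // RFC 4120 error code
    static final int PA_ENC_TIMESTAMP = 2;          // RFC 4120 padata type

    static final Pattern CODE  = Pattern.compile("error code is (\\d+)");
    static final Pattern PA    = Pattern.compile("PA-DATA type = (\\d+)");
    static final Pattern ETYPE = Pattern.compile("PA-ETYPE-INFO2 etype = (\\d+)");

    /** Classifies one KRBError block from the JGSS debug output (hypothetical helper). */
    static String triage(String dump) {
        int code = -1;
        Set<Integer> offered = new TreeSet<>();   // PA-DATA types the KDC listed
        List<Integer> etypes = new ArrayList<>(); // enctypes from PA-ETYPE-INFO2
        for (String line : dump.split("\\r?\\n")) {
            Matcher m;
            if ((m = CODE.matcher(line)).find()) code = Integer.parseInt(m.group(1));
            else if ((m = ETYPE.matcher(line)).find()) etypes.add(Integer.parseInt(m.group(1)));
            else if ((m = PA.matcher(line)).find()) offered.add(Integer.parseInt(m.group(1)));
        }
        boolean resent = dump.contains("re-send AS-REQ");
        if (code == KDC_ERR_PREAUTH_REQUIRED && offered.contains(PA_ENC_TIMESTAMP) && resent)
            return "NEGOTIATION: KDC requested pre-auth (PA types " + offered
                 + ", etypes " + etypes + "); client re-sent AS-REQ";
        if (code == KDC_ERR_PREAUTH_REQUIRED)
            return "CHECK: pre-auth requested, but no PA-ENC-TIMESTAMP offer or no re-send seen";
        return "INVESTIGATE: KRBError code " + code;
    }

    public static void main(String[] args) {
        // Sample input: lines copied from the trace in the post (timestamps omitted).
        String sample = String.join("\n",
            "KRBError:",
            "     error code is 25",
            "     error Message is Additional pre-authentication required",
            "Pre-Authentication Data:",
            "     PA-DATA type = 2",
            "     PA-ENC-TIMESTAMP",
            "Pre-Authentication Data:",
            "     PA-DATA type = 19",
            "     PA-ETYPE-INFO2 etype = 18",
            "KRBError received: NEEDED_PREAUTH",
            "AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ");
        System.out.println(triage(sample));
    }
}
```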