9 Replies Latest reply: Oct 18, 2009 1:07 PM by 843810

    Unsupported mechanism requested

    843810
      Hi,

      I am trying to develop a JAAS module with Kerberos 5 support using the JGSS API, but I am stuck on 2 problems. The first error is "Additional pre-authentication required" and the second one is "GSSException: 1.3.6.1.5.5.2 (Unsupported mechanism requested)". The code is below:

          byte[] spNegoToken = null;
          GSSManager manager = GSSManager.getInstance();

          Oid spnegoOID = new Oid("1.2.840.113554.1.2.2"); // SPNEGO
          GSSName serverName = manager.createName("j2ee-acp@YASAR.GRP", null);

          GSSCredential serverCreds = manager.createCredential(serverName, GSSCredential.DEFAULT_LIFETIME,
                                                               spnegoOID, GSSCredential.ACCEPT_ONLY);
          GSSContext context = manager.createContext(serverCreds);

          context.requestMutualAuth(true);  // Mutual authentication
          context.requestConf(true);  // Will use confidentiality later
          context.requestInteg(true); // Will use integrity later

          while (!context.isEstablished()) {
               Base64 base = new Base64();
               spNegoToken = base.decode(Token);
               byte[] atoken = context.acceptSecContext(spNegoToken, 0, spNegoToken.length);
          }

      As far as I am concerned, "Additional pre-authentication required" can be ignored, but not the second one. Can anyone suggest a solution?

      Thank you,

      Orkun Gedik
        • 1. Re: Unsupported mechanism requested
          843810
          1.3.6.1.5.5.2 is SPNEGO and 1.2.840.113554.1.2.2 is Kerberos 5.
          • 2. Re: Unsupported mechanism requested
            843810
            Hi wangwj,

            Thank you for your response. In order to decode the username from the incoming "Authorization" request, regarding the 401 unauthorized message from the web browser, what way shall I follow? Would you help me please? I can't find any document about this. I am really stuck on this issue...

            Thank you very much.
            • 3. Re: Unsupported mechanism requested
              843810
              Are you writing a web server?

              The original program is basically correct, only you should call "Oid spnegoOID = new Oid("1.3.6.1.5.5.2")". Finally, after context.isEstablished() becomes true, you can call context.getSrcName() to get the name of the client.
              • 4. Re: Unsupported mechanism requested
                843810
                Thank you for your feedback. You know that it is really hard to find documentation about Kerberos or SPNEGO. I am developing a JAAS module that supports SPNEGO. In order to understand and simplify the SPNEGO authentication process, I developed an EJB and am working on it. Please find how the EJB works below:

                * Browse to the EJB via Internet Explorer
                * At the first stage, the EJB returns 401 unauthorized and requests "Negotiate" in the HTTP header
                * The browser sends a ticket to the EJB
                * I am stuck at this step, because I cannot resolve the user principal in the ticket.

                Please note that I have already configured the keytab and am using it.

                So, if I use "Oid spnegoOID = new Oid("1.3.6.1.5.5.2")", the system generates the error below:
                MajorString: Unsupported mechanism requested
                Major: 2
                MinorString: null
                Minor: 0
                key: YIIFsAYGKwYBBQUCoIIFpDCCBaCgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBXYEggVyYIIFbgYJKoZIhvcSAQICAQBuggVdMIIFWaADAgEFoQMCAQ6iBwMFACAAAACjggSJYYIEhTCCBIGgAwIBBaELGwlZQVNBUi5HUlCiGzAZoAMCAQKhEjAQGwRIVFRQGwhjcjd0c3QwMaOCBE4wggRKoAMCAQOhAwIBA6KCBDwEggQ4lCobHzK0LiDQDVa1rzR1zJ6d0jgxEfcaokiJLeZA45bJjk82xwhXiZV
                Please, do you have a suggestion about this?
                • 5. Re: Unsupported mechanism requested
                  843810
                  Please find the updated code below:

                      Oid spnegoOID = new Oid("1.3.6.1.5.5.2"); // SPNEGO
                      GSSName serverName = manager.createName("HTTP/cr7tst01.yasarsap.astron.grp@YASAR.GRP", null);

                      GSSContext context = manager.createContext(serverName.canonicalize(spnegoOID), spnegoOID, null, GSSCredential.DEFAULT_LIFETIME);

                      context.requestMutualAuth(true);
                      context.requestCredDeleg(true);
                      // GSSContext context = manager.createContext(serverCreds);

                      while (!context.isEstablished()) {
                           Base64 base = new Base64();
                           spNegoToken = base.decode(Token);
                           byte[] atoken = context.acceptSecContext(spNegoToken, 0, spNegoToken.length);
                      }

                  Another version of the code is below:

                      Oid spnegoOID = new Oid("1.3.6.1.5.5.2"); // SPNEGO
                      GSSName serverName = manager.createName("HTTP/cr7tst01.yasarsap.astron.grp@YASAR.GRP", null);

                      GSSCredential serverCreds = manager.createCredential(serverName, GSSCredential.DEFAULT_LIFETIME, spnegoOID, GSSCredential.ACCEPT_ONLY);

                      GSSContext context = manager.createContext(serverCreds);
                      context.requestMutualAuth(true);
                      context.requestCredDeleg(true);

                      while (!context.isEstablished()) {
                           Base64 base = new Base64();
                           spNegoToken = base.decode(Token);
                           byte[] atoken = context.acceptSecContext(spNegoToken, 0, spNegoToken.length);
                      }

                  Regarding the source code, the system generates the "Unsupported mechanism requested" error in the first code at the "manager.createContext" method and in the second code at the "manager.createCredential" method.

                  Edited by: orkungedik on Oct 5, 2009 11:11 PM
                  • 6. Re: Unsupported mechanism requested
                    843810
                    I attached the keytab below:

                    [domain_realm]
                    [libdefaults]  
                      default_keytab_name = D:\usr\sap\CR7\SYS\global\kerberos\keytab 
                      default_realm = YASAR.GRP 
                      dns_lookup_kdc = true 
                      default_tgs_enctypes=des-cbc-crc;des-cbc-md5  
                      default_tkt_enctypes=des-cbc-crc;des-cbc-md5  
                    
                    [logging]
                    
                    [realms]
                      YASAR.GRP = { 
                        kdc = dcyim1.yasar.grp:88
                      }
                    • 7. Re: Unsupported mechanism requested
                      843810
                      You can read http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/index.html for more programming topics on JGSS.

                      In your case, you should call

                      GSSName serverName = manager.createName("HTTP@cr7tst01.yasarsap.astron.grp", GSSName.NT_HOSTBASED_SERVICE);

                      Here, the service names in Kerberos and JGSS are quite different; see
                      http://java.sun.com/javase/6/docs/api/org/ietf/jgss/GSSName.html#NT_HOSTBASED_SERVICE
                      • 8. Re: Unsupported mechanism requested
                        843810
                        wangwj,

                        Thank you for your feedback. How do I decode the incoming ticket, which starts with "YIIFsAYGKwYBBQUCoIIFpDCCBaCgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgE...", from the browser?

                        Please find the code below:

                            ASN1Object asn = null;

                            byte[] _token = Base64.decode(Token);

                            try {
                                 asn = DerCoder.decode(_token);
                            } catch (CodingException e1) {
                                 e1.printStackTrace();
                            }

                        But "DerCoder.decode(_token)" returns "Unknown Tag" inside the "asn" variable and I can't use it. Would you give a suggestion about the problem?

                        Thank you

                        Edited by: orkungedik on Oct 8, 2009 11:46 PM
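
The token posted in reply 4 opens with tag 0x60, the GSS-API [APPLICATION 0] wrapper, followed by the outer mechanism OID and a NegTokenInit carrying the client's mechTypes list, which is where the two OIDs distinguished in reply 1 both appear. The following is an added example, not code from any poster or from the JGSS project, that reads only that header from the first 80 Base64 characters of the posted token. The class and method names are hypothetical, and java.util.Base64 assumes Java 8 or later.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class NegotiateTokenPeek { // hypothetical name; added illustration, not from the thread
    // First 80 Base64 characters of the token posted in reply 4 of this thread.
    static final String PREFIX = "YIIFsAYGKwYBBQUCoIIFpDCCBaCgJDAiBgkqhkiC"
            + "9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKC";
    private final byte[] buf;
    private int pos;
    NegotiateTokenPeek(byte[] token) { buf = token; }

    // Consume one DER tag and its length (short or long form); return the length.
    int expect(int tag) {
        int t = buf[pos++] & 0xff;
        if (t != tag) throw new IllegalArgumentException("unexpected DER tag 0x" + Integer.toHexString(t));
        int len = buf[pos++] & 0xff;
        if (len < 0x80) return len;
        int n = len & 0x7f;
        for (len = 0; n > 0; n--) len = (len << 8) | (buf[pos++] & 0xff);
        return len;
    }

    // Consume one DER-encoded OBJECT IDENTIFIER (tag 0x06) and wrap it in a JGSS Oid.
    Oid readOid() throws GSSException {
        int start = pos;
        int len = expect(0x06);
        pos += len;
        return new Oid(Arrays.copyOfRange(buf, start, pos));
    }

    // Returns the outer mechanism OID, then the mechTypes the client offers, in order.
    static List<Oid> mechanisms(byte[] token) throws GSSException {
        NegotiateTokenPeek p = new NegotiateTokenPeek(token);
        List<Oid> oids = new ArrayList<>();
        p.expect(0x60);                  // [APPLICATION 0]: GSS-API initial context token
        oids.add(p.readOid());           // thisMech
        p.expect(0xa0); p.expect(0x30);  // [0] NegTokenInit, then its SEQUENCE
        p.expect(0xa0);                  // [0] mechTypes
        int len = p.expect(0x30);        // SEQUENCE OF OBJECT IDENTIFIER
        for (int end = p.pos + len; p.pos < end; ) oids.add(p.readOid());
        return oids;
    }

    public static void main(String[] args) throws GSSException {
        for (Oid oid : mechanisms(Base64.getDecoder().decode(PREFIX))) System.out.println(oid);
    }
}
```

For the posted prefix the outer mechanism is 1.3.6.1.5.5.2 (SPNEGO) and the offered mechTypes are 1.2.840.48018.1.2.2, 1.2.840.113554.1.2.2 (Kerberos 5) and 1.3.6.1.4.1.311.2.2.10. The client principal sits in the encrypted part of the Kerberos ticket, so it can only be obtained from context.getSrcName() after acceptSecContext has established the context, not by parsing the token.
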
                        • 9. Re: Unsupported mechanism requested
                          843810
                          You will want to take a look at the source code for this http://spnego.sourceforge.net/api project. It does some of the things you are looking to do.

                          Edited by: patdgonzalez@yahoo.com on Oct 18, 2009 11:07 AM