2 Replies Latest reply: Jul 2, 2009 12:28 PM by 843810

    How do I use Kerberos Auth in Java 6?

    843810
      Hi,

      I have a problem with the Kerberos authentication. I have a simple class that tries to connect to an LDAP server using Kerberos. It works great when I use java 5, but with java 6 it fails.

      Here is part of the code:
              // JAAS and Kerberos configuration files used by Krb5LoginModule
              System.setProperty("java.security.auth.login.config", "/etc/login.conf");
              System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
      
              System.out.println("Trying to login using kerberos...");
              // loginContextName is the name of the entry in /etc/login.conf
              KerberosCallbackHandler kerberosCallbak = new KerberosCallbackHandler();
              LoginContext loginContext = new LoginContext(loginContextName, kerberosCallbak);
              loginContext.login();
      
              System.out.println("Login succeeded");
              //Login succeeds on both java 5 and java 6
      
              // Run the LDAP bind with the Kerberos credentials of the logged-in Subject
              Subject.doAs(loginContext.getSubject(), new JndiAction());
              System.out.println("Connected through Kerberos successfully");
      The failure happens in the JndiAction:
          import java.security.PrivilegedExceptionAction;
          import java.util.Hashtable;
          import javax.naming.Context;
          import javax.naming.ldap.InitialLdapContext;

          // Inner class of KerberosAuth; user, domain and url are fields of the enclosing class
          public class JndiAction implements PrivilegedExceptionAction<Integer>
          {
              public Integer run() throws Exception
              {
                  // Only printed here: with GSSAPI the principal comes from the Subject, not from env
                  String username = user + "@" + domain;
                  System.out.println("User to connect to Kerberos is " + username);
                  System.out.println("Provider URL is: " + url);
      
                  Hashtable<String, String> env = new Hashtable<String, String>();
                  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                  env.put("java.naming.ldap.derefAliases", "finding");
                  env.put(Context.PROVIDER_URL, url);
                  // SASL GSSAPI bind: JNDI requests a Kerberos ticket for ldap/<host of url>
                  env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                 
                  System.out.println("Trying to create context...");
                  new InitialLdapContext(env, null);
                  return 0;
              }
          }
      An exception occurs when calling new InitialLdapContext:
      Exception in thread "main" java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Unknown Source)
              at KerberosAuth.connectKerberos(KerberosAuth.java:71)
              at KerberosAuth.main(KerberosAuth.java:29)
      Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
              at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
              at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
              at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
              at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
              at javax.naming.InitialContext.init(Unknown Source)
              at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
              at KerberosAuth$JndiAction.run(KerberosAuth.java:155)
              at KerberosAuth$JndiAction.run(KerberosAuth.java:1)
              ... 4 more
      Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
              at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
              ... 18 more
      Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
              at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              ... 19 more
      Caused by: KrbException: Server not found in Kerberos database (7)
              at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
              at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
              at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
              ... 22 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
              ... 27 more
      I want to emphasize that the login function did succeed, and that I try to connect to the same server with the same username and password and same configuration. With java 5 it works, with java 6 it does not.

      Does anybody know what I should do to solve this problem?

      TIA,
      Dikla
        • 1. Re: How do I use Kerberos Auth in Java 6?
          843810
          What kind of LDAP server are you connecting to?
          This cannot be debugged without knowing more information, such as the LDAP URL etc.

          The Kerberos error "No valid credentials provided (Mechanism level: Server not found in Kerberos database)" can have a couple of different causes:
          a) the service principal name is formatted incorrectly or not recognized by the KDC
          b) attempting cross-realm auth without the correct config in krb5.conf

          But my first recommendation is to submit the username as just "user" not user + "@" + domain;

          The best way to debug these problems is to examine a Kerberos/LDAP TCP packet trace with a tool like Wireshark.
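Putting the original question and the first reply together, the following is a complete program added here as an example; it is not the original poster's code and not code from any project. It logs in through JAAS with a bare user name (no @domain, as the reply recommends; the realm then comes from default_realm in krb5.conf), and inside Subject.doAs it first asks the KDC directly, through JGSS, for a ticket to the LDAP service principal that the JNDI GSSAPI client will request (ldap/<host from the URL>). That step fails with the same KDC error 7 if the SPN is not registered, but it never talks to the LDAP server, so it separates a KDC or SPN problem from an LDAP problem. Only then does it perform the JNDI bind. The LDAP URL ldap.example.com, the JAAS entry name KerberosLogin, and the class name are placeholders; the /etc paths are the ones from the original post. Setting sun.security.krb5.debug prints the AS/TGS exchanges to stdout, which complements the Wireshark suggestion.

```java
import java.io.Console;
import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Expected entry in /etc/login.conf (placeholder name KerberosLogin):
//   KerberosLogin {
//       com.sun.security.auth.module.Krb5LoginModule required;
//   };
public class KerberosLdapExample {
    // Placeholders (assumptions): replace with the real LDAP URL and JAAS entry name.
    static final String LDAP_URL = "ldap://ldap.example.com:389";
    static final String JAAS_ENTRY = "KerberosLogin";
    static final Oid KRB5_MECH_OID;
    static {
        try { KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2"); }
        catch (Exception e) { throw new ExceptionInInitializerError(e); }
    }

    /** Hands Krb5LoginModule the bare user name (no @REALM) and the password. */
    static final class SimpleHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        SimpleHandler(String user, char[] password) { this.user = user; this.password = password; }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Host-based service name the JNDI GSSAPI client requests: ldap@host, i.e. ldap/host in the KDC. */
    static String servicePrincipal(String ldapUrl) {
        return "ldap@" + URI.create(ldapUrl).getHost();
    }

    /** Diagnostic step: obtain a service ticket for the LDAP SPN via JGSS without contacting LDAP. */
    static void checkServiceTicket(String ldapUrl) throws Exception {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(servicePrincipal(ldapUrl), GSSName.NT_HOSTBASED_SERVICE);
        // Credentials come from the Subject of the enclosing doAs (useSubjectCredsOnly defaults to true).
        GSSContext ctx = mgr.createContext(target, KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
        ctx.initSecContext(new byte[0], 0, 0); // sends the TGS-REQ; KDC error 7 surfaces here if the SPN is unknown
        ctx.dispose();
    }

    /** The real SASL/GSSAPI bind. No SECURITY_PRINCIPAL is set: the identity is the Subject's ticket. */
    static void bind(String ldapUrl) throws Exception {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf"); // ask for integrity and confidentiality on the LDAP channel
        LdapContext ctx = new InitialLdapContext(env, null);
        ctx.close();
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from a terminal): java KerberosLdapExample <user>");
            return;
        }
        System.setProperty("java.security.auth.login.config", "/etc/login.conf");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("sun.security.krb5.debug", "true"); // prints AS-REQ/TGS-REQ details to stdout

        char[] password = console.readPassword("Password for %s: ", args[0]);
        LoginContext lc = new LoginContext(JAAS_ENTRY, new SimpleHandler(args[0], password));
        lc.login();
        java.util.Arrays.fill(password, '\0');
        Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                checkServiceTicket(LDAP_URL);
                System.out.println("KDC issued a ticket for " + servicePrincipal(LDAP_URL));
                bind(LDAP_URL);
                System.out.println("GSSAPI bind to " + LDAP_URL + " succeeded");
                return null;
            }
        });
        lc.logout();
    }
}
```

If checkServiceTicket already fails with "Server not found in Kerberos database (7)", the LDAP server is not involved: the host name in the URL has to be the one under which the server's ldap/ SPN is registered in the KDC (a short name, an alias, or a load-balancer name in the URL is the usual reason), or the realm mapping for that host is missing from krb5.conf, which covers case (b) in the reply above. If that step succeeds and only bind fails, the problem is on the LDAP side of the SASL exchange.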
          • 2. Re: How do I use Kerberos Auth in Java 6?
            843810
            Thanks, it was a network problem.