1 Reply Latest reply: Aug 21, 2007 10:04 AM by 843810

    Server not found in Kerberos database (7)

    843810
      Hi!

      Running the examples from
      http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab
      works fine for me as long as I use the Kerberos test realm I have set up on a unix machine. But when I run the same classes against our Active Directory, the client spills a stacktrace, indicating that AD cannot find the server in its database. But it actually is in that database, as the sample server can perfectly authenticate as exactly that principal!

      Enabling all security-related debug info I could find, this is the client dump:
      $ java -Djava.security.auth.login.config=jaas-krb5.conf
           -Djava.security.krb5.kdc=##KDC##
           -Djava.security.krb5.realm=##REALM##
           -Dsun.security.jgss.debug=true
           -Dsun.security.krb5.debug=true
           -Djava.security.debug="logincontext,policy,scl,gssloginconfig"
           GssClient host ##SERVER##
      scl:  getPermissions ProtectionDomain  (file:/xxxxx/ <no signer certificates>)
       sun.misc.Launcher$AppClassLoader@11b86e7
       <no principals>
       java.security.Permissions@1a46e30 (
       (java.io.FilePermission \xxxxx\- read)
       (java.lang.RuntimePermission exitVM)
      )
      
      
      scl:
      Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is xxxxx tryFirstPass is true useFirstPass is false storePass is false clearPass is false
      Acquire TGT from Cache
      
      KinitOptions cache name is C:\xxxxx
      Acquire default native Credentials
      Obtained TGT from LSA: Credentials:
      client=##USER##@##REALM## server=krbtgt/##REALM##@##REALM## authTime=20070705103930Z startTime=20070705103930Z endTime=20070705203930Z renewTill=20070712103930Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 23
      Principal is ##USER##@##REALM##
      [Krb5LoginModule] authentication succeeded
      [LoginContext]: login success
      Commit Succeeded
      [LoginContext]: commit success
      Authenticated principal: [##USER##@##REALM##]
      Connected to address ##SERVER##/xxxxx xxxxx
      create server name with host@##SERVER##
      Search Subject for Kerberos V5 INIT cred (<<DEF>>, sun.security.jgss.krb5.Krb5InitCredential)
      Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul 05 20:39:30 GMT 2007
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Found ticket for ##USER##@##REALM## to go to krbtgt/##REALM##@##REALM## expiring on Thu Jul 05 20:39:30 GMT 2007
      Service ticket not found in the subject
      Credentials acquireServiceCreds: same realm
      Using builtin default etypes for default_tgs_enctypes default etypes for default_tgs_enctypes: 3 1 23 16 17.
      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbKdcReq send: kdc=##KDC## UDP:88, timeout=30000, number of retries =3, #bytes=1328
      KDCCommunication: kdc=##KDC## UDP:88, timeout=30000,Attempt =1, #bytes=1328
      KrbKdcReq send: #bytes read=101
      KrbKdcReq send: #bytes read=101
      KDCRep: init() encoding tag is 126 req type is 13
      KRBError:
               sTime is Thu Jul 05 14:43:05 GMT 2007 1183646585000
               suSec is 487997
               error code is 7
               error Message is Server not found in Kerberos database
               realm is ##REALM##
               sname is host/##SERVER##
               msgType is 30
      KrbException: Server not found in Kerberos database (7)
              at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
              at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
              at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
              at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              at GssClient$GssClientAction.run(GssClient.java:171)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Unknown Source)
              at Jaas.loginAndAction(Jaas.java:94)
              at GssClient.main(GssClient.java:97)
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
              ... 13 more
      Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Unknown Source)
              at Jaas.loginAndAction(Jaas.java:94)
              at GssClient.main(GssClient.java:97)
      Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
              at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
              at GssClient$GssClientAction.run(GssClient.java:171)
              ... 4 more
      Caused by: KrbException: Server not found in Kerberos database (7)
              at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
              at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
              at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
              at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
              ... 8 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.init(Unknown Source)
              at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
              ... 13 more
      Why's AD claiming in the KRBError that it can't find a sname/realm which exactly matches the principal it accepted for the server? This totally confuses me! Can anyone please shed some light on this?

      Regards
        • 1. Re: Server not found in Kerberos database (7)
          843810
          It works now!!!

          The exact procedure is:
          - Create a new user in AD with an arbitrary name <username>. Use the same name in "User Logon Name", "User Logon Name (pre Win2K)" and "First Name" (odd, isn't it?).
          - Set the password, deactivate "User has to change the password at first logon", and activate "Password never expires"
          - Create a mapping for the service name by entering into the command line: ktpass -princ "<protocol>/<fqdn>@<realm>" -mapuser "<username>@<realm>" -pass "*" -out dummy.keytab
          - Check that the mapping is set and unique; use adsiedit.msc (Windows Support Tools).
          - Now you can use the Java tool ktab to create your own keytab as usual and go.

          But it is a science in its own right to correctly configure an Active Directory, especially for use with Kerberos. In particular, error messages are hardly useful (as is generally the case in the Kerberos world). It may help to read:
          http://www.microsoft.com/downloads/details.aspx?FamilyID=99b0f94f-e28a-4726-bffe-2f64ae2f59a2&DisplayLang=en
          and
          http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1&displaylang=en

          Have fun!
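A check that follows from the procedure in the reply above: once ktab has written the keytab, confirm that it really holds a key for the exact service principal the client will ask the KDC for (the KRBError above shows sname host/##SERVER## in realm ##REALM##) and for an enctype the client negotiates (the trace shows EType 23, RC4-HMAC). This is an added example, not code from the thread; it parses the 0x0502 keytab layout that Java's ktab writes, never exposes key bytes, and runs against a constructed sample entry with an all-zero key and the hypothetical SPN host/server.example.com@EXAMPLE.COM.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"  # format written by Java's ktab and MIT kadmin

def build_entry(principal, etype, key, kvno, name_type=1):
    """Encode one keytab entry; used here only to construct sample data."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))                # v2: realm not counted
    for s in [realm] + comps:                           # counted octet strings
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, time, vno8
    body += struct.pack(">HH", etype, len(key)) + key       # keyblock
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, etype), ...]; key material is never exposed."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        def counted():                # uint16 length prefix + bytes
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            s = data[pos + 2:pos + 2 + n].decode()
            pos += 2 + n
            return s
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        kvno = struct.unpack_from(">IIB", data, pos)[2]       # 8-bit kvno
        etype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen              # skip over the key bytes
        if end - pos >= 4:            # optional 32-bit kvno overrides vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def has_key_for(data, principal, etype):  # exact, case-sensitive SPN match
    return any(p == principal and e == etype for p, _, e in parse_keytab(data))

# Constructed sample: one all-zero RC4-HMAC (etype 23) key for the SPN, kvno 3
SAMPLE_KEYTAB = KEYTAB_VERSION + build_entry("host/server.example.com@EXAMPLE.COM", 23, bytes(16), 3)
```

Run `has_key_for(open("my.keytab", "rb").read(), "host/<fqdn>@<REALM>", 23)` against the file ktab produced; a False result means the KDC's sname and your keytab disagree (case, realm or enctype) before you ever reach the "Server not found" stage.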