2 Replies. Latest reply: Sep 28, 2011 11:36 AM by 775041

    Kerberos Login seems to work, still gets rejected

    873424
      I've got a Java client app and a Java server app, and I'm trying to authenticate to the server via Kerberos. The client basically uses Apache http-components and SPNEGO to make an HTTP GET call, but I always get 401 Unauthorized as a result.

      I cannot spot the error in the Kerberos login sequence below, maybe you guys can:



      Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Kerberos-Benutzername [GP_Myuser]: GP_Myuser@EESERV.LOCAL
      Kerberos-Passwort für GP_Myuser@EESERV.LOCAL:
      [Krb5LoginModule] user entered username: GP_Myuser@EESERV.LOCAL

      default etypes for default_tkt_enctypes: 23.
      Acquire TGT using AS Exchange
      default etypes for default_tkt_enctypes: 23.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=144
      KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=144
      KrbKdcReq send: #bytes read=181
      KrbKdcReq send: #bytes read=181
      KdcAccessibility: remove atlnztdc01.eeserv.local:88
      KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
      sTime is Tue Jul 05 16:28:31 CEST 2011 1309876111000
      suSec is 250145
      error code is 25
      error Message is Additional pre-authentication required
      realm is EESERV.LOCAL
      sname is krbtgt/EESERV.LOCAL
      eData provided.
      msgType is 30
      Pre-Authentication Data:
      PA-DATA type = 11
      PA-ETYPE-INFO etype = 23
      PA-ETYPE-INFO salt =
      Pre-Authentication Data:
      PA-DATA type = 19
      PA-ETYPE-INFO2 etype = 23
      PA-ETYPE-INFO2 salt = null
      Pre-Authentication Data:
      PA-DATA type = 2
      PA-ENC-TIMESTAMP
      Pre-Authentication Data:
      PA-DATA type = 16
      Pre-Authentication Data:
      PA-DATA type = 15
      AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
      default etypes for default_tkt_enctypes: 23.
      KrbAsReq salt is EESERV.LOCALGP_Myuser
      default etypes for default_tkt_enctypes: 23.
      Pre-Authenticaton: find key for etype = 23
      AS-REQ: Add PA_ENC_TIMESTAMP now
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=222
      KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=222
      KrbKdcReq send: #bytes read=1450
      KrbKdcReq send: #bytes read=1450
      KdcAccessibility: remove atlnztdc01.eeserv.local:88
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbAsRep cons in KrbAsReq.getReply GP_Myuser
      default etypes for default_tkt_enctypes: 23.
      principal is GP_Myuser@EESERV.LOCAL
      EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D F9 1C A6 3B 94 7B 27 B3 6C D7 E5 70 77 84 22 =...;..'.l..pw."

      Commit Succeeded

      Found ticket for GP_Myuser@EESERV.LOCAL to go to krbtgt/EESERV.LOCAL@EESERV.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 23.
      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=1452
      KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=1452
      KrbKdcReq send: #bytes read=1436
      KrbKdcReq send: #bytes read=1436
      KdcAccessibility: remove atlnztdc01.eeserv.local:88
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbApReq: APOptions are 00100000 00000000 00000000 00000000
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      Krb5Context setting mySeqNumber to: 512880730
      Created InitSecContextToken:
      0000: 01 00 6E 82 05 51 30 82 05 4D A0 03 02 01 05 A1 ..n..Q0..M......
      0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 04 ......... ......
      0020: 6E 61 82 04 6A 30 82 04 66 A0 03 02 01 05 A1 0E na..j0..f.......
      0030: 1B 0C 45 45 53 45 52 56 2E 4C 4F 43 41 4C A2 24 ..EESERV.LOCAL.$
      0040: 30 22 A0 03 02 01 00 A1 1B 30 19 1B 04 48 54 54 0".......0...HTT
      0050: 50 1B 11 61 6C 66 2D 74 65 73 74 2E 65 6C 69 6E P..alf-test.server
      0060: 2E 63 6F 6D A3 82 04 27 30 82 04 23 A0 03 02 01 .com...'0..#....

      05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
      INFO: I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond
      05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
      INFO: Retrying request
      ----------------------------------------
      HTTP/1.1 401 Unauthorized
      ----------------------------------------
      <html><head>
      <meta http-equiv="Refresh" content="0; url=/share/page?pt=login">
      </head><body><p>Please log in.</p>
      </body></html>

      ----------------------------------------
        • 1. Re: Kerberos Login seems to work, still gets rejected
          Weijun
          Everything looks fine on the client side. Can you find some server-side log? Maybe the server's service name is not HTTP/alf-test.server.com? Or your keytab file on the server side has something wrong?
          • 2. Re: Kerberos Login seems to work, still gets rejected
            775041
            Hello,

            I don't know whether you have already solved your Kerberos issue, but I can give you a possible solution.
            Recently I migrated the JRockit version to jrockit-jdk1.6.0_26-R28.1.4-4.0.1 and my settings stopped working too. Almost the same problem you have described.
            When I rolled back that change, meaning I switched back to the previous JRockit, which is jrockit-jdk1.6.0_20-R28.1.0-4.0.1, everything started working again.

            So... try a different JRockit version. I'm still trying to solve the problem with the new JRockit because it solved another problem of mine.

            Rgds,
            Waldemar Thiel

            P.S. The funniest part is that the problem is on the PROD environment, but the new JRockit and Kerberos (SSO) are working fine on PRE ;-)

            Edited by: Waldemar Thiel on 2011-09-28 18:36