1 Reply. Latest reply: Jul 18, 2011 12:15 PM by 876122

    Attempting to use SPNEGO with SSO and Kerberos

    744624
      Hi,
      I'm trying to use SPNEGO to see if I can SSO my way into our Active Directory in a Kerberos way.

      I've followed the tutorial in helloKDC and requested my SPO team to register my computer name with a pre-auth user name (as my computer will be the server in development, naturally),
      but I still get:

      Exception in thread "main" javax.security.auth.login.LoginException: null (68)
           at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
           at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
           at HelloKDC.main(HelloKDC.java:48)
      Caused by: KrbException: null (68)
           at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
           at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
           at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
           at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
           at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
           ... 12 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
           at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
           at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
           at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
           at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
           ... 16 more

      I know the password is correct, as we use these credentials to log in to LDAP.

      My krb5.conf is:
      [libdefaults]
           default_realm = FNX.DOMAIN
           default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
           default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
           permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

      [realms]
           FNX.DOMAIN = {
                kdc = hq.corp.phoenix.co.il
                default_domain = FNX.DOMAIN
           }

      [domain_realm]
           .FNX.DOMAIN = FNX.DOMAIN


      I also understand that WebSphere itself has its own SPNEGO library.

      At the end of the day I need to integrate this into the Shiro authentication mechanism, but currently I can't even get the ticket itself.
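
    Added example, not part of the original post and not code from the JDK or any SPNEGO library: a small krb5.conf linter run over a constructed copy of the [libdefaults] and [realms] sections posted above. It flags enctypes deprecated by RFC 6649 and RFC 8429, and applies a heuristic (an assumption that the KDC host lives in the DNS domain matching the realm name, as is usual for Active Directory) that is worth checking when the KDC answers with error 68, which RFC 4120 defines as KDC_ERR_WRONG_REALM. The names parse_krb5_conf, lint and SAMPLE_KRB5_CONF are hypothetical.

```python
# Constructed sample: the [libdefaults] and [realms] values posted above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = FNX.DOMAIN
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]
    FNX.DOMAIN = {
        kdc = hq.corp.phoenix.co.il
        default_domain = FNX.DOMAIN
    }
"""
# Deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4-HMAC (RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}

def parse_krb5_conf(text):
    """Return {section: {key: value}}; keys inside a realm block become 'REALM/key'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                 # start of a per-realm block
                block = key
            else:
                conf[section][f"{block}/{key}" if block else key] = value
    return conf

def lint(conf):
    findings, lib = [], conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append(("weak-enctype", key, weak))
    realm = lib.get("default_realm", "")
    kdc = conf.get("realms", {}).get(f"{realm}/kdc", "")
    # Heuristic (assumption): the KDC's DNS name normally ends with the realm name.
    if kdc and not kdc.lower().split(":")[0].endswith(realm.lower()):
        findings.append(("realm-kdc-mismatch", realm, kdc))
    return findings
```

    A realm-kdc-mismatch finding is only a prompt to confirm the real realm name with the directory administrators; it does not by itself establish what the correct value is.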