
Re: Could you help me to resolve the Kerberos error?


Vipin Rathor
Jun 20, 2013, 2:08:00 AM
to Zhutiemin, kerb...@mit.edu
Your application is looking for a service principal (misspelled?) which
does not exist in the keytab and/or the KDC database.
Also, it will be helpful for all of us if you can state the scenario
that you are trying and the setup that you have.

On Thu, Jun 20, 2013 at 10:31 AM, Zhutiemin <zhut...@huawei.com> wrote:
> Dear MIT Kerberos Team:
>
> My name is Tiemin Zhu, I am a software engineer at Huawei Corporation.
>
> I am getting the following error with Kerberos authentication. Could you help me to resolve this error?
> The result of LDAP authentication is OK, though.
>
> Is this the configuration error in AD?
>
> Do you have any document I could study?
>
> Thanks so much!
>
> This is the error:
> [2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
> at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
> at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> at javax.naming.InitialContext.init(Unknown Source)
> at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Unknown Source)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
> at java.util.concurrent.FutureTask.run(Unknown Source)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> ... 32 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> ... 33 more
> Caused by: KrbException: Server not found in Kerberos database (7)
> at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
> at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> ... 36 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>
>
> Best regards!
>
> phone. +86 02989184490
> mobile. +86 15249061480
> email. z...@huawei.com
> Tiemin Zhu
>
>
>
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



--
-Rathor

Douglas E. Engert
Jun 20, 2013, 10:20:27 AM
to kerb...@mit.edu


On 6/20/2013 4:30 AM, Zhutiemin wrote:
> Vipin:
>
> Thank you very much for the reply.
>
> I find that there are some errors in the Windows Application log.
>
> Could you tell me how to resolve it?


Based on your java trace back, it looks like you are trying to use LDAP.
And this message indicates that the LDAP server is on cxt23001.china.huawei.com

Normally the service principal name used by LDAP would be ldap/cxt23001.china.huawei.com
but the Java trace back says it is trying HOST/CXT23001.china.huawei.com

Why Java LDAP is using HOST is strange.

Look at the AD entry for cxt23001$ and look at the servicePrincipalName entries.

Also see:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx

And how Java GSS with Ldap should work...
http://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html
>
>
> This is the error log:
> The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cxt23001$. The target name used was HOST/CXT23001.china.huawei.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
> This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CHINA.HUAWEI.COM) is different from the client domain (CHINA.HUAWEI.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Darek
Jun 20, 2013, 10:26:39 AM
to Zhutiemin, kerb...@mit.edu
> Server not found in Kerberos database

You should make sure that the forward and reverse DNS for your java
application machine's IP address match, and that the hostname of the
system is exactly the same as the reverse DNS.

So if your system's IP is 1.2.3.4, a reverse DNS lookup would resolve to
java.company.com, and the system's hostname would be java.company.com.
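A small diagnostic in the spirit of the two replies above (Engert's check of which account carries the ldap/ SPN, and Darek's forward/reverse DNS check), added here as an example and not code from the thread. The DNS tables, account names and SPN values are constructed sample data, and `diagnose` assumes, as Engert describes, that a GSSAPI LDAP client requests the SPN ldap/<URL host>; it also flags the case where the URL host is an IP literal, since no ldap/<fqdn> SPN can be derived from it.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample data (assumption, not from the thread): DNS tables and the
# servicePrincipalName values of two AD accounts in the realm.
DNS_FORWARD = {"cxt23001.china.huawei.com": ["10.0.0.5"]}
DNS_REVERSE = {"10.0.0.5": "cxt23001.china.huawei.com."}
SPN_REGISTRY = {
    "CXT23001$": ["HOST/CXT23001.china.huawei.com", "HOST/CXT23001"],
    "svc-ldap": ["ldap/cxt23001.china.huawei.com"],
}


def expected_ldap_spn(ldap_url):
    """SPN a GSSAPI LDAP client is expected to request: ldap/<url host>."""
    host = (urlparse(ldap_url).hostname or "").rstrip(".").lower()
    return "ldap/" + host


def spn_owners(spn, registry):
    """Accounts on which spn is registered; SPNs compare case-insensitively."""
    return [acct for acct, spns in registry.items()
            if spn.lower() in (s.lower() for s in spns)]


def check_dns(hostname, forward, reverse):
    """Darek's check: every address of hostname must reverse-resolve to it."""
    problems = []
    addrs = forward.get(hostname, [])
    if not addrs:
        problems.append(f"no forward DNS record for {hostname}")
    for ip in addrs:
        ptr = reverse.get(ip, "").rstrip(".").lower()
        if ptr != hostname:
            problems.append(f"{ip} reverses to {ptr!r}, not {hostname}")
    return problems


def diagnose(ldap_url, registry=SPN_REGISTRY, forward=DNS_FORWARD, reverse=DNS_REVERSE):
    """Return a list of findings; an empty list means SPN and DNS look consistent."""
    spn = expected_ldap_spn(ldap_url)
    host = spn.split("/", 1)[1]
    try:
        ip_address(host)  # an IP literal in the URL cannot map to ldap/<fqdn>
        return [f"LDAP URL host {host} is an IP literal: no ldap/<fqdn> SPN can be derived"]
    except ValueError:
        pass
    findings = check_dns(host, forward, reverse)
    owners = spn_owners(spn, registry)
    if not owners:
        findings.append(f"{spn} is registered on no account: KDC answers 'Server not found in Kerberos database'")
    elif len(owners) > 1:
        findings.append(f"{spn} is registered on {owners}: duplicate SPN, expect KRB_AP_ERR_MODIFIED")
    return findings
```

Replace the sample tables with the output of your own resolver and of a servicePrincipalName query against AD to run it against a real environment.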

Douglas E. Engert
Jun 21, 2013, 10:22:22 AM
to kerb...@mit.edu
For an example of a java client using GSSAPI to authenticate to LDAP
(including AD and OpenLDAP servers) look at the JXplorer package and source.

Also see:
http://old.nabble.com/Problem-using-Jxplorer-wih-GSSAPI-td24837250.html

On Windows you need a krb5.ini listing the KDCs.

Can you also specify what OS, Java versions and LDAP are being used for the
client, KDCs and LDAP servers.

See inline comment below too.

On 6/20/2013 8:28 PM, Zhutiemin wrote:
> PS:
> But when I use the simple LDAP protocol, the result is ok.
> So I suspect that there is some incorrect configuration in AD.
>
> I want to know what is the requirement of the Kerberos authentication, especially the configuration of AD and DNS.
>
> Thank you very much!
>
> The following section of code is a part of the entire project:
>
> LdapContext ctx = null;
> String ldapURL = "ldap://" + adIp + ":" + DEFAULT_NON_SEC_PORT;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, ldapURL);
> env.put(Context.SECURITY_AUTHENTICATION, "simple");
> env.put(Context.SECURITY_PRINCIPAL, adminAccount);
> env.put(Context.SECURITY_CREDENTIALS, adminPassword);
> env.put("java.naming.ldap.attributes.binary", "objectSid");
>
> ctx = new InitialLdapContext(env, null);
>
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> String searchFilter = "(CN=" + machineName + ")";
>
> NamingEnumeration<SearchResult> results = ctx.search(changeDomainInfo(domain), searchFilter, constraints);
>
> while (results.hasMoreElements())
> {
>     SearchResult searchResult = (SearchResult)results.next();
>     Attributes attrs = searchResult.getAttributes();
>
>     if (attrs != null)
>     {
>         Object attValue = attrs.get("objectSid").get();
>         return getSIDasStringOfBytes((byte[])attValue);
>     }
> }
> From: Zhutiemin
> Sent: June 21, 2013 9:19
> To: 'Darek'
> Cc: kerb...@mit.edu
> Subject: RE: Could you help me to resolve the Kerberos error?
>
> Darek:
> Thank you for your reply.
>
> I will check the and conduct an experiment to test it.
>
> I use Krb5LoginModule class to authenticate users using Kerberos protocols
>
> It is defined in the configuration
>
> AdServiceImplForKerberos {
> com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=FALSE refreshKrb5Config=TRUE;
> };
>
> And I implement the authentication by LoginContext class
>
> The following section of code is a part of the entire project:
>
> LdapContext ctx = null;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, ldapURL);
> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
> env.put(Context.SECURITY_PRINCIPAL, adminAccount);
> env.put(Context.SECURITY_CREDENTIALS, adminPassword);

Why the admin principal and password here?

Normally GSSAPI uses existing credentials (Kerberos tickets) that the user has
already obtained during login, by using the windows runas or by using kinit.


> env.put("java.naming.ldap.attributes.binary", "objectSid");
> SearchControls constraints = new SearchControls();
> constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
> String searchFilter = "(CN=" + machineName + ")";
> NamingEnumeration<SearchResult> results =
>     ctx.search(changeDomainInfo(domain), searchFilter, constraints);
> while (results.hasMoreElements())
> {
>     SearchResult searchResult = (SearchResult)results.next();
>     Attributes attrs = searchResult.getAttributes();
>
>     if (attrs != null)
>     {
>         Object attValue = attrs.get("objectSid").get();
>         return getSIDasStringOfBytes((byte[])attValue);
>     }
> }
>
>
> From: Darek [mailto:fafa...@gmail.com]
> Sent: June 20, 2013 22:27
> To: Zhutiemin
> Cc: kerb...@mit.edu

Douglas E. Engert
Jun 21, 2013, 10:43:31 AM
to kerb...@mit.edu
Here is another good example of java ldap and gssapi and JAAS:

http://code.google.com/p/vt-middleware/wiki/vtldap

The VTLDAP package is used with Shibboleth...


On 6/20/2013 8:19 PM, Zhutiemin wrote:
> Darek:
> Thank you for your reply.
>
> I will check the and conduct an experiment to test it.
>
> I use Krb5LoginModule class to authenticate users using Kerberos protocols
>
> It is defined in the configuration
>
> AdServiceImplForKerberos {
> com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=FALSE refreshKrb5Config=TRUE;
> };
>
> And I implement the authentication by LoginContext class
>
> The following section of code is a part of the entire project:
>
> LdapContext ctx = null;
>
> Hashtable<String, String> env = new Hashtable<String, String>();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, ldapURL);
> env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
> env.put(Context.SECURITY_PRINCIPAL, adminAccount);
> env.put(Context.SECURITY_CREDENTIALS, adminPassword);

vaniyel...@gmail.com
Jul 7, 2015, 12:55:55 AM
Hi, please help on this.

I am new to this and I am getting the following error.
[10] issueHttpRequest [POST][http://localhost/Echo7.2/Echo.asmx][HTTP/1.1]
[12] StreamingContentWriter: Content type is [text/xml;charset=UTF-8]
[276] GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:710)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
Caused by: KrbException: Server not found in Kerberos database (7)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:311)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:442)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
... 97 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
... 103 more