
Silent Kerberos authentication (SASL-JGSS) does not work for a non-default realm


jshe...@gmail.com

Dec 14, 2007, 11:54:16 AM
to jshe...@nexjsystem.com
I am trying to use Kerberos authentication to query an LDAP directory
(e.g. Microsoft AD) through JNDI, using IBM JDK (stand-alone or within
WebSphere, version 6.1.0.11), running on Windows 2003 server (SP 2).
It all works, until I try silent SSO (useDefaultCcache=true) when the
process user belongs to a Kerberos realm different from the Kerberos
default_realm. In this case, Kerberos authentication goes fine, but I
get a "No credential" exception within the privileged action, querying
LDAP:
-------
;Cause: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:30)
at com.ibm.security.jgss.mech.krb5.p.a(p.java:1081)
at com.ibm.security.jgss.mech.krb5.p.initSecContext(p.java:1022)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:306)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:435)
at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:163)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:120)
-------

My configuration is:

login.config:
------
nexj-kerberos-silent {
com.ibm.security.auth.module.Krb5LoginModule required
useDefaultCcache=true debug=true;
};
------

krb5.conf:
------
[libdefaults]
default_realm = NEXJSYSTEMS.LOCAL
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac

[realms]
NEXJSYSTEMS.LOCAL = {
kdc = nexj-prd-1.nexjsystems.local
}
EXCHANGE-TEST2.LOCAL = {
kdc = yossi2.exchange-test2.local
}

[domain_realm]
.exchange-test2.local = EXCHANGE-TEST2.LOCAL
.nexjsystems.local = NEXJSYSTEMS.LOCAL
-------


One thing in the debug log looks strange:
-------
[JGSS_DBG_CRED] Done retrieving Kerberos creds from cache
[KRB_DBG_KDC] Credentials:main:Client Name:Administrator
...
[JGSS_DBG_CRED] Admini...@NEXJSYSTEMS.LOCAL added to Subject
-------

The user running the process is indeed Administrator, but it is
Admini...@EXCHANGE-TEST2.LOCAL. It seems like Krb5LoginModule adds the
wrong user to the Subject, and JGSS fails to find a TGT for it later.

Did anyone try silent Kerberos authentication against a non-default
realm?

Any help will be appreciated.

Thank you,

Joseph
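The JAAS login plus JNDI GSSAPI bind that the post describes, as an added example (not Joseph's code and not part of the IBM JDK): it logs in through the posted `nexj-kerberos-silent` entry, prints the principal the login module put into the Subject next to the client name of the TGT it pulled from the credential cache (the mismatch the debug log above hints at), and only then performs the SASL/GSSAPI bind inside Subject.doAs, which is where the "No credential" GSSException in the post is thrown. The LDAP URL, base DN and search filter are assumptions, as is the check that the module stores standard KerberosTicket objects as private credentials.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

public class SilentKerberosLdapCheck {

    // Entry name from the login.config quoted in the post.
    private static final String JAAS_ENTRY = "nexj-kerberos-silent";
    // Assumed values; replace with the DC and naming context you actually query.
    private static final String LDAP_URL = "ldap://yossi2.exchange-test2.local:389";
    private static final String BASE_DN  = "DC=exchange-test2,DC=local";
    private static final String FILTER   = "(sAMAccountName=Administrator)";

    public static void main(String[] args) throws Exception {
        // Run with -Djava.security.auth.login.config=login.config
        //          -Djava.security.krb5.conf=krb5.conf
        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();                       // useDefaultCcache=true: no prompt, reads the logon session's ticket cache
        Subject subject = lc.getSubject();

        // Step 1: does the principal the module added to the Subject match the TGT it found?
        // In the post the Subject holds Administrator@NEXJSYSTEMS.LOCAL while the
        // process runs as Administrator@EXCHANGE-TEST2.LOCAL, so this check fails there.
        if (!ticketMatchesPrincipal(subject)) {
            System.err.println("WARNING: no TGT in the Subject is issued to a Subject principal; "
                    + "the GSSAPI bind below will most likely fail with 'No credential'");
        }

        // Step 2: the SASL/GSSAPI bind must run inside the Subject so JGSS can see the TGT.
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, LDAP_URL);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); // Kerberos via SASL
                env.put("javax.security.sasl.qop", "auth");          // authentication only, no sealing

                DirContext ctx = new InitialDirContext(env);        // bind happens here
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] { "distinguishedName", "userPrincipalName" });
                    NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, FILTER, sc);
                    while (results.hasMore()) {
                        SearchResult r = results.next();
                        System.out.println("found: " + r.getNameInNamespace());
                    }
                } finally {
                    ctx.close();
                }
                return null;
            }
        });
        lc.logout();
    }

    /**
     * Prints every Kerberos principal and ticket in the Subject and returns true only if
     * at least one ticket's client name equals one of the Subject's principals.
     * Assumes the login module stores tickets as javax.security.auth.kerberos.KerberosTicket.
     */
    static boolean ticketMatchesPrincipal(Subject subject) {
        boolean match = false;
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("Subject principal: " + p.getName() + " (realm " + p.getRealm() + ")");
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("  ticket client: " + t.getClient().getName()
                        + "  server: " + t.getServer().getName());
                if (t.getClient().equals(p)) {
                    match = true;
                }
            }
        }
        return match;
    }
}
```

With debug=true in the JAAS entry, the module also prints the [JGSS_DBG_CRED] and [KRB_DBG_KDC] lines quoted above, so the "added to Subject" line can be compared directly with the "Ticket client" line this program prints; the bind in step 2 is done under Subject.doAs because JGSS looks for the initiator's TGT among the private credentials of the current Subject, not in the process's credential cache.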
