Submit My Question - Recent Questions - Recent Answer
java >> Security >> Kerberos & Java GSS (JGSS)

GSS: Mechanism level: Failed to find any Kerberos Key

Im attempting to do a GSSAPI SASL authentication (as a server) with a hostname that is exactly the domain name: slushpupie.com . It isnt working, even though the same application works when the hostname has more than one dot (like host.slushpupie.com) Ive managed to reduce the application down to a trivial case just using GSS* classes, which Ive included below.

With debugging turned on, I can see that the keytab is read, and the principal is retrieved from it, but no Keys seem to come out of it.

publicclass GetKeytab{

publicstaticvoid main(String args[]){

try{

System.setProperty("java.security.auth.login.config","gss.conf");

System.setProperty("sun.security.jgss.debug","true");

System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

Oid KRB5_OID =new Oid("1.2.840.113554.1.2.2");

GSSManager mgr = GSSManager.getInstance();

GSSName serviceName= mgr.createName(

args[0],

GSSName.NT_HOSTBASED_SERVICE,

KRB5_OID);

System.out.println("serviceName: "+serviceName.toString());

GSSCredential cred = mgr.createCredential(

serviceName,

GSSCredential.INDEFINITE_LIFETIME,

KRB5_OID,

GSSCredential.ACCEPT_ONLY);

GSSContext secCtx = mgr.createContext(cred);

System.out.println("Context lifetime: "+secCtx.getLifetime());

}catch (Exception e){

e.printStackTrace();

return;

}

}

}

My keytab contains keys for three principals:

Keytab name: FILE:/etc/jabber.keytab

KVNO Principal

- --

3 xmpp/slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)

3 xmpp/slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)

4 xmpp/oak.slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)

4 xmpp/oak.slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)

4 xmpp/maple.slushpupie.com@SLUSHPUPIE.COM (Triple DES cbc mode with HMAC/sha1)

4 xmpp/maple.slushpupie.com@SLUSHPUPIE.COM (DES cbc mode with CRC-32)

My gss.conf looks like this:

com.sun.security.jgss.accept{

com.sun.security.auth.module.Krb5LoginModule required storeKey=true keyTab="/etc/jabber.keytab" doNotPrompt=true useKeyTab=true realm="SLUSHPUPIE.COM" principal="xmpp/slushpupie.com" debug=true;

};

Except that I change the principal to reflect the current test.

When I run it with the hostname oak.slushpupie.com, it works:

$ java GetKeytab xmpp@oak.slushpupie.com

serviceName: xmpp@oak.slushpupie.com

Debug istrue storeKeytrue useTicketCachefalse useKeyTabtrue doNotPrompttrue ticketCache isnull isInitiatortrue KeyTab is /etc/jabber.keytab refreshKrb5Config isfalse principal is xmpp/oak.slushpupie.com tryFirstPass isfalse useFirstPass isfalse storePass isfalse clearPass isfalse

principal's key obtained from the keytab

Acquire TGT using AS Exchange

principal is xmpp/oak.slushpupie.com@SLUSHPUPIE.COM

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: AA BB CC DD EE FF 00 00

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: AA BB CC DD EE FF 00 002F F2 A8 34 F8 A1 C2 D6 ..%z.>../..4....

0010: FE F4 FB 92 5E 89 C8 1F

Added server's keyKerberos Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COMKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=

0000: AA BB CC DD EE FF 00 00

[Krb5LoginModule] added Krb5Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COM to Subject

Added server's keyKerberos Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COMKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=

0000: AA BB CC DD EE FF 00 00 2F F2 A8 34 F8 A1 C2 D6 ..%z.>../..4....

0010: FE F4 FB 92 5E 89 C8 1F

[Krb5LoginModule] added Krb5Principal xmpp/oak.slushpupie.com@SLUSHPUPIE.COM to Subject

Commit Succeeded

Context lifetime: 2147483647

It also works for maple.slushpupie.com, but I wont include the output unless someone wants to see it.

Now, when I switch to just slushpupie.com, I get this:

$ java GetKeytab xmpp@slushpupie.com

serviceName: xmpp@slushpupie.com

Debug istrue storeKeytrue useTicketCachefalse useKeyTabtrue doNotPrompttrue ticketCache isnull isInitiatortrue KeyTab is /etc/jabber.keytab refreshKrb5Config isfalse principal is xmpp/slushpupie.com tryFirstPass isfalse useFirstPass isfalse storePass isfalse clearPass isfalse

principal's key obtained from the keytab

Acquire TGT using AS Exchange

principal is xmpp/slushpupie.com@SLUSHPUPIE.COM

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B6 44 3E B5 C4 02 9E 23

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 83 44 76 08 C8 70 61 469B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2

0010: 4C 44 2F 85 0E 0B 46 5E

Added server's keyKerberos Principal xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=

0000: B6 44 3E B5 C4 02 9E 23

[Krb5LoginModule] added Krb5Principal xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject

Added server's keyKerberos Principal xmpp/slushpupie.com@SLUSHPUPIE.COMKey Version 3key EncryptionKey: keyType=16 keyBytes (hex dump)=

0000: 83 44 76 08 C8 70 61 469B 29 C4 E6 C1 D5 0E 32 .#v..paF.).....2

0010: 4C 44 2F 85 0E 0B 46 5E

[Krb5LoginModule] added Krb5Principal xmpp/slushpupie.com@SLUSHPUPIE.COM to Subject

Commit Succeeded

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:75)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:77)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:45)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at GetKeytab.main(GetKeytab.java:27)

As you can see, the keytab was accessed and it was even able to get a TGT from the KDC. But why couldnt it be used? Something about short hostnames?

[8276 byte] By [sun@slushpupie.coma] at [2008-1-8]
«« sending int buffer from c++ to java
»» Error on StackOverFlow
# 1

You need to specify the principal name with the realm in the JAAS configuration file. The realm option in not required or supported here.

com.sun.security.jgss.accept {

com.sun.security.auth.module.Krb5LoginModule required

principal="service_principal@your_realm"

keyTab=...

useKeyTab=true

storeKey=true;

};

Seema

Seema-1a at 2007-7-12 > top of java,Security,Kerberos & Java GSS (JGSS)...
# 2
I removed the realm option, and made the principal="xmpp/slushpupie.com@SLUSHPUPIE.COM" but it has the same results.
sun@slushpupie.coma at 2007-7-12 > top of java,Security,Kerberos & Java GSS (JGSS)...
# 3
Is the keytab file accessible ? Try listing the contents of your keytab file using klist tool.% klist -e -k <your_keytab>Seema
Seema-1a at 2007-7-12 > top of java,Security,Kerberos & Java GSS (JGSS)...
# 4

Hi, Seema!

I have absolutelly such problem.

Answering your last question: kinit shows in specified keytab file:

C:\Program Files\Java\jdk1.6.0\jre\bin>klist -e -k c:\krb5.keytab

Key tab: c:\krb5.keytab, 1 entry found.

[1] Service principal: HTTP/info038.spnego.ru@SPNEGO.RU

KVNO: 1

Key type: 1

And login.conf contains:

jcifs.spnego.accept {

com.sun.security.auth.module.Krb5LoginModule required debug=true

storeKey=true keyTab="c:\\krb5.keytab" doNotPrompt=true

useKeyTab=true principal="HTTP/info038.spnego.ru@SPNEGO.RU" debug=true;

};

BUT! I can't understand: where is the connection between keytab file and this error?

Program found principal name in keytab file:

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 1F DA 7A 13 16 1F E0 BC

Added server's keyKerberos Principal HTTP/info038.spnego.ru@SPNEGO.RUKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=

0000: 1F DA 7A 13 16 1F E0 BC

[Krb5LoginModule] added Krb5Principal HTTP/info038.spnego.ru@SPNEGO.RU to Subject

Commit Succeeded

and then:

jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException

at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)

at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)

at jcifs.spnego.Authentication.process(Authentication.java:235)

at ru.krb.filter.Negotiate.authenticate(Negotiate.java:49)

at ru.krb.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:203)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

at java.lang.Thread.run(Unknown Source)

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)

... 18 more

Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAsPrivileged(Unknown Source)

... 23 more

Caused by: java.lang.reflect.InvocationTargetException

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:511)

... 25 more

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.add(Unknown Source)

at sun.security.jgss.GSSCredentialImpl.<init>(Unknown Source)

at sun.security.jgss.GSSManagerImpl.createCredential(Unknown Source)

... 30 more

Message was edited by:

Andremon

Andremona at 2007-7-12 > top of java,Security,Kerberos & Java GSS (JGSS)...
# 5

hey, I solved this problem by myself.

It is necessary, that SPN (ServicePrincipalName) for JCIFS configuration (in web.xml for example) was as

"HTTP/<computer account name>.<domainName>.

In my configuration it must be:

<init-param>

<param-name>jcifs.spnego.servicePrincipal</param-name>

<param-value>HTTP/info038.spnego.ru</param-value>

</init-param>

This must solve this problem.

Andremona at 2007-7-12 > top of java,Security,Kerberos & Java GSS (JGSS)...
Security
Kerberos & Java GSS (JGSS)

Security Hot Topic

Security New Topic

Security

Site Classified