Message stream modified... Cross-realm authentication problem?

My simple program:

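import java.io.IOException;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbException;

public class test {
    public static void main(String[] args) throws KrbException, IOException {
        // Load the TGT from the default (native) credentials cache
        Credentials c = Credentials.acquireDefaultCreds();
        System.out.println("default creds: " + c);
        // Ask the KDC for a service ticket using that TGT
        Credentials s = Credentials.acquireServiceCreds("HTTP/test.xxx.xx", c);
        System.out.println("service creds: " + s);
    }
}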

gives me an error for Message stream modified:

>>>KinitOptions cache name is C:\Documents and Settings\user\krb5cc_user

>> Acquire default native Credentials

default creds: Credentials:

client=user@DOMAIN.XXX.XX

server=krbtgt/DOMAIN.XXX.XX@DOMAIN.XXX.XX

authTime=20070516081254Z

startTime=20070516081254Z

endTime=20070516181254Z

renewTill=20070523081254Z

flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT

EType (int): 23

>>> Credentials acquireServiceCreds: same realm

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 3 1 23 16 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

>>> KrbKdcReq send: kdc=domain.xxx.xx TCP:88, timeout=30000, number of retries =3, #bytes=2694

>>>DEBUG: TCPClient reading 2633 bytes

>>> KrbKdcReq send: #bytes read=2633

>>> KrbKdcReq send: #bytes read=2633

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

Exception in thread "main" KrbException: Message stream modified (41)

at sun.security.krb5.KrbKdcRep.check(Unknown Source)

at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)

at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)

at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)

at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)

at test.main(test.java:16)

krb5.conf contains:

[libdefaults]
    default_realm = DOMAIN.XXX.XX
    udp_preference_limit = 1

[realms]
    DOMAIN.XXX.XX = {
        kdc = domain.xxx.xx:88
    }
    SUBDOMAIN.DOMAIN.XXX.XX = {
        kdc = subdomain.domain.xxx.xx:88
    }

[domain_realm]
    test.xxx.xx = SUBDOMAIN.DOMAIN.XXX.XX

[capaths]
    SUBDOMAIN.DOMAIN.XXX.XX = {
        DOMAIN.XXX.XX = .
    }
    DOMAIN.XXX.XX = {
        SUBDOMAIN.DOMAIN.XXX.XX = .
    }

So my user is in the main realm/domain, and the service is in the subdomain. The domains trust each other.

What could be the problem?

I am worried that the debug output contains the line

Credentials acquireServiceCreds: same realm

but it should be trying to acquire a ticket to another realm (the subdomain)?!

[3718 byte] By [eero_a] at [2008-1-9]
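
An added example, not part of the original post and not JDK code: a small check of what the posted krb5.conf itself says about the service host, using the documented krb5.conf conventions ([domain_realm] exact host entry first, then parent-domain entries with a leading dot; a [capaths] value of "." meaning a direct path). The function names are hypothetical, and the client realm is taken from the `client=user@DOMAIN.XXX.XX` line of the debug output.

```python
# Constructed input: the [libdefaults], [domain_realm] and [capaths]
# sections of the krb5.conf posted above ([realms] is not needed here).
KRB5_CONF = """
[libdefaults]
default_realm = DOMAIN.XXX.XX
[domain_realm]
test.xxx.xx = SUBDOMAIN.DOMAIN.XXX.XX
[capaths]
SUBDOMAIN.DOMAIN.XXX.XX ={
DOMAIN.XXX.XX = .
}
DOMAIN.XXX.XX ={
SUBDOMAIN.DOMAIN.XXX.XX = .
}
"""

def parse(text):
    """Parse krb5.conf text into {section: {key: value or {subkey: value}}}."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        else:
            key, _, val = (part.strip() for part in line.partition("="))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block)[key] = val
    return conf

def host_realm(conf, host):
    """[domain_realm] lookup: exact host entry, then '.parent.domain' entries."""
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((table[c] for c in candidates if c in table), None)

def expected_path(conf, client_realm, service_host):
    """Return (service realm, is cross-realm, [capaths] hop from client realm)."""
    default = conf.get("libdefaults", {}).get("default_realm")
    realm = host_realm(conf, service_host) or default  # unmapped host: default realm
    hop = conf.get("capaths", {}).get(client_realm, {}).get(realm)
    return realm, realm != client_realm, hop

if __name__ == "__main__":
    print(expected_path(parse(KRB5_CONF), "DOMAIN.XXX.XX", "test.xxx.xx"))
```

For the posted configuration the result is `('SUBDOMAIN.DOMAIN.XXX.XX', True, '.')`: the file describes a cross-realm request with a direct path, which is the expectation to compare against the "same realm" line in the debug output.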