Krb5LoginModule with useTicketCache=true on Vista
I have to port a Java SSO client (working correctly on W2K) to Vista.
Despite having set allowtgtsessionkey on Vista, the client does not seem to be able to acquire the session key. With a network sniffer on the client I get:
No.   Time      Source         Destination    Protocol  Info
1713  6.357615  138.191.82.26  10.168.24.44   KRB5      KRB Error: KRB5KRB_AP_ERR_BAD_INTEGRITY
Frame 1713 (151 bytes on wire, 151 bytes captured)
Ethernet II, Src: Cisco_94:db:ff (00:0a:41:94:db:ff), Dst: 10.168.24.44 (00:14:c2:0c:41:09)
Internet Protocol, Src: 138.191.82.26 (138.191.82.26), Dst: 10.168.24.44 (10.168.24.44)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 49289 (49289), Seq: 1, Ack: 4091, Len: 97
Kerberos KRB-ERROR
Record Mark: 93 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 0101 1101 = Record Length: 93
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2007-06-19 09:25:27 (Z)
susec: 856008
error_code: KRB5KRB_AP_ERR_BAD_INTEGRITY (31)
Realm: PNET.CH
Server Name (Principal): HTTP/wcbz0115.pnet.ch
Name-type: Principal (1)
Name: HTTP
Name: wcbz0115.pnet.ch
The Java exception is:
client:
[java] Connected to server wcbz0115/10.168.24.84
[java] Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[java] Acquire TGT from Cache
[java] Ticket could not be renewed : This ticket is not renewable
[java] Principal is null
[java] null credentials from Ticket Cache
[java] [Krb5LoginModule] authentication failed
[java] Unable to obtain Princpal Name for authentication
[java] GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
[java]     at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:336)
[java]     at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:131)
[java]     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:72)
[java]     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
[java]     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
[java]     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
[java]     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
[java]     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
[java]     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
[java]     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
[java]     at SampleClient.main(Unknown Source)
[java] Caused by: javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
[java]     at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:689)
[java]     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:599)
[java]     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
[java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[java]     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
[java]     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
[java]     at java.lang.reflect.Method.invoke(Method.java:585)
[java]     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
[java]     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
[java]     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[java]     at java.security.AccessController.doPrivileged(Native Method)
[java]     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
[java]     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[java]     at sun.security.jgss.LoginUtility.login(LoginUtility.java:74)
[java]     at sun.security.jgss.krb5.Krb5Util.getTicketFromSubject(Krb5Util.java:137)
[java]     at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
[java]     at java.security.AccessController.doPrivileged(Native Method)
[java]     at sun.security.jgss.krb5.Krb5InitCredential.getTgtFromSubject(Krb5InitCredential.java:328)
[java]     ... 10 more
[java] Exception in thread "main" GSSException: No valid credentials provided
[java]     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:69)
[java]     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:37)
[java]     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:96)
[java]     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:178)
[java]     at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
[java]     at SampleClient.main(Unknown Source)
BUILD FAILED
C:\WORK\GSS-API\build.xml:38: Java returned: 1
It seems Microsoft restricted access to the LSA API (used by Krb5LoginModule on Windows to obtain the TGT) on Vista:
However, comparing the XP and Vista sources where AllowTgtSessionKey is used, I can see that in the case of Vista additional checking is done which relates to whether the caller (user) is using an LUA (Least User Access) security token, which would be the case if the operation was triggered by a "normal" logged-on user. This would prevent access.
Any idea? Thanks!
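As an added diagnostic (not code from the original post), the following Java program runs the same Krb5LoginModule configuration the debug output above shows (useTicketCache=true, doNotPrompt=true) and then inspects the Subject to report whether the TGT taken from the Windows ticket cache actually carries a session key; the JAAS entry name "SsoClient" and the config file path are assumptions.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added diagnostic, not code from the original post. Assumes it is started with
// -Djava.security.auth.login.config=jaas.conf, where jaas.conf contains the same
// options the debug output shows (the entry name "SsoClient" is an assumption):
//
//   SsoClient {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true doNotPrompt=true debug=true;
//   };
public class TgtSessionKeyCheck {

    /**
     * Looks for a krbtgt ticket among the Subject's private credentials and
     * reports whether it carries a non-empty session key. A TGT handed out by
     * the Windows LSA without its session key cannot be used to request
     * service tickets, which is the case allowtgtsessionkey is meant to fix.
     */
    static String describeTgt(Subject subject) {
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (!t.getServer().getName().startsWith("krbtgt/")) {
                continue;
            }
            byte[] key = t.getSessionKey().getEncoded();
            if (key == null || key.length == 0) {
                return "TGT for " + t.getClient() + " has no session key: the LSA "
                     + "did not release it (allowtgtsessionkey not in effect, or, "
                     + "as the post suggests for Vista, a non-elevated LUA token)";
            }
            return "TGT for " + t.getClient() + " has a " + (key.length * 8)
                 + "-bit " + t.getSessionKey().getAlgorithm() + " session key";
        }
        return "no TGT in the Subject: the ticket cache yielded null credentials";
    }

    public static void main(String[] args) {
        try {
            LoginContext lc = new LoginContext("SsoClient");
            lc.login();
            System.out.println(describeTgt(lc.getSubject()));
        } catch (LoginException e) {
            // With doNotPrompt=true there is no fallback to prompting, so a
            // cache miss surfaces here, as in the stack trace in the post.
            System.err.println("Krb5LoginModule login failed: " + e.getMessage());
        }
    }
}
```

Run it once from a normal user session and once from an elevated prompt to tell the LUA-token case apart from a missing allowtgtsessionkey setting.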