Here is the full code I am using to perform the search.
Hi, I am trying to perform an LDAP search. When I log into LDAP using Kerberos and then try to perform the search, I get this error message:
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.s
asl.SaslException: GSS initiate failed [Caused by GSSException: No valid credent
ials provided (Mechanism level: KDC has no support for encryption type (14))]]
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
Kindly find my code and conf files below.
/-- Krb5.conf
[libdefaults]
default_realm = FGB.AE
[kadmin]
default_keys = v5 arcfour-hmac-md5
[realms]
FGB.AE = {
kdc = administrator
kdc = 172.20.10.9
admin_server = administrator
default_domain = FGB.AE
}
[domain_realm]
.fgb.ae = FGB.AE
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
--//
//-- Jaas.conf
GssConf
{com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true doNotPrompt=true;};
LoginJaas
{com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;};
--//
//-- LoginJaas.java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchResult;
//import principal.JaasRolePrincipal;
import com.sun.security.auth.callback.TextCallbackHandler;
import java.security.PrivilegedAction;
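public class LoginJaas {
    /**
     * Entry point: logs in through the {@code LoginJaas} JAAS entry, prints the
     * authenticated principals, runs the sample sAMAccountName search and logs out.
     *
     * @param args unused
     * @throws Exception if the JAAS login or logout fails
     */
    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "Jaas.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        // The login must actually run: the posted version left lc null and then
        // dereferenced it, which can only throw NullPointerException.
        LoginContext lc = new LoginContext("LoginJaas", new TextCallbackHandler());
        lc.login();
        // Print the principals only. Subject.toString() also dumps the private
        // credentials (the raw Kerberos ticket), which must not be written to stdout.
        System.out.println(lc.getSubject().getPrincipals());
        try {
            samaccountname();
        } finally {
            lc.logout();
        }
    }

    /**
     * Looks up the user whose sAMAccountName is {@code f3482} and prints the
     * search error, if any, that {@code searchLDAP} recorded in {@code modException}.
     */
    public static void samaccountname() {
        actions pSA = new actions();
        pSA.search("f3482", "sAMAccountName");
        if (searchLDAP.modException != null) {
            System.out.print(searchLDAP.modException);
        }
    }
}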
--//
//-- actions.java
import javax.security.auth.Subject;
public class actions {
    /** Performs the Kerberos login whose Subject the search runs under. */
    KerberosaAuth pKA = new KerberosaAuth();

    /**
     * Authenticates with Kerberos and runs an LDAP search for {@code sUserName}
     * on the attribute {@code sFilter} as the authenticated Subject.
     *
     * @param sUserName value to match (the search treats a value containing {@code *} specially)
     * @param sFilter   attribute the value is matched against, e.g. {@code sAMAccountName}
     * @return the string form of what {@code searchLDAP.run()} returned
     */
    public String search(String sUserName, String sFilter) {
        pKA.KerberosAuth();
        searchLDAP action = new searchLDAP(sUserName, sFilter);
        Object outcome = Subject.doAs(pKA.lc.getSubject(), action);
        return outcome.toString();
    }
}
--//
//-- KerberosaAuth.java
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;
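public class KerberosaAuth {
    /********************************************************
     * Kerberos Authentication
     *********************************************************/

    /** Login context of the last successful {@link #KerberosAuth()} call; null before it runs. */
    LoginContext lc = null;

    /**
     * Logs in through the {@code GssConf} JAAS entry (ticket cache, no prompting) and
     * keeps the LoginContext in {@link #lc}.
     * Despite its name this is an ordinary method, not a constructor (the class is
     * spelled {@code KerberosaAuth}), so callers must invoke it explicitly.
     * On failure the error is printed and the JVM exits with status -1, because the
     * callers dereference {@code lc} unconditionally afterwards.
     *
     * NOTE(review): the pasted run shows the ticket taken from the cache with
     * "Session Key = ... Empty Key"; a TGT whose session key is not available to the
     * JVM cannot complete the GSSAPI handshake — confirm how the ticket cache was populated.
     */
    public void KerberosAuth() {
        System.setProperty("java.security.auth.login.config", "Jaas.conf");
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        try {
            lc = new LoginContext("GssConf", new TextCallbackHandler());
            // Attempt authentication
            lc.login();
            // Print only the principals: Subject.toString() also dumps the private
            // credentials (the raw ticket), which should never reach stdout or a log.
            System.out.println(lc.getSubject().getPrincipals());
        } catch (LoginException le) {
            System.err.println("Authentication attempt failed: " + le);
            System.exit(-1);
        }
    }
}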
--//
//-- searchLDAP.java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
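class searchLDAP implements java.security.PrivilegedAction<Object> {
    /** Domain suffix stripped from a group DN before the group is looked up. */
    private static String sRegex = ",DC=fgb,DC=ae";
    /** Only groups whose DN contains this container are reported. */
    private static String sGRegex = ",OU=fgb,OU=HO";
    /** Removed from a group DN for display. */
    private static String ssGRegex = "CN=Users";
    private static String sReplace = "";
    /** Attribute ids fetched for each matching user entry; never modified. */
    private static final String[] USER_ATTR_IDS = {
        "sAMAccountName", "department", "mail", "employeeID", "displayName", "IsAccountLocked"
    };
    private static final String[] GROUP_ATTR_IDS = {"description"};
    private static final String[] CONTROL_ATTR_IDS = {"memberOf", "userAccountControl", "sAMAccountName"};
    /** Shape an attribute description must have before it is spliced into a filter. */
    private static final Pattern ATTRIBUTE_NAME =
        Pattern.compile("[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*|[0-9]+(\\.[0-9]+)*");
    /** userAccountControl bit that marks a disabled account (ACCOUNTDISABLE). */
    private static final long UF_ACCOUNTDISABLE = 0x0002L;

    public String sTRUN = new String();
    public String sFilter = new String();
    /** Relative name of the last entry processed; null once a search starts until an entry is seen. */
    public static String sName = new String();
    public static String sResults = new String();
    public static String ssResults = new String();
    public static String sUserAttrib = "";
    /** String form of the last NamingException; null when the last run hit none. */
    public static String modException;
    public String sTRDN = new String();
    public String sErrorResult = new String();
    /**
     * After each processed entry: a copy of the requested attribute ids, replaced by the
     * entry's values unless the search value contained a wildcard. The id list itself is
     * kept separately so every entry is fetched with the real ids (the posted version
     * overwrote the ids with values after the first entry).
     */
    public static String[] sAttrIDs;
    public static String sSAMField = new String();
    public static String sNameField = new String();
    public static String sDepartmentField = new String();
    public static String sMailField = new String();
    public static String sIsAccountLockedField = new String();
    public static String sEmployeeIDField = new String();

    /**
     * @param ssTRDN   value to match; a value containing {@code *} is treated as a wildcard search
     * @param ssFilter attribute the value is matched against, e.g. {@code sAMAccountName}
     */
    public searchLDAP(String ssTRDN, String ssFilter) {
        sTRDN = ssTRDN;
        sFilter = ssFilter;
    }

    /** Runs the search under the calling Subject and returns {@link #sResults}. */
    public Object run() {
        performSearch(sTRDN, sFilter);
        return sResults;
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515): backslash,
     * parentheses and NUL become {@code \XX} hex escapes. {@code *} is deliberately
     * left alone because callers rely on it as a wildcard.
     *
     * @param value raw assertion value; null is treated as empty
     * @return the escaped value
     */
    static String escapeFilterValue(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * @param userAccountControl decimal text of the userAccountControl attribute
     * @return true when the ACCOUNTDISABLE bit is set; false for unparsable text
     */
    static boolean isAccountDisabled(String userAccountControl) {
        try {
            return (Long.parseLong(userAccountControl.trim()) & UF_ACCOUNTDISABLE) != 0;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Searches OU=Departments for entries whose {@code sFilter} attribute equals
     * {@code sTRDN} and prints each entry's account state and authorization groups.
     * Errors are reported through {@link #modException} / {@link #sErrorResult}, never thrown.
     */
    private void performSearch(String sTRDN, String sFilter) {
        sName = null;
        ssResults = null;
        modException = null;
        sAttrIDs = USER_ATTR_IDS.clone();
        // The attribute name is spliced into the filter verbatim, so only a plain
        // attribute description is accepted.
        if (sFilter == null || !ATTRIBUTE_NAME.matcher(sFilter).matches()) {
            modException = "Rejected filter attribute name: " + sFilter;
            sErrorResult = modException;
            return;
        }
        boolean wildcard = sTRDN != null && sTRDN.contains("*");
        // The value is caller-supplied; escaping keeps it from changing the filter's structure.
        String filter = "(&(" + sFilter + "=" + escapeFilterValue(sTRDN) + ")(!(objectclass=computer)))";

        Hashtable<String, String> env = new Hashtable<String, String>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://FGBDC1.fgb.ae:389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.server.authentication", "true");

        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        constraints.setTimeLimit(6000);
        constraints.setDerefLinkFlag(false);
        constraints.setReturningObjFlag(false);

        DirContext ctx = null;
        try {
            /* Create initial context */
            ctx = new InitialDirContext(env);
            NamingEnumeration<SearchResult> answer = ctx.search("OU=Departments", filter, constraints);
            while (answer != null && answer.hasMore()) {
                /* the partially qualified name CN="", OU="" relative to OU=Departments */
                SearchResult nextEntry = answer.next();
                sName = nextEntry.getName();
                ssResults = sName;
                String entryDn = sName + ",OU=Departments";
                Attributes aAnswer = ctx.getAttributes(entryDn, USER_ATTR_IDS);
                sAttrIDs = USER_ATTR_IDS.clone();
                if (!wildcard) {
                    collectUserValues(aAnswer);
                }
                try {
                    reportAccountState(ctx, entryDn, aAnswer, wildcard);
                } catch (NamingException le) {
                    modException = le.toString();
                    sErrorResult = modException;
                }
                System.out.println(sName + ": " + '\n' + "Authorization Groups: ");
                if (wildcard) {
                    NamingEnumeration<? extends Attribute> enumUserInfo = aAnswer.getAll();
                    while (enumUserInfo.hasMoreElements()) {
                        sResults = enumUserInfo.nextElement().toString();
                        System.out.println(sResults);
                    }
                }
            }
        } catch (NamingException e) {
            modException = e.toString();
            sErrorResult = modException;
        } finally {
            // The posted version never closed the context and leaked one connection per search.
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // nothing left to recover; the result has already been collected
                }
            }
        }
    }

    /**
     * Replaces each id in {@link #sAttrIDs} with the entry's value for it. Ids without a
     * value stay as they are, except employeeID and IsAccountLocked, which are blanked so
     * the caller does not mistake the id for a value.
     */
    private static void collectUserValues(Attributes aAnswer) throws NamingException {
        for (int i = 0; i < USER_ATTR_IDS.length; i++) {
            Attribute attribute = aAnswer.get(USER_ATTR_IDS[i]);
            if (attribute != null && attribute.get() != null) {
                sAttrIDs[i] = attribute.get().toString();
            }
        }
        if (sAttrIDs[3].contains("employeeID")) {
            sAttrIDs[3] = "";
        }
        if (sAttrIDs[5].contains("IsAccountLocked")) {
            sAttrIDs[5] = "";
        }
    }

    /**
     * Prints the "ACCOUNT IS LOCKED" marker for one entry when its account is disabled and
     * lists its groups. Sets {@link #sResults} to the marker line, or to the entry name
     * when the account is enabled.
     */
    private static void reportAccountState(DirContext ctx, String entryDn, Attributes aAnswer,
                                           boolean wildcard) throws NamingException {
        Attributes aGAnswer = ctx.getAttributes(entryDn, CONTROL_ATTR_IDS);
        // Test the userAccountControl bit itself; the posted version matched the digits
        // "514" anywhere in the attribute dump, which also fires on names like "f5140".
        Attribute uac = aGAnswer.get("userAccountControl");
        boolean disabled = uac != null && isAccountDisabled(String.valueOf(uac.get()));
        if (disabled) {
            Attribute sam = aAnswer.get("sAMAccountName");
            Object who = sam == null ? sName : sam.get();
            sResults = who + " , " + "*******ACCOUNT IS LOCKED*******";
            System.out.println(sResults + '\n');
            if (!wildcard) {
                sAttrIDs[5] = "ACCOUNT IS LOCKED";
            }
        } else {
            sResults = sName;
        }
        Attribute amemberOf = aGAnswer.get("memberOf");
        if (amemberOf != null) {
            /* print each value */
            NamingEnumeration<?> eGroup = amemberOf.getAll();
            while (eGroup.hasMore()) {
                printGroup(ctx, String.valueOf(eGroup.nextElement()));
            }
        }
    }

    /** Prints one memberOf value as "group: ( description )" if the group sits under OU=fgb,OU=HO. */
    private static void printGroup(DirContext ctx, String groupDn) throws NamingException {
        if (!groupDn.contains(sGRegex)) {
            return;
        }
        String lookupDn = groupDn.replace(sRegex, sReplace);
        Attributes aGroup = ctx.getAttributes(lookupDn, GROUP_ATTR_IDS);
        Attribute description = aGroup.get("description");
        /* "sDesc" is the description of the group; a group without one no longer throws */
        String sDesc = description == null ? "" : String.valueOf(description.get());
        /* the distinguished name is reduced to the cn for display */
        String display = lookupDn.replace(ssGRegex, sReplace).replace(sGRegex, sReplace);
        System.out.println(display + ": " + " (" + sDesc + " )");
    }
}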
--//
Can anyone help me?
Kindly find the full output from when I try to run my program:
/-
C:\PROGRA~1\Java\jdk1.5.0_06\bin>java LoginJaas
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt fa
lse ticketCache is null KeyTab is null refreshKrb5Config is false principal is n
ull tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Acquire TGT from Cache
Principal is F3482@FGB.AE
Commit Succeeded
Subject:
Principal: F3482@FGB.AE
Private Credential: Ticket (hex) =
0000: 61 82 03 8E 30 82 03 8AA0 03 02 01 05 A1 08 1B a...0...........
0010: 06 46 47 42 2E 41 45 A21B 30 19 A0 03 02 01 02 .FGB.AE..0......
0020: A1 12 30 10 1B 06 6B 7262 74 67 74 1B 06 46 47 ..0...krbtgt..FG
0030: 42 2E 41 45 A3 82 03 5A30 82 03 56 A0 03 02 01 B.AE...Z0..V....
0040: 17 A1 03 02 01 02 A2 8203 48 04 82 03 44 39 CA .........H...D9.
0050: A8 98 91 28 3D E2 46 A5DF 23 68 89 A6 A5 05 9A ...(=.F..#h.....
0060: CF 54 5F D6 99 97 1B D181 3E 1F 1D 24 CC 19 8E .T_......>..$...
0070: 32 12 FE F7 99 A8 E8 9F00 29 51 D9 63 83 80 96 2........)Q.c...
0080: 21 9D FE E3 40 32 7A 992D 19 1B E2 8C 07 BD C3 !...@2z.-.......
0090: A0 83 13 A6 23 45 97 6F2F 1E 2D 87 51 7D 90 2E ....#E.o/.-.Q...
00A0: AB 32 55 89 53 CD 03 59D3 68 44 45 A0 9B 1D 98 .2U.S..Y.hDE....
00B0: 7B D2 C5 14 FC 8A 48 18C2 17 1F 3C 22 C9 9E A9 ......H....<"...
00C0: B7 83 06 BA 44 6E 58 8D4A A9 95 5F F7 B2 CF 6C ....DnX.J.._...l
00D0: DE 8F AF 05 26 62 58 9026 38 36 C1 69 15 F9 31 ....&bX.&86.i..1
00E0: 63 27 1F 3D FE 14 E5 1F35 AD 2C 3D 1C AC 1D F8 c'.=....5.,=....
00F0: DB 2D FB 4D 05 C4 98 E455 9D BC 5A 21 A2 D2 D0 .-.M....U..Z!...
0100: 0C 02 F8 83 2F CA CF 2DB5 9B 53 3A 74 DC 23 4E ..../..-..S:t.#N
0110: D9 2D 3F 38 53 EF 32 7B12 8B E0 58 2C AE F4 00 .-?8S.2....X,...
0120: A8 87 1C 44 C4 F2 BA 094D 18 FE 7D 78 69 C4 2A ...D....M...xi.*
0130: 6D 3E EB 15 F9 21 01 FA81 18 84 C8 94 0C CD 2C m>...!.........,
0140: 38 DF ED 54 5F 26 6E 1A90 FB 59 E7 F6 52 CE C5 8..T_&n...Y..R..
0150: 79 49 6D 50 E0 CE 62 B02D 2D A8 AF 3A 21 16 DD yImP..b.--..:!..
0160: 52 97 3A 41 2C 57 8C A5E8 66 CE 01 B8 FC 19 1E R.:A,W...f......
0170: 4A 0F 3F D6 17 7A F0 35A5 21 5A 9A FD D1 94 14 J.?..z.5.!Z.....
0180: 73 2D B2 BF 10 3C 72 FDA6 74 C4 FB 04 5E 11 93 s-...<r..t...^..
0190: 36 F3 95 B5 E1 22 20 4370 A3 C3 90 08 2A D5 54 6...." Cp....*.T
01A0: EF 52 DB C2 7E 4C 98 E559 4A FC 03 1F 03 24 4D .R...L..YJ....$M
01B0: 7E 68 BC 09 19 7F 14 C232 CE 81 82 DA AA 77 2D .h......2.....w-
01C0: C0 3B 8D AD BE 71 97 7C53 41 61 45 D0 C9 3A 3E .;...q..SAaE..:>
01D0: FE 60 B2 9E 17 80 F3 BD05 C3 FD 93 E6 D8 8E FF .`..............
01E0: C2 4B 3F B1 74 0F D9 832D 37 B8 92 50 11 C7 92 .K?.t...-7..P...
01F0: 42 02 81 17 4B 48 19 C259 4A FA 5B C2 E0 D6 09 B...KH..YJ.[....
0200: BE E9 45 72 6E ED 41 51D7 CD C8 B2 0E 5E 6A 40 ..Ern.AQ.....^j@
0210: A7 AB DF 16 CC 0F FA 9746 7F AB 45 A1 D9 7C 9B ........F..E....
0220: 1F 5A 8D 46 32 60 1C 1FEF 4B CD C5 F6 C4 16 4C .Z.F2`...K.....L
0230: 96 BF C8 EF 95 54 19 BDB7 C3 AF 6B 80 7A 06 3F .....T.....k.z.?
0240: 1D FE 95 B7 45 FE D3 619C 86 D1 50 48 24 89 B2 ....E..a...PH$..
0250: 6D D9 73 47 EF B1 5C D5CF A8 5D C7 20 70 FD 31 m.sG..\...]. p.1
0260: 5A D2 1B F8 58 D7 28 92AD CF 20 F3 D1 2A DD DB Z...X.(... ..*..
0270: 2E 79 AC DB E0 04 CC 8016 2B 07 8F F3 A7 BA 32 .y.......+.....2
0280: 53 42 98 45 95 E2 F1 E301 8F 62 58 0F 38 55 C8 SB.E......bX.8U.
0290: 77 B2 93 B5 CB 7F AE 0C84 96 FB 20 FE 59 50 D3 w.......... .YP.
02A0: 22 00 DE 73 E1 61 B4 4C33 B2 E5 E7 13 DA 40 E1 "..s.a.L3.....@.
02B0: 1B 3D 12 12 16 15 63 96AA C7 D4 A5 49 15 83 9E .=....c.....I...
02C0: BE 7C 29 97 39 F7 F4 8D67 9C 66 9A 9D 5F 40 65 ..).9...g.f.._@e
02D0: 85 DC 52 AC 11 97 F1 D2D4 53 E8 B2 E3 B7 01 AA ..R......S......
02E0: 38 F4 D8 62 AD 4E EE 2EA5 3A 24 B4 BA B9 0F 1C 8..b.N...:$.....
02F0: 17 31 0E 05 1A DC 54 8F33 6C 26 8F 82 39 0E 3F .1....T.3l&..9.?
0300: 04 38 E0 74 4F 2C DF 219F 0C 66 23 7E 92 4C 15 .8.tO,.!..f#..L.
0310: 42 1A D3 A8 9D 06 54 E90B 54 05 D5 54 BF 86 E8 B.....T..T..T...
0320: 4D 61 2B E9 29 D8 C1 BDEC 4E D2 A4 65 0F F1 EF Ma+.)....N..e...
0330: 93 D2 CD A0 40 F0 48 45DA D6 5A 7A 3F 69 1C 09 ....@.HE..Zz?i..
0340: 95 7B F7 01 4C 5E F8 2442 B6 05 4B 98 1F C4 47 ....L^.$B..K...G
0350: F5 77 3F 3C EE 56 2E A79F FB CA 85 9D CD 45 05 .w?<.V........E.
0360: 53 CF 1A 68 C4 71 76 13B2 39 39 54 65 B1 14 56 S..h.qv..99Te..V
0370: B1 EB F3 1A 0B 5D 32 BB7C 11 F0 A7 C6 0B 82 C3 .....]2.........
0380: 70 4A AC E3 47 C5 5E CF17 B0 A4 60 14 EE 93 9F pJ..G.^....`....
0390: B2 99
Client Principal = F3482@FGB.AE
Server Principal = krbtgt/FGB.AE@FGB.AE
Session Key = EncryptionKey: keyType=0 keyBytes (hex dump)= Empty Key
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Tue Aug 22 12:05:38 GMT+04:00 2006
Start Time = Tue Aug 22 12:05:38 GMT+04:00 2006
End Time = Tue Aug 22 22:05:38 GMT+04:00 2006
Renew Till = Tue Aug 29 12:05:38 GMT+04:00 2006
Client Addresses Null
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.s
asl.SaslException: GSS initiate failed [Caused by GSSException: No valid credent
ials provided (Mechanism level: KDC has no support for encryption type (14))]]
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
//
I am able to authenticate using Kerberos, but when I try to search my LDAP it gives the error message above. Can anyone help?