Java Kerberos JNDI help needed urgently

Caesar caesars at cs.stanford.edu
Thu May 22 08:17:31 EDT 2003


We are trying to use Kerberos authentication to perform LDAP actions
on an Active Directory. The GSS sample code from Sun works perfectly
on our test Active Directories but refuses to work on the live Active
Directory. The JAAS part succeeds but the GSSAPI authentication fails
with the following error (KrbException: Identifier doesn't match
expected value (906)).

Any ideas about what we can try or what might be going wrong? Any and
all help will be sincerely appreciated...

Here are my Kerberos debugging logs:

After the JAAS Authentication:

principal is mku at CORP.FOO.COM
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 3 1
>>> KrbKdcReq send: kdc=corp.foo.com, port=88, timeout=30000, number
of retries =3, #bytes=225
SocketTimeOutException with attempt: 1
>>> KrbKdcReq send: #bytes read=1307
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply mku
Commit Succeeded

>>> Authentication succeeded.
>>> Now to do the JNDI stuff

Opening connection to
ldap://corp.foo.com/CN=Users,OU=Foo,DC=corp,DC=foo,DC=com
>>> Credentials acquireServiceCreds: same realm
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbKdcReq send: kdc=corp.brocade.com, port=88, timeout=30000,
number of retries =3, #bytes=1278
SocketTimeOutException with attempt: 1
>>> KrbKdcReq send: #bytes read=104
>>> KDCRep: init() encoding tag is 126 req type is 13
KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:129)
        at sun.security.krb5.internal.ae.a(DashoA6275:58)
        at sun.security.krb5.internal.ae.<init>(DashoA6275:53)

~Caesar
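
Added example, not part of the original post and not Sun's code: in the log line "encoding tag is 126 req type is 13", 126 is the DER identifier octet 0x60|30, the RFC 4120 APPLICATION tag for KRB-ERROR, while 13 is the tag of the expected TGS-REP. The Python sketch below classifies a KDC reply by that octet and, for a KRB-ERROR, extracts the error-code field; the function names and the sample bytes are assumptions constructed for illustration.

```python
# Classify a KDC reply by its DER identifier octet; for KRB-ERROR return error-code ([6]).
APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
            14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}

def read_tlv(buf, pos):
    """Return (identifier octet, value bytes, next offset) for one DER TLV."""
    ident = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return ident, buf[pos:pos + length], pos + length

def message_type(reply):
    """Map the first octet (e.g. 126 = 0x60 | 30) to a Kerberos message name."""
    ident = reply[0]
    if ident & 0xE0 != 0x60:                # must be APPLICATION class, constructed
        raise ValueError("not a Kerberos application-tagged message")
    return APP_TAGS.get(ident & 0x1F, "unknown")

def krb_error_code(reply):
    """Return the error-code of a KRB-ERROR, or None for any other message."""
    if message_type(reply) != "KRB-ERROR":
        return None
    _, seq, _ = read_tlv(reply, 0)          # strip [APPLICATION 30]
    _, fields, _ = read_tlv(seq, 0)         # strip SEQUENCE
    pos = 0
    while pos < len(fields):
        ident, value, pos = read_tlv(fields, pos)
        if ident == 0xA6:                   # context tag [6] = error-code
            _, num, _ = read_tlv(value, 0)  # inner INTEGER
            return int.from_bytes(num, "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def tlv(ident, body):                       # short-form encoder, used for the sample only
    return bytes([ident, len(body)]) + body

# Constructed sample, NOT the poster's 104-byte reply; error-code 60 is an arbitrary choice.
SAMPLE = tlv(0x7E, tlv(0x30, b"".join([
    tlv(0xA0, tlv(0x02, b"\x05")), tlv(0xA1, tlv(0x02, b"\x1e")),
    tlv(0xA4, tlv(0x18, b"20030522121731Z")), tlv(0xA5, tlv(0x02, b"\x00")),
    tlv(0xA6, tlv(0x02, b"\x3c")),
    tlv(0xA9, tlv(0x1B, b"CORP.FOO.COM")),
    tlv(0xAA, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) +
        tlv(0xA1, tlv(0x30, tlv(0x1B, b"ldap") + tlv(0x1B, b"corp.foo.com")))))])))
```

Run against the raw bytes of a captured KDC reply, krb_error_code() returns a number that can be looked up in the error code list of RFC 4120, section 7.5.9.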

