Why does a GSS server need a key and not just a ticket?
Kevin Burton
rkevinburton at charter.net
Tue Jan 13 19:03:33 EST 2004
Would you mind sharing with me (and the group) how you ran this code? When I
run this code I get the following error. The domain controller is a Windows
2000 machine and the machine that I am running this code on is a Windows
2000 machine. The domain controller is ppcdevad01 (I am assuming this is the
KDC), the domain is ppc.com, and I have an account on the domain as kburton.
What could I be doing wrong? I get the same results when I try the Login
sample.
Kevin
rkevinburton at charter.net
C:\j2sdk1.4.2\docs\guide\security\jgss\tutorials>java -classpath Login.jar;SampleClient.jar -Djava.security.manager -Djava.security.krb5.realm=krbtgt/ppc.com at ppc.com -Djava.security.krb5.kdc=ppcdevad01 -Djava.security.policy=client.policy - Djava.security.auth.login.config=csLogin.conf Login SampleClient kburton at ppc.com localhost 4242
Kerberos username [kburton]:
Kerberos password for kburton: xxxxxxx
Unexpected Exception - unable to continue
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at Login.main(Login.java:136)
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(Unknown Source)
at sun.security.krb5.internal.at.a(Unknown Source)
at sun.security.krb5.internal.at.<init>(Unknown Source)
... 16 more
C:\j2sdk1.4.2\docs\guide\security\jgss\tutorials>
"Oliver Schoett" <os at sdm.de> wrote in message
news:3FAA29F7.3040306 at sdm.de...
> I have been playing with the Sun GSS/Kerberos sample code in
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/ClientServer.html
>
> and noticed that the client in this scenario needs only a Kerberos
> ticket (for example, obtained from an initial Windows logon), whereas
> the server needs a key (secret information). This creates a key
> management problem for our servers, which I would like to avoid.
>
> Why is it that the server needs a key, when in principle, a ticket
> should be enough to prove one's identity?
>
> Oliver Schoett