hi
Kiran Chandra
kiranc at iormyxintl.com
Thu Oct 14 07:18:13 EDT 2004
Hi,

I am facing an issue with Kerberos authentication using the Java GSS API. Following is the scenario. I have a web application running on a Solaris box. The KDC is running on a Win2K server which is also a domain controller. Whenever a user logs into the domain and tries to access the web app running on the Solaris box, he should be authenticated using Kerberos. To make this happen an account is created for the Unix server (HTTP service) on the KDC. The account was tested from UNIX using kinit and it works fine.

To do the Kerberos authentication, the Kerberos token is requested from IE. This was achieved by making the web application running on Solaris set a WWW-Authenticate header in the response and the status code as 401. On receiving this, the client (IE) contacts the KDC and fetches the Kerberos service ticket for the server. IE sends the Kerberos token wrapped as a SPNEGO token and sends back this data in the Authorization header.

I am using a C library to parse out the Kerberos token and validate it. The token I receive passes through the validation successfully. This was verified by accessing the webapp without logging into the domain, during which the parsing and validation failed.

Now I have a valid Kerberos token which contains the client authentication information. From the server application I am verifying the authenticity of the client using the Java GSS API. I am logging into the KDC using the account created for the server and creating a GSSContext (part of the GSS API spec). The next step is to pass the Kerberos token to the acceptSecContext method of GSSContext. This method will check the client info and return a token back. The returned token will contain information on whether the client was authenticated correctly, or the server requires more information (for further exchanges between client and server), or whether the client authentication failed, etc.

Now I am facing an issue with the acceptSecContext call. When I pass in the token which was already verified as a valid Kerberos 5 token, I am getting an error.

Following is the error.
GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:72)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:719)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    at com.iormyx.webapp.security.GSSCallImpl.run(GSSCallImpl.java:85)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:320)
    at com.iormyx.webapp.security.GSSCallImpl.startServer(GSSCallImpl.java:59)
    at com.iormyx.webapp.security.Authenticate.verifyCredential(Authenticate.java:50)
    at com.iormyx.webapp.actions.LoginAction.execute(LoginAction.java:67)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
    at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:689)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
    at java.lang.Thread.run(Thread.java:534)
If you have any info regarding why this happens please let me know.
Regards
Kiran C
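Added example, not code from the original post or from the poster's application: a small Python inspector for the Authorization: Negotiate header described above. It decodes the RFC 2743 InitialContextToken framing and reports which mechanism OID wraps the token (SPNEGO 1.3.6.1.5.5.2 or Kerberos 5 1.2.840.113554.1.2.2) and, for a Kerberos 5 token, whether the two-byte token id that a Kerberos acceptor checks is the AP-REQ id 01 00. The sample tokens are constructed placeholders, not real tickets.

```python
import base64
# Mechanism OIDs as DER content bytes (RFC 1964 section 1.1, RFC 4178 section 4.1)
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("2b0601050502")      # 1.3.6.1.5.5.2
MECH_NAMES = {KRB5_OID: "krb5", SPNEGO_OID: "spnego"}
# Two-byte TOK_ID that opens a krb5 inner token (RFC 1964); an acceptor wants 01 00
KRB5_TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "ERROR"}

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index just past it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def inspect_token(tok):
    """Describe an RFC 2743 InitialContextToken: mechanism OID and what follows it."""
    if not tok or tok[0] != 0x60:
        return {"mech": None, "inner": "no GSS-API framing (tag 0x60 missing)"}
    _, pos = _der_length(tok, 1)
    if tok[pos] != 0x06:
        return {"mech": None, "inner": "OID tag missing after token length"}
    oid_len, pos = _der_length(tok, pos + 1)
    mech = MECH_NAMES.get(tok[pos:pos + oid_len], "unknown")
    pos += oid_len
    if mech == "krb5":
        return {"mech": mech, "inner": KRB5_TOKEN_IDS.get(tok[pos:pos + 2], "bad token id")}
    if mech == "spnego":
        # RFC 4178: the first token is NegTokenInit, context tag [0] = 0xA0
        return {"mech": mech, "inner": "NegTokenInit" if tok[pos] == 0xA0 else "unexpected tag"}
    return {"mech": mech, "inner": "unknown mechanism"}

def inspect_negotiate_header(value):
    """Inspect the token carried in 'Authorization: Negotiate <base64>'."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme != "Negotiate":
        return {"mech": None, "inner": "not a Negotiate header"}
    return inspect_token(base64.b64decode(b64))

def _frame(oid, inner):  # constructed-sample builder: GSS-API header, short-form length only
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

# Constructed samples, not real tickets: the bytes after TOK_ID are placeholders
KRB5_SAMPLE = _frame(KRB5_OID, b"\x01\x00\x6e\x00")
SPNEGO_SAMPLE = _frame(SPNEGO_OID, b"\xa0\x00")
RAW_AP_REQ_SAMPLE = b"\x6e\x00"  # a bare KRB_AP_REQ with no GSS-API header
KRB5_HEADER = "Negotiate " + base64.b64encode(KRB5_SAMPLE).decode()
SPNEGO_HEADER = "Negotiate " + base64.b64encode(SPNEGO_SAMPLE).decode()
```

Run inspect_negotiate_header on a captured header before handing the bytes to acceptSecContext: a Kerberos 5 acceptor needs a krb5-framed AP-REQ, while a SPNEGO-framed token needs the SPNEGO mechanism on the acceptor side.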