Java GSS/Kerberos issue - Autheticating server
Laurence Brockman
daceilo at gmail.com
Wed Nov 30 16:17:53 EST 2005
The server is running on the same machine as the client.
I have one development box running.
Server is running as a tomcat servlet (Utilizing Apache's Axis SOAP
interface). The client contacts the kerberos server, grabs the appropriate
ticket and uses the GSS API to generate a ticket. The client then MD5's the
service ticket and inserts that into the SOAP header (Using the OASIS spec
released on Nov 7) in the form of a BinarySecurityToken element. The server
receives the request, contacts the kerberos server to authenticate itself.
The server portion creates a login context (The Password callback is just a
simple class that has two local variables, username and password, and when
the appropriate method is returned, the username is returned and the
password is returned for the appropriate method -- The same callback class
as the client).
After the login context has been created the lc.login() method is called.
This method throws an exception and the server process returns an exception
to the calling SOAP request because the authentication has failed.
I have been basing my code on IBM's paper entilied "Simplify enterprise
Java authentication with single sign-on" published on Sep 9, 2003 (For the
kerberos/GSS specific stuff).
Is this even the appropriate process to be going through on the server side?
Looking at the SampleServer.java code from Sun it doesn't even look like the
LoginContext/LoginContext.login() method's get called (Maybe replaced with
GSSManager.createContext()?).
I'm open to the idea that I'm doing this completely wrong on the server
side... I'm brand new to kerberos and basically what we need to have happen
is the SOAP Server verify that the user has appropriate access to the SOAP
service method (As defined in the kerberos server). EG.
webservermethod/soapservice.company.com at company.com. Am I going about this
the wrong way?
On 11/30/05, Seema Malkani <Seema.Malkani at sun.com> wrote:
>
> Douglas E. Engert wrote On 11/30/05 08:27,:
>
> >
> >
> > Laurence wrote:
> >
> >> Hey guys, hopefully someone can help me out here.
> >>
> >> I am having a problem with authenticating a user to a KDC (I believe
> >> the MIT reference implementation) using Java (JDK1.5 and JDK1.4)
> >> through GSS.
> >>
> >> Here is the background:
> >>
> >> I have two processes running on one machine (Client and Server).
> >>
> >> 1. Client authenticates to kerberos server and logs in, uses the GSS
> >> libraries to create a service ticket for destination server
> >> (Authenticates with principal test/admin at realm.com).
> >> 2. Server receives request from client (Through soap transcation).
> >> Generates a login context and tries to authenticate against the
> >> kerberos server using test2/admin at realm.com. Server is returned an
> >> error from the kerberos server (Integrity check on decrypted field
> >> failed (31) - PREAUTH_FAILED).
> >
> >
> > There is a bug in Java related to PREAUTH. (Its fixed in 1.6 I believe.)
> > It has to do with Jave assuming it knows the "salt" to use when
> > generating
> > the key from the password. key = fun(passwrod,salt); The salt is based
> on
> > user and realm. Jave assumes that the these have not changed since the
> > password was last changed. Windows is also case insensitive but does
> > preserve the case of the salt when changing the password.
> >
> > So if you have moved an AD account from one domain to another or changed
> > the acount name (even the case) and not changed the password you could
> > have problems.
> >
> > So make sure the case of the principal and the principal is the same
> > as when the password for the acount was last changed.
>
> I think we have a different scenario here. If I understand correctly,
> submitter says he can authenticate using same principal/password
> "test2/admin" from the client-side, but cannot use the same
> principal/password from the server-side.
>
> Laurence, can you try to simple JAAS Kerberos login, and check if you
> can authenticate from the server-side.
>
> Seema
>
> >
> >
> >>
> >> If I configured the client to use the same username/password I can
> >> authenticate on the client, but no matter what I put in the server it
> >> fails.
> >>
> >> I don't know the kerberos protocol well enough to know if I can even do
> >> this (Having the server contact the KDC after a service ticket has been
>
> >> issued to the client to authenticate). Is that why I'm getting what
> >> I've read indicates a password error?
> >>
> >> ________________________________________________
> >> Kerberos mailing list Kerberos at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/kerberos
> >>
> >>
> >
>
More information about the Kerberos
mailing list