JGSS: Integrity check on decrypted field failed (31)

Michael B Allen mba2000 at ioplex.com
Tue Nov 7 23:48:03 EST 2006 

I believe this problem must be a bug in Java for Windows.

All of the GSS examples use the default credentials of the user running
the server. I do not. I created a KerberosKey from a password and acquired
the GSSCredential through Subject.doAsPriviledged. Again the Filter works
on Linux this way just fine. But apparently Windows is not satisfied when
acceptSecContext is called. I can only guess that the Krb5LoginModule is
calling into the host using SSPI routines and as a result the behavior
is different.

Is there any way to tell Java on Windows not to interact with SSPI at
all and do everything natively?

So, now I'm trying to go through the LoginContext with the Krb5LoginModule
but that's far more complicated (and should be totally unnecessary
considering I have a keytab) and I'm weeding through errors with jaas.conf
syntax, keytab files, etc.

Somebody give me a clue please.

Mike

On Tue, 7 Nov 2006 17:54:50 -0500
Michael B Allen <mba2000 at ioplex.com> wrote:

> Hi Seema,
> 
> I have narrowed things down quite a bit. If I use Firefox which uses
> raw kerberos tokens I still get the same error which means that this
> has nothing to do with SPNEGO. If I run the Filter in Jetty on Linux it
> works. So there's something about Tomcat / Windows / Java on Windows. On
> site we tried a variety of different versions of Java but the one I'm
> trying right now is Java 1.4.2_13.
> 
> The SPNs are mapped correctly and the password in fact correct. I've been
> doing a lot of the SSO stuff recently and I'm pretty good at diagnosing
> the many problems that can occur.
> 
> I have compared tickets field by field using a packet sniffer (although
> I have not resorted to decrypting the encrypted fields yet).
> 
> Do you happen to know if this particular exception is caused by a
> problem with the authenticator or decrypting the ticket in general?
> 
> My next step will be to use Configuration.setConfiguration() to explore
> the effect of Krb5LoginModule options.
> 
> Can you recommend futher action?
> 
> Thanks,
> Mike
> 
> On Tue, 07 Nov 2006 12:16:22 -0800
> Seema Malkani <Seema.Malkani at Sun.COM> wrote:
> 
> > What version of JDK are you using ? Sun's implementation of Java GSS 
> > includes support for SPNEGO starting from Java SE 6.
> > 
> > Has the SPN been setup correctly ?
> > 
> > Seema
> > 
> > Michael B Allen wrote On 11/06/06 11:26,:
> > 
> > >I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token,
> > >plucks out the krb5 mechToken and passes it to acceptSecContext. Works
> > >great on Linux/Jetty. Tomcat on Windows gives me the following exception.
> > >Basically it looks like it's failing to decrypt the ticket as if the
> > >password was wrong (but it's not). The service account is set for DES
> > >only. For the service credential, I manually create a KerberosKey with a
> > >plaintext password and enctype of "DES".
> > >
> > >Before I start doing byte for byte checking can anyone recommend potential
> > >reasons for this error?
> > >
> > >GSSException: Failure unspecified at GSS-API level (Mechanism level:
> > >Integrity check on decrypted field failed (31))
> > >	sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
> > >	sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
> > >	sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
> > >________________________________________________
> > >Kerberos mailing list           Kerberos at mit.edu
> > >https://mailman.mit.edu/mailman/listinfo/kerberos
> > >  
> > >
> > 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/

More information about the Kerberos mailing list