LoginException: Cannot get kdc for realm

Giuseppe Catalano gpcatalano at gmail.com
Wed May 30 12:29:44 EDT 2007


Hi to all.

We have a problem using JAAS for authenticating against Microsoft
Active Directory LDAP and a security service based on Microsoft
Kerberos V5.

We have a krb5.conf like this:

#
# All rights reserved.
#
#pragma ident   @(#)krb5.conf   1.1 00/12/08

[libdefaults]
        default_realm = AAA.IT.xxx.YYYY.COM

[realms]
        IT.XXX.YYYY.COM = {
            kdc = SERVER1:88
        }
        AAA.IT.XXX.YYYY.COM = {
            kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
        }
        BBB.IT.XXX.YYYY.COM = {
            kdc = SERVER3.BBB.IT.XXX.YYYY.COM:88
        }
        CCC.IT.XXX.YYYY.COM = {
            kdc = SERVER4.CCC.IT.XXX.YYYY.COM:88
        }
        DDD.IT.XXX.YYYY.COM = {
            kdc = SERVER5.DDD.IT.XXX.YYYY.COM:88
        }

[domain_realm]
        .bbb.it.xxx.yyyy.com = BBB.IT.XXX.YYYY.COM
        .aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
        .it.xxx.yyyy.com = IT.XXX.YYYY.COM
        .ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
        .ddd.it.xxx.yyyy.com = DDD.IT.XXX.YYYY.COM

We are developing under Oracle Application Server 10.1.3. We load
krb5.conf file in a servlet with this code:
System.setProperty("java.security.krb5.conf"..

We authenticate users with these calls:

lc = new LoginContext("MyLogin", new CallbackHandler(args));
lc.login();

We have deployed our web application under a test environment and
everything works. Now we are trying to go on production, where we have
the following error:


javax.security.auth.login.LoginException: Cannot get kdc for realm CC.IT.XXX.YYYY.COM
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
     at sun.reflect.GeneratedMethodAccessor1909.invoke(Unknown Source)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:585)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)...
 .....
 ....
Caused by: KrbException: Cannot get kdc for realm CCC.IT.XXX.YYYY.COM
     at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
     at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
     at sun.security.krb5.KrbAsReq.send(DashoA12275:330)
     at sun.security.krb5.Credentials.acquireTGT(DashoA12275:369)
     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)

We have deployed another web application inside the same application
server that uses the same framework for authentication, that is the
same classes that we have developed for authentication. The other web
application works correctly, the only difference is that we have added
two more domains in krb5.conf that is deployed with each web
application.

Using kinit the authentication works for the added domains.

Does anyone have any suggestions to solve this problem?

Thanks in advance.
Best Regards,
Giuseppe
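
An added example, not part of the original post: a small Python check that parses a krb5.conf and lists every realm that is referenced (as default_realm, as a [domain_realm] target, or named in an error message) but has no kdc entry under [realms]. The sample is constructed from the post's redacted file and shortened, with the CCC stanza deliberately left out; the function names are hypothetical, and realm names are compared exactly because Kerberos realm names are case-sensitive.

```python
import re

# Constructed sample based on the redacted krb5.conf in the post (CCC stanza omitted).
SAMPLE = """\
[libdefaults]
    default_realm = AAA.IT.xxx.YYYY.COM
[realms]
    IT.XXX.YYYY.COM = {
        kdc = SERVER1:88
    }
    AAA.IT.XXX.YYYY.COM = {
        kdc = SERVER2.AAA.IT.XXXP.YYYY.COM:88
    }
[domain_realm]
    .aaa.it.xxx.yyyy.com = AAA.IT.XXX.YYYY.COM
    .ccc.it.xxx.yyyy.com = CCC.IT.XXX.YYYY.COM
"""

def parse_krb5_conf(text):
    """Return (default_realm, {realm: [kdc, ...]}, {domain: realm})."""
    default_realm, realms, domain_realm = None, {}, {}
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # section header such as [realms]
            section, current = m.group(1), None
        elif line == "}":                    # end of a realm stanza
            current = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                current = key                # start of a realm stanza
                realms[key] = []
            elif section == "realms" and current and key == "kdc":
                realms[current].append(value)
            elif section == "domain_realm":
                domain_realm[key] = value
    return default_realm, realms, domain_realm

def realms_without_kdc(text, extra=()):
    """Referenced realms with no kdc entry (exact, case-sensitive match)."""
    default_realm, realms, domain_realm = parse_krb5_conf(text)
    wanted = {default_realm, *domain_realm.values(), *extra} - {None}
    return sorted(r for r in wanted if not realms.get(r))
```

To check a deployed file, pass the contents of the file that the java.security.krb5.conf property actually names, plus the realm string from the exception as `extra`.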


