Kerberos service ticket issue!!!

Douglas E. Engert deengert at anl.gov
Wed Sep 2 11:45:19 EDT 2009



Priya B wrote:
> Hello everybody,
> 
> We are in the process of implementing Kerberos Authentication (Single
> Sign On) using JAAS. We've been facing a problem to which we (and
> everybody we've approached so far :) ) have had no solution for many
> weeks.

What version of Java?

> 
> We're trying to get the service ticket from the KDC but unable to.
> (NOTE - The client and the service are in different realms.)

Do you have cross realm setup between the two realms?
Do you have the krb5.conf on the client setup for cross realm?

> 
> Java throws the following exception:
> GSSException: No valid credentials provided (Mechanism level: Fail to
> create credential. (63) - No service creds)
> 
> When we monitor the packets, we observed the below errors:
> KRB_ERR_RESPONSE_TOO_BIG

Is one or both of the realms Windows AD?
The KRB_ERR_RESPONSE_TOO_BIG could be caused by Windows adding a PAC
to the ticket, and the older versions of Java can only use UDP.
Newer versions might be able to use TCP to handle large tickets,
in which case the request would have been retried using TCP.
If you don't need the PAC, there are ways to tell the DC not to add it.
(The PAC can be 12K or more, whereas a ticket without a PAC is
about 400 bytes.)

> KDC_ERR_WRONG_REALM

Sounds like either krb5.conf is not setup correctly,
or AD gave you a referral which Java could not handle.

You appear to have done some tracing, but have not said where you are
seeing these messages or how far along the process of getting tickets
has gotten. i.e. client to client's KDC or client to server's KDC.

> 
> We have tried setting the Registry value as mentioned in the other
> posts, but to no avail.
> 
> Any solution please? It would be gratefully appreciated !!
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
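As an added example that is not part of the above message, here is the kind of client-side krb5.conf the reply is asking about: one that declares both realms, maps the service's hostname to the right realm (the usual cause of KDC_ERR_WRONG_REALM when no referral is involved), spells out the cross-realm path, and tells the library to skip UDP so that a PAC-bearing ticket never triggers KRB_ERR_RESPONSE_TOO_BIG. The realm names, KDC hostnames and domain names are invented placeholders; substitute your own. `udp_preference_limit` is a standard MIT libdefaults setting (requests larger than this many bytes go over TCP; 1 means always TCP) and is honoured by the Java Kerberos implementation in releases that support TCP.

```ini
# Added example krb5.conf for a client in CLIENT.EXAMPLE (MIT-style realm)
# that needs service tickets from AD.EXAMPLE (a Windows AD realm).
# All realm and host names below are hypothetical placeholders.

[libdefaults]
    default_realm = CLIENT.EXAMPLE
    # Weak setting (the default on old clients): try UDP first, which
    # fails with KRB_ERR_RESPONSE_TOO_BIG once the AD PAC inflates the
    # reply past the UDP limit.
    #udp_preference_limit = 1465
    # Corrected setting: any request larger than 1 byte uses TCP, so
    # large replies never hit the UDP path at all.
    udp_preference_limit = 1
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    CLIENT.EXAMPLE = {
        kdc = kdc1.client.example
        admin_server = kdc1.client.example
    }
    AD.EXAMPLE = {
        # Windows domain controllers act as the KDC for the AD realm.
        kdc = dc1.ad.example
        admin_server = dc1.ad.example
    }

[domain_realm]
    # Without these mappings the client guesses the realm from the
    # service hostname (uppercased domain), which is where a
    # KDC_ERR_WRONG_REALM typically comes from when the guess is wrong.
    .client.example = CLIENT.EXAMPLE
    client.example  = CLIENT.EXAMPLE
    .ad.example     = AD.EXAMPLE
    ad.example      = AD.EXAMPLE

[capaths]
    # Direct two-realm trust: a CLIENT.EXAMPLE principal reaches
    # AD.EXAMPLE with a single cross-realm TGT (krbtgt/AD.EXAMPLE@CLIENT.EXAMPLE),
    # which requires the matching trust to exist on both KDCs.
    CLIENT.EXAMPLE = {
        AD.EXAMPLE = .
    }
    AD.EXAMPLE = {
        CLIENT.EXAMPLE = .
    }
```

With this in place, the trace the reply asks for can be read off the KDC hops: first an AS-REQ to kdc1.client.example for the user's TGT, then a TGS-REQ to the same KDC for krbtgt/AD.EXAMPLE@CLIENT.EXAMPLE, and only then a TGS-REQ to dc1.ad.example for the actual service principal. Whichever of those three steps produces the error is the one to investigate; an error on the last step with a Windows DC is where the PAC size and the referral handling come into play.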


