Kerberos service ticket issue!!!

Douglas E. Engert deengert at anl.gov
Fri Sep 4 16:13:18 EDT 2009



Priya B wrote:
> Thank you so much for your response!
> 
> We modified the krb5.conf file (as below) and also switched from UDP
> to TCP. Now we're not getting any errors in the trace. But still we
> don't get the service ticket (same exception). In the trace for some
> reason, after the client gets the TGS response, the client closes the
> TCP connection, and never tries to get a service ticket. It is not
> querying regarding the service at all.
> 
> Anyway, below are some answers to your questions:
> 
> What version of Java?
>>>> 1.6
> 
> 
> Do you have cross realm setup between the two realms?
>>>> It should be there, because we have another application (based on SSPI) using which we are able to sign-in to the same service.
> 
> 
> Do you have the krb5.conf on the client setup for cross realm?
>>>> We have. Below is the conf file. Do let us know if it needs any corrections.

Note that Kerberos implementations just ignore unknown lines in the
krb5.conf, so you must be careful to get them correct.


> 
> --------------------------------------------------------------
> 
> 
> [libdefaults]
> udp_preference_limit = 1
> 	default_realm = REALM1.COM
>     dns_lookup_kdc = true
> [realms]
> 	REALM1.COM = {
>                 kdc = host1.realm1.com
> 		default_domain = realm1.com
> 
>        }
> 
> REALM2.COM = {
> 
>     realm_type   = WINNTv1
> 
>     ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC
> 

What are the above two lines? What documentation were you reading on how to
setup a krb5.conf for Java? And what is "WINNTv1"? "NT" implies a very old OS.
Windows 2000 was the first that I know of that supports Kerberos.


> 
>     kdc = {
> 
>        name = host2.realm2.com
>        default_domain = .realm2.com
> 
>        protocol = TCP
> 
>  }
> 
>   }
> 
> 
> 
> [domain_realm]
> .realm1.com = REALM1.COM
> .realm2.com =REALM2.COM
> 
> 
> 
> 
> [capaths]
> REALM1.COM = {
> REALM2.COM = .
> }
> 
> REALM2.COM  = {
>  REALM1.COM = .
> }
> 
> 
> [logging]
> 
> 
> --------------------------------------------------------------
> 
> Is one or both of the realms Window AD?
>>>> Shall confirm that soon.
> 
> 
> You appear to have done some tracing, but have not said where you are
> seeing these messages or how far along the process of getting tickets
> has gotten. i.e. client to client's KDC or client to server's KDC.
>>>> client to client's KDC
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
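As an added illustration of the point above that unknown krb5.conf lines are silently ignored (example code written for this page, not from the thread or from MIT Kerberos): a small linter that walks the [libdefaults] and [realms] sections and reports relations outside a partial, assumed allow-list of MIT krb5 relation names, plus any `{` block where a plain value is expected. Run on the configuration quoted above, it flags realm_type, ENC_TYPES_LIST and the nested kdc block.

```python
import re
# Constructed sample: the [libdefaults] and [realms] sections quoted in the thread.
SAMPLE = """\
[libdefaults]
udp_preference_limit = 1
    default_realm = REALM1.COM
[realms]
    REALM1.COM = {
        kdc = host1.realm1.com
    }
    REALM2.COM = {
        realm_type   = WINNTv1
        ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC
        kdc = {
            name = host2.realm2.com
            protocol = TCP
        }
    }
"""
# Partial allow-lists of MIT krb5 relation names (assumption: not exhaustive).
KNOWN = {
    "libdefaults": {"default_realm", "dns_lookup_kdc", "dns_lookup_realm",
                    "udp_preference_limit", "default_tgs_enctypes"},
    "realms": {"kdc", "admin_server", "master_kdc", "kpasswd_server", "default_domain"},
}
def lint_krb5_conf(text):
    """Flag relations krb5 would silently ignore, and '{' blocks where a value is expected."""
    findings, section, depth = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"^\[(\w+)\]$", line)
        if head:                      # new section, reset brace depth
            section, depth = head.group(1), 0
            continue
        if line == "}":
            depth -= 1
            continue
        rel = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not rel:                   # blank or unparsable line
            continue
        key, opens = rel.group(1), rel.group(2) == "{"
        # In [realms], depth 0 holds realm names; their relations sit at depth 1.
        if section == "realms" and depth == 1 and key not in KNOWN["realms"]:
            findings.append(f"line {lineno}: unknown [realms] relation '{key}' (ignored)")
        elif section == "realms" and depth == 1 and opens:
            findings.append(f"line {lineno}: '{key}' expects a value, got a '{{' block")
        elif section == "libdefaults" and key not in KNOWN["libdefaults"]:
            findings.append(f"line {lineno}: unknown [libdefaults] relation '{key}' (ignored)")
        depth += opens
    return findings
```

Calling `lint_krb5_conf(SAMPLE)` returns three findings, one per questionable line; a realm stanza using only known relations returns none.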