Dynamic kerberos auth against 2 realms?
Freddy Lopez
flopez at interactivebusiness.com
Mon Feb 9 21:41:13 EST 2004
Hi,
I hope someone can answer this one quickly.
I am writing an auth module to dynamically authenticate someone into
either one of two realms at the university.
I verified that I can authenticate by setting the auth module to auth
against the 1st realm and then changed the code to auth against the 2nd
realm and each worked fine. I am running into this strange 'null (68)'
exception when trying to auth to both (one will fail because the user
doesn't exist, but the second one should succeed). Here is my debug
output based on this scenario. (Note: I am properly resetting the realm
and kdc properties in my java code)
>>> Start console output <<<<<<
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is true
[Krb5LoginModule] user entered username: uniconstudent at CSC.CC.IL.US
principal is uniconstudent at CSC.CC.IL.US
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
[Krb5LoginModule]: logged out Subject
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is true
[Krb5LoginModule] user entered username: uniconstudent at STUDENT.CSC.CC.IL.US
principal is uniconstudent at STUDENT.CSC.CC.IL.US
[Krb5LoginModule] authentication failed
null (68)
javax.security.auth.login.LoginException: null (68)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at org.jasig.portal.security.provider.FacultyOrStudentJAASSecurityContext.authenticate(FacultyOrStudentJAASSecurityContext.java:143)
    at org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:109)
    at org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:63)
    at org.jasig.portal.services.Authentication.authenticate(Authentication.java:103)
    at org.jasig.portal.AuthenticationServlet.doGet(AuthenticationServlet.java:150)
    at org.jasig.portal.AuthenticationServlet.doPost(AuthenticationServlet.java:125)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
    at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
    at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.valves.ErrorDispatcherValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
    at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
    at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
    at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:193)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:589)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:666)
    at java.lang.Thread.run(Thread.java:536)
Caused by: KrbException: null (68)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
    at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
    at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
    ... 48 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(DashoA6275:129)
    at sun.security.krb5.internal.at.a(DashoA6275:58)
    at sun.security.krb5.internal.at.<init>(DashoA6275:53)
    at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
    ... 51 more