Dynamic kerberos auth against 2 realms?
Jeffrey Altman
jaltman at columbia.edu
Tue Feb 10 01:39:52 EST 2004
Please repost your query to either kerberos at mit.edu or one of the Java security newsgroups.

The krbdev at mit.edu mailing list is for discussions related to the development of the MIT Kerberos 5 distribution, not for how to use Kerberos by developers.

Freddy Lopez wrote:
> Hi,
>
> I hope someone can answer this one quickly.
> I am writing an auth module to dynamically authenticate someone into
> either one of two realms at the university.
>
> I verified that I can authenticate by setting the auth module to auth
> against the 1st realm and then changed the code to auth against the
> 2nd realm and each worked fine. I am running into this strange 'null
> (68)' exception when trying to auth to both (one will fail because the
> user doesn't exist, but the second one should succeed). Here is my
> debug output based on this scenario. (Note: I am properly resetting
> the realm and kdc properties in my Java code.)
>
>
> >>> Start console output <<<<<<
>
> Debug is true storeKey false useTicketCache false useKeyTab false
> doNotPrompt false ticketCache is null KeyTab is null principal is null
> tryFirstPass is false useFirstPass is false storePass is false
> clearPass is true
> [Krb5LoginModule] user entered username:
> uniconstudent at CSC.CC.IL.US
>
> principal is uniconstudent at CSC.CC.IL.US
> [Krb5LoginModule] authentication failed
> Client not found in Kerberos database (6)
> [Krb5LoginModule]: logged out Subject
>
> Debug is true storeKey false useTicketCache false useKeyTab false
> doNotPrompt false ticketCache is null KeyTab is null principal is null
> tryFirstPass is false useFirstPass is false storePass is false
> clearPass is true
> [Krb5LoginModule] user entered username:
> uniconstudent at STUDENT.CSC.CC.IL.US
>
> principal is uniconstudent at STUDENT.CSC.CC.IL.US
> [Krb5LoginModule] authentication failed
> null (68)
> javax.security.auth.login.LoginException: null (68)
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:568)
>     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:458)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:324)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
>     at org.jasig.portal.security.provider.FacultyOrStudentJAASSecurityContext.authenticate(FacultyOrStudentJAASSecurityContext.java:143)
>     at org.jasig.portal.security.provider.ChainingSecurityContext.authenticate(ChainingSecurityContext.java:109)
>     at org.jasig.portal.security.provider.UnionSecurityContext.authenticate(UnionSecurityContext.java:63)
>     at org.jasig.portal.services.Authentication.authenticate(Authentication.java:103)
>     at org.jasig.portal.AuthenticationServlet.doGet(AuthenticationServlet.java:150)
>     at org.jasig.portal.AuthenticationServlet.doPost(AuthenticationServlet.java:125)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>     at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>     at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardContext.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.valves.ErrorDispatcherValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>     at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(Unknown Source)
>     at org.apache.catalina.core.StandardPipeline.invoke(Unknown Source)
>     at org.apache.catalina.core.ContainerBase.invoke(Unknown Source)
>     at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:193)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:781)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:549)
>     at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:589)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:666)
>     at java.lang.Thread.run(Thread.java:536)
> Caused by: KrbException: null (68)
>     at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
>     at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
>     at sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:559)
>     ... 48 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.af.a(DashoA6275:129)
>     at sun.security.krb5.internal.at.a(DashoA6275:58)
>     at sun.security.krb5.internal.at.<init>(DashoA6275:53)
>     at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
>     ... 51 more