Error calling function protocol status: 1312

Douglas E. Engert deengert at
Wed Oct 14 12:01:12 EDT 2009

Santiago Rivas wrote:
> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
> is something I must be missing, cause I cannot get it working with cached
> tickets. In fact, I must provide username and password in the config file
> (or via command line).
> I can obtain TGT tickets with both Leash32 and Network Identity Manager
> tools, but I cannot see where they are stored, if cached (just the same as
> /tmp/krb5cc_1000 file in Linux...) ¿?

On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
to the command line, and the JXplorer gssapi.conf has: { required client=TRUE

On Windows it does not have the ticketCache= line,
but I think it could try it.

If Leash32 or Network Identity Manager is storing them in a file,
say \tmp\krb5cc_username
you could try ticketCache=\tmp\krb5cc_username

> So may be the question should be: How do I configure the ticket cache in
> Windows? Is it mandatory to be configured through LSA?
> Thank you very much, Max!
> Regards,
> Santi
> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at>
>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>> believes there's a ccache at the beginning, but finally it cannot get one.
>> For example, you login as a AD account but then purge the TGT using klist or
>> kerbtray. Then, you will see this error.
>> Without the ccache, Java will try the Kerberos login itself, you'll need to
>> provide username and password in your program.
>> -- Max
>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>  Hi again,
>>> After some tough work, it seems I've got my test environment configured
>>> and
>>> working with DHCP server, DNS server, ldap and Domain Controller, running
>>> on
>>> a GNU Linux Debian platform. I've also configured KDC + AS services on
>>> that
>>> machine, and I'm glad to see that I'm able to create a secure context
>>> between the server and other GNU Linux machine. I'm using GSS-API in Java
>>> 1.6, and everything works fine.
>>> The problem comes when I run the same Java code on a Windows XP SP3
>>> platform
>>> with jdk 1.5.0_21 version installed. Just before the context is created, I
>>> get the message:
>>> *Error calling function protocol status: 1312. A specified logon session
>>> does not exist. It may already have been terminated.*
>>> But the most curious thing is that execution continues and secure context
>>> is
>>> created indeed. I've also checked *krb5kdc.log* and verified that both TGT
>>> ans TGS tickets are generated and delivered correctly.
>>> I've searched the web and I've found many posible explanations, like:
>>> *"There is a problem with Windows API FormatMessage usage in a non English
>>> locale"* - forums.sun
>>> *"The identity associated with a
>>> **KerberosToken2*<
>>> * security token is being used for constrained delegation, but constrained
>>> delegation is not configured correctly."* - msdn
>>> *"There is a bug in Java 1.5"* - other source
>>> ... but none of them convinces me.
>>> So the cuestion is: Why is that message appearing? Should I worry about
>>> it?
>>> How can I solve it?
>>> Thanks in advance!
>>> Regards,
>>> Santi
>>> _______________________________________________
>>> krbdev mailing list             krbdev at
> _______________________________________________
> krbdev mailing list             krbdev at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list