Error calling function protocol status: 1312

Douglas E. Engert deengert at anl.gov
Wed Oct 14 12:01:12 EDT 2009



Santiago Rivas wrote:
> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
> is something I must be missing, cause I cannot get it working with cached
> tickets. In fact, I must provide username and password in the config file
> (or via command line).
> 
> I can obtain TGT tickets with both Leash32 and Network Identity Manager
> tools, but I cannot see where they are stored, if cached (just the same as
> /tmp/krb5cc_1000 file in Linux...) ¿?

On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
to the command line, and the JXplorer gssapi.conf has:

com.ca.commons.jndi.JNDIOps {
   com.sun.security.auth.module.Krb5LoginModule required client=TRUE
         ticketCache="${user.krb5ccname}"
         doNotPrompt=TRUE
         useTicketCache=TRUE;
};

On Windows it does not have the ticketCache= line,
but I think it could try it.

If Leash32 or Network Identity Manager is storing them in a file,
say \tmp\krb5cc_username
you could try ticketCache=\tmp\krb5cc_username


> 
> So maybe the question should be: How do I configure the ticket cache in
> Windows? Is it mandatory to be configured through LSA?
> 
> Thank you very much, Max!
> 
> Regards,
> Santi
> 
> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
> 
>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>> believes there's a ccache at the beginning, but finally it cannot get one.
>> For example, you log in as an AD account but then purge the TGT using klist or
>> kerbtray. Then, you will see this error.
>>
>> Without the ccache, Java will try the Kerberos login itself, you'll need to
>> provide username and password in your program.
>>
>> -- Max
>>
>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>
>>> Hi again,
>>> After some tough work, it seems I've got my test environment configured and
>>> working with DHCP server, DNS server, ldap and Domain Controller, running on
>>> a GNU Linux Debian platform. I've also configured KDC + AS services on that
>>> machine, and I'm glad to see that I'm able to create a secure context
>>> between the server and other GNU Linux machine. I'm using GSS-API in Java
>>> 1.6, and everything works fine.
>>>
>>> The problem comes when I run the same Java code on a Windows XP SP3 platform
>>> with jdk 1.5.0_21 version installed. Just before the context is created, I
>>> get the message:
>>>
>>> *Error calling function protocol status: 1312. A specified logon session
>>> does not exist. It may already have been terminated.*
>>>
>>> But the most curious thing is that execution continues and secure context is
>>> created indeed. I've also checked *krb5kdc.log* and verified that both TGT
>>> and TGS tickets are generated and delivered correctly.
>>>
>>> I've searched the web and I've found many possible explanations, like:
>>>
>>> *"There is a problem with Windows API FormatMessage usage in a non English
>>> locale"* - forums.sun
>>> *"The identity associated with a KerberosToken2
>>> <http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx>
>>> security token is being used for constrained delegation, but constrained
>>> delegation is not configured correctly."* - msdn
>>> *"There is a bug in Java 1.5"* - other source
>>>
>>> ... but none of them convinces me.
>>> So the question is: Why is that message appearing? Should I worry about it?
>>> How can I solve it?
>>>
>>> Thanks in advance!
>>>
>>> Regards,
>>> Santi
>>> _______________________________________________
>>> krbdev mailing list             krbdev at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


