Error calling function protocol status: 1312

Santiago Rivas sanribu at gmail.com
Wed Oct 14 12:46:56 EDT 2009


So, if I didn't misunderstand your words, I basically have at least 2
alternatives to achieve ticket collection from cache under Windows XP
environment:

1) Configure Network Identity Manager to store credentials into a file, in
order to read them from Java.

2) Set up the configuration so that logon session is authenticated with
Kerberos, and then retrieve the TGT ticket from LSA querying via JAAS.

Personally, I'm more interested in the second option, since the main target
is to achieve single sign-on with Kerberos. Anyway, I would appreciate to
read some documentation on both tasks. Could you please tell me where I can
find it?

Thanks a lot, guys!

Regards,
Santi


2009/10/14 Douglas E. Engert <deengert at anl.gov>

>
>
> Santiago Rivas wrote:
>
>> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
>> is something I must be missing, cause I cannot get it working with cached
>> tickets. In fact, I must provide username and password in the config file
>> (or via command line).
>>
>> I can obtain TGT tickets with both Leash32 and Network Identity Manager
>> tools, but I cannot see where they are stored, if cached (just the same as
>> /tmp/krb5cc_1000 file in Linux...) ¿?
>>
>
> On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
> to the command line, and the JXplorer gssapi.conf has:
>
> com.ca.commons.jndi.JNDIOps {
>  com.sun.security.auth.module.Krb5LoginModule required client=TRUE
>        ticketCache="${user.krb5ccname}"
>        doNotPrompt=TRUE
>        useTicketCache=TRUE;
> };
>
> On Windows it does not have the ticketCache= line,
> but I think it could try it.
>
> If Leash32 or Network Identity Manager is storing them in a file,
> say \tmp\krb5cc_username
> you could try ticketCache=\tmp\krb5cc_username
>
>
>
>
>> So maybe the question should be: How do I configure the ticket cache in
>> Windows? Is it mandatory to be configured through LSA?
>>
>> Thank you very much, Max!
>>
>> Regards,
>> Santi
>>
>> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>
>>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>>> believes there's a ccache at the beginning, but finally it cannot get one.
>>> For example, you log in as an AD account but then purge the TGT using klist
>>> or kerbtray. Then, you will see this error.
>>>
>>> Without the ccache, Java will try the Kerberos login itself, you'll need to
>>> provide username and password in your program.
>>>
>>> -- Max
>>>
>>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>>
>>>  Hi again,
>>>
>>>> After some tough work, it seems I've got my test environment configured and
>>>> working with DHCP server, DNS server, ldap and Domain Controller, running on
>>>> a GNU Linux Debian platform. I've also configured KDC + AS services on that
>>>> machine, and I'm glad to see that I'm able to create a secure context
>>>> between the server and other GNU Linux machine. I'm using GSS-API in Java
>>>> 1.6, and everything works fine.
>>>>
>>>> The problem comes when I run the same Java code on a Windows XP SP3 platform
>>>> with jdk 1.5.0_21 version installed. Just before the context is created, I
>>>> get the message:
>>>>
>>>> *Error calling function protocol status: 1312. A specified logon session
>>>> does not exist. It may already have been terminated.*
>>>>
>>>> But the most curious thing is that execution continues and secure context is
>>>> created indeed. I've also checked *krb5kdc.log* and verified that both TGT
>>>> and TGS tickets are generated and delivered correctly.
>>>>
>>>> I've searched the web and I've found many possible explanations, like:
>>>>
>>>> *"There is a problem with Windows API FormatMessage usage in a non English
>>>> locale"* - forums.sun
>>>> *"The identity associated with a KerberosToken2
>>>> <http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx>
>>>> security token is being used for constrained delegation, but constrained
>>>> delegation is not configured correctly."* - msdn
>>>> *"There is a bug in Java 1.5"* - other source
>>>>
>>>> ... but none of them convinces me.
>>>> So the question is: Why is that message appearing? Should I worry about it?
>>>> How can I solve it?
>>>>
>>>> Thanks in advance!
>>>>
>>>> Regards,
>>>> Santi
>>>> _______________________________________________
>>>> krbdev mailing list             krbdev at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>
>>>>
>>
>>
>>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>


