Error calling function protocol status: 1312

Douglas E. Engert deengert at anl.gov
Wed Oct 14 14:33:27 EDT 2009 


Santiago Rivas wrote:
> So, if I didn't misunderstood your words, I basically have at least 2
> alternatives to achieve ticket collection from cache under Windows XP
> environment:
> 
> 1) Configure Network Identity Manager to store credentials into a file, in
> order to read them from Java.

One of the other responder to your first e-mail, Jeff Altman, is the
developer of Network Identity Manager, and said:
  " Network Identity Manager can be configured to store the user's
    credentials in a FILE:<drive>:<path> cache which can then be
    accessed via Java."

    Start by looking under Options->Kerberos v5->Credential Cache

> 
> 2) Set up the configuration so that logon session is authenticated with
> Kerberos, and then retrieve the TGT ticket from LSA querying via JAAS.
> 

Also see this:
http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html

It talks about using the LSA, or the ticketCache=file options and
the use of the "TGT accessibility" registry setting for allowtgtsessionkey.
Network Identity Manager also uses this registry setting.

(This registry setting may be you main issue!)

> Personally, I'm more interested on the second option, since the main target
> is to achieve single sign-on with kerberos. Anyway, I would appreciate to
> read some documentation on both tasks. Could you please tell me where I can
> find it?

A third option is to use the Microsoft runas /netonly /user:user at realm program
This will run the program with a new LSA. Program could be cmd.exe or even
explorer.exe


> 
> Thanks a lot, guys!
> 
> Regards,
> Santi
> 
> 
> 2009/10/14 Douglas E. Engert <deengert at anl.gov>
> 
>>
>> Santiago Rivas wrote:
>>
>>> Well, I do specify "useTicketCache=true" in the JAAS config file, but
>>> there
>>> is something I must be missing, cause I cannot get it working with cached
>>> tickets. In fact, I must provide username and password in the config file
>>> (or via command line).
>>>
>>> I can obtain TGT tickets with both Leash32 and Network Identity Manager
>>> tools, but I cannot see where they are stored, if cached (just the same as
>>> /tmp/krb5cc_1000 file in Linux...) ¿?
>>>
>> On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
>> to the command line, and the JXplorer gssapi.conf has:
>>
>> com.ca.commons.jndi.JNDIOps {
>>  com.sun.security.auth.module.Krb5LoginModule required client=TRUE
>>        ticketCache="${user.krb5ccname}"
>>        doNotPrompt=TRUE
>>        useTicketCache=TRUE;
>> };
>>
>> On Windows it does not have the ticketCache= line,
>> but I think it could try it.
>>
>> If Leash32 or Network Identity Manager is storing them in a file,
>> say \tmp\krb5cc_username
>> you could try ticketCache=\tmp\krb5cc_username
>>
>>
>>
>>
>>> So may be the question should be: How do I configure the ticket cache in
>>> Windows? Is it mandatory to be configured through LSA?
>>>
>>> Thank you very much, Max!
>>>
>>> Regards,
>>> Santi
>>>
>>> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>>
>>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>>>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>>>> believes there's a ccache at the beginning, but finally it cannot get
>>>> one.
>>>> For example, you login as a AD account but then purge the TGT using klist
>>>> or
>>>> kerbtray. Then, you will see this error.
>>>>
>>>> Without the ccache, Java will try the Kerberos login itself, you'll need
>>>> to
>>>> provide username and password in your program.
>>>>
>>>> -- Max
>>>>
>>>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>>>
>>>>  Hi again,
>>>>
>>>>> After some tough work, it seems I've got my test environment configured
>>>>> and
>>>>> working with DHCP server, DNS server, ldap and Domain Controller,
>>>>> running
>>>>> on
>>>>> a GNU Linux Debian platform. I've also configured KDC + AS services on
>>>>> that
>>>>> machine, and I'm glad to see that I'm able to create a secure context
>>>>> between the server and other GNU Linux machine. I'm using GSS-API in
>>>>> Java
>>>>> 1.6, and everything works fine.
>>>>>
>>>>> The problem comes when I run the same Java code on a Windows XP SP3
>>>>> platform
>>>>> with jdk 1.5.0_21 version installed. Just before the context is created,
>>>>> I
>>>>> get the message:
>>>>>
>>>>> *Error calling function protocol status: 1312. A specified logon session
>>>>> does not exist. It may already have been terminated.*
>>>>>
>>>>> But the most curious thing is that execution continues and secure
>>>>> context
>>>>> is
>>>>> created indeed. I've also checked *krb5kdc.log* and verified that both
>>>>> TGT
>>>>> ans TGS tickets are generated and delivered correctly.
>>>>>
>>>>> I've searched the web and I've found many posible explanations, like:
>>>>>
>>>>> *"There is a problem with Windows API FormatMessage usage in a non
>>>>> English
>>>>> locale"* - forums.sun
>>>>> *"The identity associated with a
>>>>> **KerberosToken2*<
>>>>>
>>>>> http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx
>>>>> * security token is being used for constrained delegation, but
>>>>> constrained
>>>>> delegation is not configured correctly."* - msdn
>>>>> *"There is a bug in Java 1.5"* - other source
>>>>>
>>>>> ... but none of them convinces me.
>>>>> So the cuestion is: Why is that message appearing? Should I worry about
>>>>> it?
>>>>> How can I solve it?
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> Regards,
>>>>> Santi
>>>>> _______________________________________________
>>>>> krbdev mailing list             krbdev at mit.edu
>>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>>
>>>>>
>>>> _______________________________________________
>>> krbdev mailing list             krbdev at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list