Error calling function protocol status: 1312

Douglas E. Engert deengert at anl.gov
Wed Oct 14 14:54:48 EDT 2009


P.S. The other responder to your note, Weijun Wang, is the
author of the Sun web page I listed below. Small world!

Douglas E. Engert wrote:
> 
> Santiago Rivas wrote:
>> So, if I didn't misunderstand your words, I basically have at least 2
>> alternatives to achieve ticket collection from cache under a Windows XP
>> environment:
>>
>> 1) Configure Network Identity Manager to store credentials into a file, in
>> order to read them from Java.
> 
> One of the other responders to your first e-mail, Jeff Altman, is the
> developer of Network Identity Manager, and said:
>   " Network Identity Manager can be configured to store the user's
>     credentials in a FILE:<drive>:<path> cache which can then be
>     accessed via Java."
> 
>     Start by looking under Options->Kerberos v5->Credential Cache
> 
>> 2) Set up the configuration so that logon session is authenticated with
>> Kerberos, and then retrieve the TGT ticket from LSA querying via JAAS.
>>
> 
> Also see this:
> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
> 
> It talks about using the LSA, or the ticketCache=file options and
> the use of the "TGT accessibility" registry setting for allowtgtsessionkey.
> Network Identity Manager also uses this registry setting.
> 
> (This registry setting may be your main issue!)
> 
>> Personally, I'm more interested on the second option, since the main target
>> is to achieve single sign-on with kerberos. Anyway, I would appreciate to
>> read some documentation on both tasks. Could you please tell me where I can
>> find it?
> 
> A third option is to use the Microsoft runas /netonly /user:user@realm program
> This will run the program with a new LSA. Program could be cmd.exe or even
> explorer.exe
> 
> 
>> Thanks a lot, guys!
>>
>> Regards,
>> Santi
>>
>>
>> 2009/10/14 Douglas E. Engert <deengert at anl.gov>
>>
>>> Santiago Rivas wrote:
>>>
>>>> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
>>>> is something I must be missing, because I cannot get it working with cached
>>>> tickets. In fact, I must provide username and password in the config file
>>>> (or via command line).
>>>>
>>>> I can obtain TGT tickets with both Leash32 and Network Identity Manager
>>>> tools, but I cannot see where they are stored, if cached (just the same as
>>>> the /tmp/krb5cc_1000 file in Linux...) ¿?
>>>>
>>> On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
>>> to the command line, and the JXplorer gssapi.conf has:
>>>
>>> com.ca.commons.jndi.JNDIOps {
>>>  com.sun.security.auth.module.Krb5LoginModule required client=TRUE
>>>        ticketCache="${user.krb5ccname}"
>>>        doNotPrompt=TRUE
>>>        useTicketCache=TRUE;
>>> };
>>>
>>> On Windows it does not have the ticketCache= line,
>>> but I think it could try it.
>>>
>>> If Leash32 or Network Identity Manager is storing them in a file,
>>> say \tmp\krb5cc_username
>>> you could try ticketCache=\tmp\krb5cc_username
>>>
>>>
>>>
>>>
>>>> So may be the question should be: How do I configure the ticket cache in
>>>> Windows? Is it mandatory to be configured through LSA?
>>>>
>>>> Thank you very much, Max!
>>>>
>>>> Regards,
>>>> Santi
>>>>
>>>> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>>>
>>>>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>>>>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>>>>> believes there's a ccache at the beginning, but finally it cannot get one.
>>>>> For example, you login as an AD account but then purge the TGT using klist
>>>>> or kerbtray. Then, you will see this error.
>>>>>
>>>>> Without the ccache, Java will try the Kerberos login itself; you'll need to
>>>>> provide username and password in your program.
>>>>>
>>>>> -- Max
>>>>>
>>>>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>>>>
>>>>>> Hi again,
>>>>>>
>>>>>> After some tough work, it seems I've got my test environment configured and
>>>>>> working with DHCP server, DNS server, ldap and Domain Controller, running on
>>>>>> a GNU Linux Debian platform. I've also configured KDC + AS services on that
>>>>>> machine, and I'm glad to see that I'm able to create a secure context
>>>>>> between the server and another GNU Linux machine. I'm using GSS-API in Java
>>>>>> 1.6, and everything works fine.
>>>>>>
>>>>>> The problem comes when I run the same Java code on a Windows XP SP3 platform
>>>>>> with jdk 1.5.0_21 version installed. Just before the context is created, I
>>>>>> get the message:
>>>>>>
>>>>>> *Error calling function protocol status: 1312. A specified logon session
>>>>>> does not exist. It may already have been terminated.*
>>>>>>
>>>>>> But the most curious thing is that execution continues and the secure
>>>>>> context is created indeed. I've also checked *krb5kdc.log* and verified
>>>>>> that both TGT and TGS tickets are generated and delivered correctly.
>>>>>>
>>>>>> I've searched the web and I've found many possible explanations, like:
>>>>>>
>>>>>> *"There is a problem with Windows API FormatMessage usage in a non-English
>>>>>> locale"* - forums.sun
>>>>>> *"The identity associated with a KerberosToken2
>>>>>> <http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx>
>>>>>> security token is being used for constrained delegation, but constrained
>>>>>> delegation is not configured correctly."* - msdn
>>>>>> *"There is a bug in Java 1.5"* - other source
>>>>>>
>>>>>> ... but none of them convinces me.
>>>>>> So the question is: Why is that message appearing? Should I worry about
>>>>>> it? How can I solve it?
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> Regards,
>>>>>> Santi
>>>>>> _______________________________________________
>>>>>> krbdev mailing list             krbdev at mit.edu
>>>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>>>
>>>>>>
>>>>
>>>>
>>>>
>>> --
>>>
>>>  Douglas E. Engert  <DEEngert at anl.gov>
>>>  Argonne National Laboratory
>>>  9700 South Cass Avenue
>>>  Argonne, Illinois  60439
>>>  (630) 252-5444
>>>
>>
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
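A worked example of the "collect the TGT from the cache" step the replies above discuss, added here and not taken from the thread or from Sun's JGSS page: a JAAS login through Krb5LoginModule with useTicketCache=true and doNotPrompt=true, with the configuration built in code so no .conf file is needed. It either reports the principal and tickets it found, or fails with the "no usable ccache" condition Max describes instead of silently falling back to a password login. The class name CcacheProbe is an assumption; the user.krb5ccname property reuses the name from the JXplorer command line quoted above.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (class name is an assumption): log in from an existing
 * Kerberos credential cache only, never from a password, and show what
 * Krb5LoginModule actually picked up.
 */
public class CcacheProbe {

    /**
     * Equivalent of a JAAS .conf entry, built in code so the options are
     * visible in one place. ticketCache == null means "use the default":
     * the LSA on Windows, the default ccache (KRB5CCNAME) on Unix.
     */
    static Configuration ccacheOnly(final String ticketCache) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // read an existing TGT
                opts.put("doNotPrompt", "true");    // fail rather than ask for a password
                opts.put("debug", "true");          // module prints which cache it tried
                if (ticketCache != null) {
                    // e.g. a FILE: cache written by Network Identity Manager
                    opts.put("ticketCache", ticketCache);
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        opts)
                };
            }
        };
    }

    /** Returns the authenticated Subject, or null if no usable cache was found. */
    static Subject loginFromCache(String ticketCache) {
        try {
            LoginContext lc = new LoginContext("CcacheProbe", null, null,
                                               ccacheOnly(ticketCache));
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            // With doNotPrompt=true this is the case Max describes: the module
            // expected a ccache but could not use it (TGT purged with klist or
            // kerbtray, or, on Windows, the LSA would not release the TGT with
            // its session key because AllowTgtSessionKey is not set).
            System.err.println("no usable credential cache: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // -Duser.krb5ccname=<path> selects a file cache; omit it to go through the LSA.
        Subject s = loginFromCache(System.getProperty("user.krb5ccname"));
        if (s == null) {
            System.exit(1);
        }
        for (KerberosPrincipal p : s.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal: " + p.getName());
        }
        for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
            // A healthy cache shows a krbtgt/REALM@REALM ticket that is not yet expired.
            System.out.println("ticket: " + t.getServer().getName()
                + " expires " + t.getEndTime()
                + " session key type " + t.getSessionKeyType());
        }
    }
}
```

Run it as `java -Duser.krb5ccname=C:\tmp\krb5cc_santi CcacheProbe` (the path is an assumed example) to read a FILE: cache written by Network Identity Manager, or without the property to read the logon session's TGT from the LSA. For the LSA path on Windows XP/2003 the DWORD value AllowTgtSessionKey must be 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters; that is the "TGT accessibility" setting the Sun page refers to, and without it the login fails here rather than prompting, which is the behaviour you want when diagnosing single sign-on.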


