Error calling function protocol status: 1312

Santiago Rivas sanribu at gmail.com
Fri Oct 16 02:33:34 EDT 2009


Ok, here is what I've done:

I changed the JAAS config file, setting "useTicketCache=<somePath>". That
was enough to make the 1312 status error disappear. But I'm still not able
to configure the ticket caching properly.

I forgot to mention that I had already tried to set some file path under
NIM: Options->Kerberos v5->Credential Cache ... with no results.

I typed the path "C:\Documents and Settings\user\krb5cc_1000" into the text
box and clicked the "Add" button, but it said something like "the
credentials cache file was not found". If I only set the path to some folder
(with no file name) there is no error message, but when I generate new
tickets no file is created. I've reset the machine and verified that the
user has privileges to access the path I'm typing, so I don't know where
I'm going wrong... ¿?

Thanks, Douglas, for introducing Jeff Altman and Weijun Wang to me.

Regards,
Santi


2009/10/14 Douglas E. Engert <deengert at anl.gov>

> P.S. The other responder to your note, Weijun Wang, is the
> author of the Sun web page I listed below. Small world!
>
>
> Douglas E. Engert wrote:
>
>>
>> Santiago Rivas wrote:
>>
>>> So, if I didn't misunderstood your words, I basically have at least 2
>>> alternatives to achieve ticket collection from cache under Windows XP
>>> environment:
>>>
>>> 1) Configure Network Identity Manager to store credentials into a file,
>>> in
>>> order to read them from Java.
>>>
>>
>> One of the other responders to your first e-mail, Jeff Altman, is the
>> developer of Network Identity Manager, and said:
>>  " Network Identity Manager can be configured to store the user's
>>    credentials in a FILE:<drive>:<path> cache which can then be
>>    accessed via Java."
>>
>>    Start by looking under Options->Kerberos v5->Credential Cache
>>
>>> 2) Set up the configuration so that logon session is authenticated with
>>> Kerberos, and then retrieve the TGT ticket from LSA querying via JAAS.
>>>
>>>
>> Also see this:
>>
>> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>>
>> It talks about using the LSA, or the ticketCache=file options and
>> the use of the "TGT accessibility" registry setting for
>> allowtgtsessionkey.
>> Network Identity Manager also uses this registry setting.
>>
>> (This registry setting may be your main issue!)
>>
>>> Personally, I'm more interested in the second option, since the main
>>> target is to achieve single sign-on with kerberos. Anyway, I would
>>> appreciate reading some documentation on both tasks. Could you please
>>> tell me where I can find it?
>>>
>>
>> A third option is to use the Microsoft runas /netonly /user:user@realm program
>> This will run the program with a new LSA. Program could be cmd.exe or even
>> explorer.exe
>>
>>
>>> Thanks a lot, guys!
>>>
>>> Regards,
>>> Santi
>>>
>>>
>>> 2009/10/14 Douglas E. Engert <deengert at anl.gov>
>>>
>>>> Santiago Rivas wrote:
>>>>
>>>>> Well, I do specify "useTicketCache=true" in the JAAS config file, but
>>>>> there is something I must be missing, because I cannot get it working
>>>>> with cached tickets. In fact, I must provide username and password in
>>>>> the config file (or via command line).
>>>>>
>>>>> I can obtain TGT tickets with both Leash32 and Network Identity Manager
>>>>> tools, but I cannot see where they are stored, if cached (just the same
>>>>> as the /tmp/krb5cc_1000 file in Linux...) ¿?
>>>>>
>>>> On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
>>>> to the command line, and the JXplorer gssapi.conf has:
>>>>
>>>> com.ca.commons.jndi.JNDIOps {
>>>>  com.sun.security.auth.module.Krb5LoginModule required client=TRUE
>>>>       ticketCache="${user.krb5ccname}"
>>>>       doNotPrompt=TRUE
>>>>       useTicketCache=TRUE;
>>>> };
>>>>
>>>> On Windows it does not have the ticketCache= line,
>>>> but I think it could try it.
>>>>
>>>> If Leash32 or Network Identity Manager is storing them in a file,
>>>> say \tmp\krb5cc_username
>>>> you could try ticketCache=\tmp\krb5cc_username
>>>>
>>>>
>>>>
>>>>
>>>>> So maybe the question should be: How do I configure the ticket cache in
>>>>> Windows? Is it mandatory to be configured through LSA?
>>>>>
>>>>> Thank you very much, Max!
>>>>>
>>>>> Regards,
>>>>> Santi
>>>>>
>>>>> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>>>>
>>>>>> Java tries to get the credentials cache (ccache) from Windows LSA if
>>>>>> you specify useTicketCache=true in the JAAS config file. In some cases,
>>>>>> Java believes there's a ccache at the beginning, but finally it cannot
>>>>>> get one. For example, you login as an AD account but then purge the TGT
>>>>>> using klist or kerbtray. Then, you will see this error.
>>>>>>
>>>>>> Without the ccache, Java will try the Kerberos login itself; you'll
>>>>>> need to provide username and password in your program.
>>>>>>
>>>>>> -- Max
>>>>>>
>>>>>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>>>>>
>>>>>>> Hi again,
>>>>>>>
>>>>>>> After some tough work, it seems I've got my test environment
>>>>>>> configured and working with DHCP server, DNS server, ldap and Domain
>>>>>>> Controller, running on a GNU Linux Debian platform. I've also
>>>>>>> configured KDC + AS services on that machine, and I'm glad to see that
>>>>>>> I'm able to create a secure context between the server and another GNU
>>>>>>> Linux machine. I'm using GSS-API in Java 1.6, and everything works fine.
>>>>>>>
>>>>>>> The problem comes when I run the same Java code on a Windows XP SP3
>>>>>>> platform with jdk 1.5.0_21 version installed. Just before the context
>>>>>>> is created, I get the message:
>>>>>>>
>>>>>>> *Error calling function protocol status: 1312. A specified logon
>>>>>>> session does not exist. It may already have been terminated.*
>>>>>>>
>>>>>>> But the most curious thing is that execution continues and the secure
>>>>>>> context is created indeed. I've also checked *krb5kdc.log* and verified
>>>>>>> that both TGT and TGS tickets are generated and delivered correctly.
>>>>>>>
>>>>>>> I've searched the web and I've found many possible explanations, like:
>>>>>>>
>>>>>>> *"There is a problem with Windows API FormatMessage usage in a non
>>>>>>> English locale"* - forums.sun
>>>>>>> *"The identity associated with a KerberosToken2 security token is
>>>>>>> being used for constrained delegation, but constrained delegation is
>>>>>>> not configured correctly."* - msdn
>>>>>>> (http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx)
>>>>>>> *"There is a bug in Java 1.5"* - other source
>>>>>>>
>>>>>>> ... but none of them convinces me.
>>>>>>> So the question is: Why is that message appearing? Should I worry
>>>>>>> about it? How can I solve it?
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>>
>>>>>>> Regards,
>>>>>>> Santi
>>>>>>> _______________________________________________
>>>>>>> krbdev mailing list             krbdev at mit.edu
>>>>>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>
>>>>  Douglas E. Engert  <DEEngert at anl.gov>
>>>>  Argonne National Laboratory
>>>>  9700 South Cass Avenue
>>>>  Argonne, Illinois  60439
>>>>  (630) 252-5444
>>>>
>>>
>>>
>>>
>>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
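An added example (not code from anyone in this thread) of the JAAS setup the replies describe: Krb5LoginModule told to read an existing TGT from a FILE: credential cache on Windows with doNotPrompt, so a missing or purged cache fails cleanly instead of asking for a password. The cache path is an assumption; the application name "CcacheLogin" is also made up here.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

public class CcacheLogin {
    // Same options as the gssapi.conf quoted in the thread, built in code so
    // no separate JAAS config file is needed.
    static Configuration krb5Config(final String ccachePath) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");  // reuse an existing TGT, don't log in
                opts.put("ticketCache", ccachePath); // the FILE: cache NIM was told to write
                opts.put("doNotPrompt", "true");     // fail rather than ask for a password
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) {
        // Assumed default path; override with -Duser.krb5ccname=... as the
        // thread does on Unix.
        String ccache = System.getProperty("user.krb5ccname",
                "C:\\Documents and Settings\\user\\krb5cc_1000");
        try {
            LoginContext lc = new LoginContext("CcacheLogin", null, null, krb5Config(ccache));
            lc.login();
            Subject s = lc.getSubject();
            // Show what was actually picked up from the cache (client, service, expiry).
            for (KerberosTicket t : s.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println(t.getClient() + " -> " + t.getServer()
                        + " expires " + t.getEndTime());
            }
        } catch (LoginException e) {
            // Typical causes: cache file absent or empty, TGT purged with
            // klist/kerbtray, or NIM still storing tickets in the LSA only.
            System.err.println("No usable TGT in " + ccache + ": " + e.getMessage());
        }
    }
}
```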


