Error calling function protocol status: 1312
Douglas E. Engert
deengert at anl.gov
Fri Oct 16 12:44:45 EDT 2009
Santiago Rivas wrote:
> Ok, here is what I've done:
>
> I changed the JAAS config file, setting "useTicketCache=<somePath>".
> That was enough to make the 1312 status error disappear. But I'm still
> not able to configure the ticket caching properly.
>
> I forgot to mention that I had already tried to set some file path under
> NIM: Options->Kerberos v5->Credential Cache ... with no results.
>
> I typed the path "C:\Documents and Settings\user\krb5cc_1000" into the
> text box and clicked the "Add" button, but it said something like "the
> credentials cache file was not found". If I only set the path to some
> folder (with no file name) there is no error message, but when I
> generate new tickets no file is created. I've reset the machine and
> verified that the user has privileges to access the path I'm typing, so
> I don't know where I'm making the mistake... ¿?
Did you make the registry setting change as suggested by both NIM and Java?
I don't think Java actually writes tickets to the cache. It just reads a TGT
from the cache, then keeps tickets in memory. (I could be wrong)
The Java kinit.exe will write the TGT but I have never needed to use it.
Windows and NIM/KfW also have kinit.exe files, so be careful which one you are using.
>
> Thanks, Douglas, for introducing Jeff Altman and Weijun Wang to me.
>
> Regards,
> Santi
>
>
> 2009/10/14 Douglas E. Engert <deengert at anl.gov>
>
> P.S. The other responder to your note, Weijun Wang, is the
> author of the Sun web page I listed below. Small world!
>
>
> Douglas E. Engert wrote:
>
>
> Santiago Rivas wrote:
>
> So, if I didn't misunderstand your words, I basically have at least 2
> alternatives to achieve ticket collection from cache under a Windows XP
> environment:
>
> 1) Configure Network Identity Manager to store credentials into a file,
> in order to read them from Java.
>
>
> One of the other responders to your first e-mail, Jeff Altman, is the
> developer of Network Identity Manager, and said:
> " Network Identity Manager can be configured to store the user's
> credentials in a FILE:<drive>:<path> cache which can then be
> accessed via Java."
>
> Start by looking under Options->Kerberos v5->Credential Cache
>
> 2) Set up the configuration so that the logon session is authenticated
> with Kerberos, and then retrieve the TGT ticket from the LSA, querying
> via JAAS.
>
>
> Also see this:
> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>
> It talks about using the LSA, or the ticketCache=file options, and
> the use of the "TGT accessibility" registry setting for
> allowtgtsessionkey.
> Network Identity Manager also uses this registry setting.
>
> (This registry setting may be your main issue!)
>
> Personally, I'm more interested in the second option, since the main
> target is to achieve single sign-on with Kerberos. Anyway, I would
> appreciate reading some documentation on both tasks. Could you please
> tell me where I can find it?
>
>
> A third option is to use the Microsoft runas /netonly /user:user at realm
> program. This will run the program with a new LSA. The program could be
> cmd.exe or even explorer.exe.
>
>
> Thanks a lot, guys!
>
> Regards,
> Santi
>
>
> 2009/10/14 Douglas E. Engert <deengert at anl.gov>
>
> Santiago Rivas wrote:
>
> Well, I do specify "useTicketCache=true" in the JAAS config file, but
> there is something I must be missing, because I cannot get it working
> with cached tickets. In fact, I must provide username and password in
> the config file (or via command line).
>
> I can obtain TGT tickets with both Leash32 and Network Identity Manager
> tools, but I cannot see where they are stored, if cached (just the same
> as the /tmp/krb5cc_1000 file in Linux...) ¿?
>
> On Unix, with JXplorer, I can add -Duser.krb5ccname=$KRB5CCNAME
> to the command line, and the JXplorer gssapi.conf has:
>
>   com.ca.commons.jndi.JNDIOps {
>     com.sun.security.auth.module.Krb5LoginModule required
>       client=TRUE
>       ticketCache="${user.krb5ccname}"
>       doNotPrompt=TRUE
>       useTicketCache=TRUE;
>   };
>
> On Windows it does not have the ticketCache= line, but I think you could
> try it.
>
> If Leash32 or Network Identity Manager is storing them in a file,
> say \tmp\krb5cc_username, you could try ticketCache=\tmp\krb5cc_username
>
> So maybe the question should be: How do I configure the ticket cache in
> Windows? Is it mandatory to configure it through the LSA?
>
> Thank you very much, Max!
>
> Regards,
> Santi
>
> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com>
>
> Java tries to get the credentials cache (ccache) from Windows LSA if you
> specify useTicketCache=true in the JAAS config file. In some cases, Java
> believes there's a ccache at the beginning, but finally it cannot get
> one. For example, you log in as an AD account but then purge the TGT
> using klist or kerbtray. Then, you will see this error.
>
> Without the ccache, Java will try the Kerberos login itself; you'll need
> to provide username and password in your program.
>
> -- Max
>
> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>
> Hi again,
>
> After some tough work, it seems I've got my test environment configured
> and working with DHCP server, DNS server, LDAP and Domain Controller,
> running on a GNU Linux Debian platform. I've also configured KDC + AS
> services on that machine, and I'm glad to see that I'm able to create a
> secure context between the server and another GNU Linux machine. I'm
> using GSS-API in Java 1.6, and everything works fine.
>
> The problem comes when I run the same Java code on a Windows XP SP3
> platform with JDK version 1.5.0_21 installed. Just before the context is
> created, I get the message:
>
> *Error calling function protocol status: 1312. A specified logon session
> does not exist. It may already have been terminated.*
>
> But the most curious thing is that execution continues and the secure
> context is created indeed. I've also checked *krb5kdc.log* and verified
> that both TGT and TGS tickets are generated and delivered correctly.
>
> I've searched the web and I've found many possible explanations, like:
>
> *"There is a problem with Windows API FormatMessage usage in a non
> English locale"* - forums.sun
> *"The identity associated with a KerberosToken2 security token is being
> used for constrained delegation, but constrained delegation is not
> configured correctly."* - msdn
> (http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx)
> *"There is a bug in Java 1.5"* - other source
>
> ... but none of them convinces me.
> So the question is: Why is that message appearing? Should I worry about
> it? How can I solve it?
>
> Thanks in advance!
>
> Regards,
> Santi
> _______________________________________________
> krbdev mailing list
> krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
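As an added example (not code from any of the posters), a small Java program that builds the cache-only JAAS entry discussed in this thread in code rather than in a .conf file, logs in with doNotPrompt=true so a missing or unusable cache fails instead of silently falling back to a password, and lists what Krb5LoginModule actually obtained. The class name, the configuration name "ccache-check" and the reuse of the thread's `user.krb5ccname` property are the example's own choices; the ticketCache path is whatever FILE cache NIM/KfW writes on your machine.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Logs in from an existing Kerberos ticket cache only, then reports what was found. */
public class CcacheCheck {

    /** The JAAS entry from the thread, built in code instead of a .conf file. */
    static Configuration cacheOnlyConfig(final String ccachePath) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true"); // reuse the TGT instead of a fresh AS exchange
                opts.put("doNotPrompt", "true");    // no silent fallback to a password prompt
                if (ccachePath != null) {           // FILE cache written by NIM/KfW;
                    opts.put("ticketCache", ccachePath); // when omitted, Java asks the LSA on Windows
                }
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
    }

    public static void main(String[] args) {
        // Cache path from argv, else the -Duser.krb5ccname property used in the thread
        String ccache = args.length > 0 ? args[0] : System.getProperty("user.krb5ccname");
        try {
            LoginContext lc = new LoginContext("ccache-check", null, null, cacheOnlyConfig(ccache));
            lc.login();
            Set<KerberosTicket> tickets = lc.getSubject().getPrivateCredentials(KerberosTicket.class);
            for (KerberosTicket t : tickets) {
                System.out.println(t.getClient() + " -> " + t.getServer() + " until " + t.getEndTime());
                System.out.println("  forwardable=" + t.isForwardable()
                        + " session-key-enctype=" + t.getSessionKeyType());
            }
        } catch (LoginException e) {
            // Usual causes: no cache at that path, an expired TGT, or on Windows a TGT handed
            // out by the LSA without its session key (the allowtgtsessionkey registry setting)
            System.err.println("Login from ticket cache failed: " + e.getMessage());
        }
    }
}
```

Run it as `java CcacheCheck C:\path\to\krb5cc_user` (or with `-Duser.krb5ccname=...`) after obtaining a TGT with NIM; run it with no argument to see whether Java can read the TGT from the LSA directly.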