Error calling function protocol status: 1312
Santiago Rivas
sanribu at gmail.com
Fri Oct 16 13:56:58 EDT 2009
For the moment, my purpose is to *generate a TGT (anyhow, using kinit or NIM)
and configure the cache so those credentials are stored in a file*,
where Java will read them from later.
*Step 1: Configure credentials cache*
Since you told me to "*update the Identity object to use a FILE: ccache*", I
went to
NIM: Options->Identities->santi at ZIGIA.ORG (which is my test principal)
On the "Kerberos v5" folder, I set the "Credential cache" option to
FILE:ccache. And now I can see that a file named ccache is created or deleted
every time I generate or destroy the TGT. So I think now I have the credentials
cache configured properly. Am I right?
*Step 2: Configure JAAS so that TGT is read from file (in order to obtain a
TGS)*
Here is my *jaas.conf* file for the client:
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=true
  ticketCache="c:\docume~1\santi\ccache";
}
But when I run the client I get the following exception:
java.lang.SecurityException: Configuration Error:
  Line 4: expected [option key], found [null]
  at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
  ...
I guess there is some information missing about the credentials, but I don't
know what. Any idea?
I never tire of saying thank you!
Regards,
Santi
2009/10/16 Douglas E. Engert <deengert at anl.gov>
>
>
> Santiago Rivas wrote:
>
>> Ok, here is what I've done:
>> I changed the JAAS config file, setting "useTicketCache=<somePath>". That
>> was enough to make the 1312 status error disappear. But I'm still not able
>> to configure the ticket caching properly.
>> I forgot to mention that I had already tried to set some file path under
>> NIM: Options->Kerberos v5->Credential Cache ... with no results.
>> I typed the path "C:\Documents and Settings\user\krb5cc_1000" into the
>> text box and clicked the "Add" button, but it said something like "the
>> credentials cache file was not found". If I only set the path to some folder
>> (with no file name) there is no error message, but when I generate new
>> tickets no file is created. I've reset the machine and verified that the
>> user has privileges to access the path I'm typing, so I don't know where
>> I'm going wrong... ¿?
>>
>
> Did you make the registry setting change as suggested by both NIM and Java?
>
> I don't think Java actually writes tickets to the cache. It just reads a
> TGT
> from the cache, then keeps tickets in memory. (I could be wrong)
> The Java kinit.exe will write the TGT but I have never needed to use it.
> Windows and NIM/KfW also have kinit.exe files so be careful which one you
> are using.
>
> Thanks, Douglas, for introducing Jeff Altman and Weijun Wang to me.
>> Regards,
>> Santi
>> 2009/10/14 Douglas E. Engert <deengert at anl.gov <mailto:deengert at anl.gov>>
>>
>>
>>
>> P.S. The other responder to your note, Weijun Wang, is the
>> author of the Sun web page I listed below. Small world!
>>
>>
>> Douglas E. Engert wrote:
>>
>>
>> Santiago Rivas wrote:
>>
>> So, if I didn't misunderstand your words, I basically have at least 2
>> alternatives to achieve ticket collection from cache under a Windows XP
>> environment:
>>
>> 1) Configure Network Identity Manager to store credentials into a file, in
>> order to read them from Java.
>>
>> One of the other responders to your first e-mail, Jeff Altman, is the
>> developer of Network Identity Manager, and said:
>> " Network Identity Manager can be configured to store the user's
>> credentials in a FILE:<drive>:<path> cache which can then be
>> accessed via Java."
>>
>> Start by looking under Options->Kerberos v5->Credential Cache
>>
>> 2) Set up the configuration so that the logon session is authenticated with
>> Kerberos, and then retrieve the TGT ticket from LSA querying via JAAS.
>>
>> Also see this:
>>
>> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>>
>> It talks about using the LSA, or the ticketCache=file options, and
>> the use of the "TGT accessibility" registry setting for
>> allowtgtsessionkey.
>> Network Identity Manager also uses this registry setting.
>>
>> (This registry setting may be your main issue!)
>>
>> Personally, I'm more interested in the second option, since the main target
>> is to achieve single sign-on with Kerberos. Anyway, I would appreciate
>> reading some documentation on both tasks. Could you please tell me where
>> I can find it?
>>
>> A third option is to use the Microsoft runas /netonly /user:user at realm program
>> This will run the program with a new LSA. Program could be cmd.exe or even
>> explorer.exe
>>
>> Thanks a lot, guys!
>>
>> Regards,
>> Santi
>>
>>
>> 2009/10/14 Douglas E. Engert <deengert at anl.gov
>> <mailto:deengert at anl.gov>>
>>
>>
>> Santiago Rivas wrote:
>>
>> Well, I do specify "useTicketCache=true" in the JAAS config file, but there
>> is something I must be missing, cause I cannot get it working with cached
>> tickets. In fact, I must provide username and password in the config file
>> (or via command line).
>>
>> I can obtain TGT tickets with both Leash32 and Network Identity Manager
>> tools, but I cannot see where they are stored, if cached (just the same as
>> the /tmp/krb5cc_1000 file in Linux...) ¿?
>>
>> On Unix, with JXplorer, I can add
>> -Duser.krb5ccname=$KRB5CCNAME
>> to the command line, and the JXplorer gssapi.conf has:
>>
>> com.ca.commons.jndi.JNDIOps {
>> com.sun.security.auth.module.Krb5LoginModule required
>> client=TRUE
>> ticketCache="${user.krb5ccname}"
>> doNotPrompt=TRUE
>> useTicketCache=TRUE;
>> };
>>
>> On Windows it does not have the ticketCache= line, but I think you could try it.
>>
>> If Leash32 or Network Identity Manager is storing them in a file,
>> say \tmp\krb5cc_username
>> you could try ticketCache=\tmp\krb5cc_username
>>
>> So maybe the question should be: How do I configure the ticket cache in
>> Windows? Is it mandatory to be configured through LSA?
>>
>> Thank you very much, Max!
>>
>> Regards,
>> Santi
>>
>> 2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com
>> <mailto:Weijun.Wang at sun.com>>
>>
>>
>> Java tries to get the credentials cache (ccache) from Windows LSA if you
>> specify useTicketCache=true in the JAAS config file. In some cases, Java
>> believes there's a ccache at the beginning, but finally it cannot get one.
>> For example, you log in as an AD account but then purge the TGT using klist
>> or kerbtray. Then, you will see this error.
>>
>> Without the ccache, Java will try the Kerberos login itself; you'll need
>> to provide username and password in your program.
>>
>> -- Max
>>
>> On Oct 14, 2009, at 6:55 PM, Santiago Rivas wrote:
>>
>> Hi again,
>>
>> After some tough work, it seems I've got my test environment configured
>> and working with DHCP server, DNS server, ldap and Domain Controller,
>> running on a GNU Linux Debian platform. I've also configured KDC + AS
>> services on that machine, and I'm glad to see that I'm able to create a
>> secure context between the server and another GNU Linux machine. I'm using
>> GSS-API in Java 1.6, and everything works fine.
>>
>> The problem comes when I run the same Java code on a Windows XP SP3
>> platform with jdk 1.5.0_21 version installed. Just before the context is
>> created, I get the message:
>>
>> *Error calling function protocol status: 1312. A specified logon session
>> does not exist. It may already have been terminated.*
>>
>> But the most curious thing is that execution continues and the secure
>> context is created indeed. I've also checked *krb5kdc.log* and verified
>> that both TGT and TGS tickets are generated and delivered correctly.
>>
>> I've searched the web and I've found many possible explanations, like:
>>
>> *"There is a problem with Windows API FormatMessage usage in a non
>> English locale"* - forums.sun
>> *"The identity associated with a KerberosToken2 security token is being
>> used for constrained delegation, but constrained delegation is not
>> configured correctly."* - msdn
>> (http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx)
>> *"There is a bug in Java 1.5"* - other source
>>
>> ... but none of them convinces me.
>> So the question is: Why is that message appearing? Should I worry about
>> it? How can I solve it?
>>
>> Thanks in advance!
>>
>> Regards,
>> Santi
>> _______________________________________________
>> krbdev mailing list
>> krbdev at mit.edu <mailto:krbdev at mit.edu>
>>
>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>
>>
>>
>> --
>>
>> Douglas E. Engert <DEEngert at anl.gov
>> <mailto:DEEngert at anl.gov>>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>>
>>
>>
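The two mechanisms discussed in this thread (Max's point that with useTicketCache=true Java reads a TGT from the Windows LSA or a ccache and otherwise falls back to its own password login, and the FILE: ccache jaas.conf at the top of the message) can be exercised from a small cache-only check. The program below is an added example written for this page; it is not code from the thread, from MIT Kerberos, from NIM or from the JDK. It builds the "Client" entry programmatically through javax.security.auth.login.Configuration instead of a jaas.conf file, so no config-file tokenizing of the Windows path is involved, and sets doNotPrompt=true so that login() either succeeds from the existing TGT or fails, never asking for a password. The class name CcacheCheck, the helper cacheOnlyConfig and the command-line ccache path are assumptions; the JAAS and KerberosTicket calls are standard Java 5+ API.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical check program (not part of the thread): logs in from an existing
 * Kerberos credentials cache only, never prompting for a password, and reports
 * what Krb5LoginModule actually read from it.
 */
public class CcacheCheck {

    /**
     * Programmatic equivalent of the "Client" entry in jaas.conf. Building it
     * in code avoids the config-file parser entirely, so the Windows path needs
     * no escaping here. ccachePath == null means "let Java ask the LSA".
     */
    static Configuration cacheOnlyConfig(final String ccachePath) {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");   // fail instead of asking for a password
                if (ccachePath != null) {
                    opts.put("ticketCache", ccachePath);   // e.g. the FILE: ccache NIM writes
                }
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
            public void refresh() { }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Assumed invocation: java CcacheCheck [path-to-ccache]; no argument = LSA lookup.
        String ccache = args.length > 0 ? args[0] : null;

        // null Subject and null CallbackHandler are permitted; doNotPrompt means
        // the module must never need a callback.
        LoginContext lc = new LoginContext("Client", null, null, cacheOnlyConfig(ccache));
        lc.login();   // throws LoginException when no usable TGT was found in the cache

        Subject subject = lc.getSubject();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.out.println("login succeeded but the Subject holds no KerberosTicket");
            return;
        }
        for (KerberosTicket t : tickets) {
            System.out.println("client   : " + t.getClient());
            System.out.println("server   : " + t.getServer());   // krbtgt/REALM@REALM for the TGT
            System.out.println("expires  : " + t.getEndTime());
            System.out.println("current  : " + t.isCurrent());    // false once the TGT has expired
            System.out.println("enctype  : " + t.getSessionKeyType());   // session key encryption type number
        }
        lc.logout();   // drops the in-memory copy; the ccache on disk is not touched
    }
}
```

Running it with -Dsun.security.krb5.debug=true on the command line makes the Krb5LoginModule print where it looked for the cache and why it gave up, which is the quickest way to tell "no ccache found, falling back to password" from "TGT found but unusable"; on Windows XP the latter is what the allowtgtsessionkey registry setting mentioned above in the thread controls. If the entry is kept in a jaas.conf file instead, remember that the login configuration syntax treats a backslash inside a quoted value as an escape, so a Windows ticketCache path is safest written with forward slashes or doubled backslashes.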