Error calling function protocol status: 1312

Max (Weijun) Wang Weijun.Wang at Sun.COM
Fri Oct 16 19:57:40 EDT 2009


Sorry I'm not an expert on NIM.

On Oct 17, 2009, at 1:56 AM, Santiago Rivas wrote:

> By the moment, my purpose is to generate a TGT (anyhow, using kinit
> or NIM) and configure the cache so those credentials are stored in a file,

Then you can use any kinit.exe, the one from JDK or MIT. To use a file  
cache, you don't need to care about the registry key mentioned by  
Douglas at all.

In fact, I had thought you were trying to use the LSA cache (non-file
in-memory Windows-specific cache). BTW, if you do want to use the LSA
cache, please make sure that the file cache is not there, since Java
always tries to use the file cache first. You can check this out by
calling the klist.exe command in JDK.

> where Java will read them from later.
>
> Step 1: Configure credentials cache
>
> Since you told me to "update the Identity object to use a FILE:
> ccache", I went to
>
> NIM: Options->Identities->santi at ZIGIA.ORG (which is my test principal)
>
> On "Kerberos v5" folder, I set the "Credential cache" option to
> FILE:ccache. And now I can see that a file named ccache is created or
> deleted every time I generate or destroy the TGT. So I think now I have
> credentials cache configured properly. Am I right?
>
> Step 2: Configure JAAS so that TGT is read from file (in order to
> obtain a TGS)
>
> Here is my jaas.conf file for the client:
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useTicketCache=true
>   ticketCache="c:\docume~1\santi\ccache";
> }
>
> But when I run the client I get the following exception:
>
> java.lang.SecurityException: Configuration Error :
>   Line 4: expected [option key], found [null]
>   at com.sun.security.auth.login.ConfigFile.<init>(Unknown Source)
>   ...

I think Java is complaining about the ticketCache value. It does not  
like Windows style "\" in path. You can try "\\" or "/".

In fact, if you have not provided special argument to kinit, the cache  
file should be generated at the default location, and you don't need  
to specify ticketCache in the JAAS conf file at all.

To debug, add "debug=true" into the JAAS conf file, *and* add
-Dsun.security.krb5.debug=true into your Java command line, you will see
a lot of things.

Hope this helps

Weijun (aka Max)
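As an added example (not code from this thread, the JDK or NIM), the following Java program does what Max describes: it logs in through Krb5LoginModule from an existing FILE: credential cache, builds the JAAS configuration in code so the backslash-in-path parse error cannot happen, and switches on both debug knobs. The class name CcacheLogin, the helper names and the sample path are assumptions; it expects a TGT already obtained with kinit or NIM, and a krb5.ini/krb5.conf (or the java.security.krb5.realm/kdc properties) that point at the right realm and KDC.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the krbdev thread): authenticate with
 * Krb5LoginModule from a FILE: credential cache, with the JAAS entry
 * built in code instead of parsed from jaas.conf.
 *
 * Assumptions (hypothetical names and paths):
 *   - a TGT already sits in the cache file given as args[0],
 *     e.g. C:\docume~1\santi\ccache (kinit or NIM wrote it);
 *   - krb5.ini / krb5.conf names the realm and KDC.
 */
public class CcacheLogin {

    /** Turn a Windows path into one the jaas.conf parser also accepts ("\" -> "/"). */
    static String toJaasPath(String path) {
        return path.replace('\\', '/');
    }

    /**
     * Programmatic equivalent of this jaas.conf entry, minus the quoting pitfalls:
     *
     *   Client {
     *     com.sun.security.auth.module.Krb5LoginModule required
     *     useTicketCache=true
     *     doNotPrompt=true
     *     ticketCache="c:/docume~1/santi/ccache"
     *     debug=true;
     *   };
     *
     * ccachePath == null leaves ticketCache unset, so the module looks in
     * the default cache location (and, on Windows, the LSA).
     */
    static Configuration ccacheConfig(final String ccachePath, final boolean debug) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useTicketCache", "true");
                opts.put("doNotPrompt", "true");   // fail instead of asking for a password
                if (ccachePath != null) {
                    opts.put("ticketCache", toJaasPath(ccachePath));
                }
                opts.put("debug", Boolean.toString(debug));
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    public static void main(String[] args) {
        String ccache = args.length > 0 ? args[0] : null;
        // Same effect as -Dsun.security.krb5.debug=true on the command line.
        System.setProperty("sun.security.krb5.debug", "true");

        try {
            LoginContext lc = new LoginContext("Client", null, null, ccacheConfig(ccache, true));
            lc.login();
            Subject subject = lc.getSubject();
            // Print every Kerberos ticket the module pulled out of the cache.
            for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                System.out.println("client=" + t.getClient()
                        + " server=" + t.getServer()
                        + " expires=" + t.getEndTime());
            }
            lc.logout();
        } catch (LoginException e) {
            // Typical causes: no (or an expired/purged) TGT in the cache, or,
            // with no ticketCache set on Windows, no usable LSA logon session.
            System.err.println("Kerberos login from ccache failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as `java CcacheLogin c:\docume~1\santi\ccache`; because the path is converted in code, the backslashes are harmless here. Leave the argument out to let the module use the default cache location, which is what Max recommends when kinit was run without special arguments. Since doNotPrompt is set, a missing or empty cache produces a LoginException rather than a password prompt, which is the behaviour you want when checking whether single sign-on from the cache actually works.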

>
> I guess there some information missing about the credentials, but I  
> don't
> know what. Any idea?
>
> I never tire for saying thank you!
>
> Regards,
> Santi
>
> 2009/10/16 Douglas E. Engert <deengert at anl.gov>
>
>>
>>
>> Santiago Rivas wrote:
>>
>>> Ok, here is what I've done:
>>> I changed the JAAS config file, setting "useTicketCache=<somePath>". That
>>> was enough to make the 1312 status error disappear. But I'm still not able
>>> to configure the ticket caching properly.
>>> I forgot to mention that I had already tried to set some file path
>>> under
>>> NIM: Options->Kerberos v5->Credential Cache ... with no results.
>>> I typed the path "C:\Documents and Settings\user\krb5cc_1000" into the
>>> text box and clicked the "Add" button, but it said something like "the
>>> credentials cache file was not found". If I only set the path to some folder
>>> (with no file name) there is no error message, but when I generate new
>>> tickets no file is created. I've reset the machine and verified that the
>>> user has privileges to access the path I'm typing so I don't know where
>>> I'm mistaking... ¿?
>>>
>>
>> Did you make the registry setting change as suggested by both NIM
>> and Java?
>>
>> I don't think Java actually writes tickets to the cache. It just reads a
>> TGT from the cache, then keeps tickets in memory. (I could be wrong)
>> The Java kinit.exe will write the TGT but I have never needed to use it.
>> Windows and NIM/KfW also have kinit.exe files so be careful which one you
>> are using.
>>
>>> Thanks, Douglas, for introducing Jeff Altman and Weijun Wang to me.
>>> Regards,
>>> Santi
>>> 2009/10/14 Douglas E. Engert <deengert at anl.gov <mailto:deengert at anl.gov>>
>>>
>>>
>>>
>>>   P.S. The other responder to your note, Weijun Wang, is the
>>>   author of the Sun web page I listed below. Small world!
>>>
>>>
>>>   Douglas E. Engert wrote:
>>>
>>>
>>>       Santiago Rivas wrote:
>>>
>>>           So, if I didn't misunderstand your words, I basically have
>>>           at least 2 alternatives to achieve ticket collection from cache
>>>           under Windows XP environment:
>>>
>>>           1) Configure Network Identity Manager to store credentials
>>>           into a file, in
>>>           order to read them from Java.
>>>
>>>
>>>       One of the other responders to your first e-mail, Jeff Altman, is
>>>       the developer of Network Identity Manager, and said:
>>>        " Network Identity Manager can be configured to store the user's
>>>          credentials in a FILE:<drive>:<path> cache which can then be
>>>          accessed via Java."
>>>
>>>          Start by looking under Options->Kerberos v5->Credential  
>>> Cache
>>>
>>>           2) Set up the configuration so that logon session is
>>>           authenticated with
>>>           Kerberos, and then retrieve the TGT ticket from LSA  
>>> querying
>>>           via JAAS.
>>>
>>>
>>>       Also see this:
>>>
>>> http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html
>>>
>>>       It talks about using the LSA, or the ticketCache=file  
>>> options and
>>>       the use of the "TGT accessibility" registry setting for
>>>       allowtgtsessionkey.
>>>       Network Identity Manager also uses this registry setting.
>>>
>>>       (This registry setting may be your main issue!)
>>>
>>>           Personally, I'm more interested in the second option, since
>>>           the main target is to achieve single sign-on with kerberos.
>>>           Anyway, I would appreciate to read some documentation on both
>>>           tasks. Could you please tell me where I can find it?
>>>
>>>
>>>       A third option is to use the Microsoft runas /netonly
>>>       /user:user at realm program
>>>       This will run the program with a new LSA. Program could be
>>>       cmd.exe or even explorer.exe
>>>
>>>
>>>           Thanks a lot, guys!
>>>
>>>           Regards,
>>>           Santi
>>>
>>>
>>>           2009/10/14 Douglas E. Engert <deengert at anl.gov
>>>           <mailto:deengert at anl.gov>>
>>>
>>>
>>>               Santiago Rivas wrote:
>>>
>>>                   Well, I do specify "useTicketCache=true" in the  
>>> JAAS
>>>                   config file, but
>>>                   there
>>>                   is something I must be missing, cause I cannot get
>>>                   it working with cached
>>>                   tickets. In fact, I must provide username and
>>>                   password in the config file
>>>                   (or via command line).
>>>
>>>                   I can obtain TGT tickets with both Leash32 and
>>>                   Network Identity Manager
>>>                   tools, but I cannot see where they are stored, if
>>>                   cached (just the same as
>>>                   /tmp/krb5cc_1000 file in Linux...) ¿?
>>>
>>>               On Unix, with JXplorer, I can add
>>>               -Duser.krb5ccname=$KRB5CCNAME
>>>               to the command line, and the JXplorer gssapi.conf has:
>>>
>>>               com.ca.commons.jndi.JNDIOps {
>>>                com.sun.security.auth.module.Krb5LoginModule required
>>>               client=TRUE
>>>                     ticketCache="${user.krb5ccname}"
>>>                     doNotPrompt=TRUE
>>>                     useTicketCache=TRUE;
>>>               };
>>>
>>>               On Windows it does not have the ticketCache= line,
>>>               but I think it could try it.
>>>
>>>               If Leash32 or Network Identity Manager is storing them
>>>               in a file,
>>>               say \tmp\krb5cc_username
>>>               you could try ticketCache=\tmp\krb5cc_username
>>>
>>>
>>>
>>>
>>>                   So may be the question should be: How do I  
>>> configure
>>>                   the ticket cache in
>>>                   Windows? Is it mandatory to be configured  
>>> through LSA?
>>>
>>>                   Thank you very much, Max!
>>>
>>>                   Regards,
>>>                   Santi
>>>
>>>                   2009/10/14 Max (Weijun) Wang <Weijun.Wang at sun.com
>>>                   <mailto:Weijun.Wang at sun.com>>
>>>
>>>
>>>                       Java tries to get the credentials cache (ccache)
>>>                       from Windows LSA if you specify useTicketCache=true
>>>                       in the JAAS config file. In some cases, Java
>>>                       believes there's a ccache at the beginning, but
>>>                       finally it cannot get one.
>>>                       For example, you login as an AD account but then
>>>                       purge the TGT using klist or kerbtray. Then, you
>>>                       will see this error.
>>>
>>>                       Without the ccache, Java will try the Kerberos
>>>                       login itself, you'll need to provide username and
>>>                       password in your program.
>>>
>>>                       -- Max
>>>
>>>                       On Oct 14, 2009, at 6:55 PM, Santiago Rivas  
>>> wrote:
>>>
>>>                        Hi again,
>>>
>>>                           After some tough work, it seems I've got my
>>>                           test environment configured and working with
>>>                           DHCP server, DNS server, ldap and Domain
>>>                           Controller, running on a GNU Linux Debian
>>>                           platform. I've also configured KDC + AS
>>>                           services on that machine, and I'm glad to see
>>>                           that I'm able to create a secure context
>>>                           between the server and other GNU Linux
>>>                           machine. I'm using GSS-API in Java 1.6, and
>>>                           everything works fine.
>>>
>>>                           The problem comes when I run the same Java
>>>                           code on a Windows XP SP3 platform with jdk
>>>                           1.5.0_21 version installed. Just before the
>>>                           context is created, I get the message:
>>>
>>>                           Error calling function protocol status:
>>>                           1312. A specified logon session does not
>>>                           exist. It may already have been terminated.
>>>
>>>                           But the most curious thing is that execution
>>>                           continues and secure context is created
>>>                           indeed. I've also checked krb5kdc.log and
>>>                           verified that both TGT and TGS tickets are
>>>                           generated and delivered correctly.
>>>
>>>                           I've searched the web and I've found many
>>>                           possible explanations, like:
>>>
>>>                           "There is a problem with Windows API
>>>                           FormatMessage usage in a non English
>>>                           locale" - forums.sun
>>>                           "The identity associated with a KerberosToken2
>>>                           <http://msdn.microsoft.com/en-us/library/microsoft.web.services2.security.tokens.kerberostoken2.aspx>
>>>                           security token is being used for constrained
>>>                           delegation, but constrained delegation is not
>>>                           configured correctly." - msdn
>>>                           "There is a bug in Java 1.5" - other source
>>>
>>>                           ... but none of them convinces me.
>>>                           So the question is: Why is that message
>>>                           appearing? Should I worry about it?
>>>                           How can I solve it?
>>>
>>>                           Thanks in advance!
>>>
>>>                           Regards,
>>>                           Santi
>>>                            
>>> _______________________________________________
>>>                           krbdev mailing list
>>>           krbdev at mit.edu <mailto:krbdev at mit.edu>
>>>
>>> https://mailman.mit.edu/mailman/listinfo/krbdev
>>>
>>>
>>>
>>>
>>>
>>>               --
>>>
>>>                Douglas E. Engert  <DEEngert at anl.gov
>>>               <mailto:DEEngert at anl.gov>>
>>>                Argonne National Laboratory
>>>                9700 South Cass Avenue
>>>                Argonne, Illinois  60439
>>>                (630) 252-5444
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
