Error calling function protocol status: 1312

Max (Weijun) Wang Weijun.Wang at sun.com
Fri Oct 23 10:45:44 EDT 2009


Java does not support AES256 out of the box due to some export control
reasons. You need to apply the "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy File". The file can be downloaded
from the following page:

    http://java.sun.com/javase/downloads/index.jsp

Scroll down the page and it's the last download link.

Thanks
Max

On Oct 23, 2009, at 10:04 PM, Douglas E. Engert wrote:

> Looks like NIM is getting a TGT with AES256 (enctype 18).
> And your KDC supports it too.
>
> It looks like your java is  version 5 See:
> http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
>
>
>  >>>DEBUG <CCacheInputStream>
>  >>> KrbCreds found the default ticket granting ticket in credential cache.
>  >>> unsupported key type found the default TGT: 18
>  >> Acquire default native Credentials
>  >>> Found no TGT's in LSA
>
>
> Looks like the Java obtained TGT is using DES.
>  >>>KinitOptions cache name is C:\Documents and Settings\santi\krb5cc_santi
>  >>>DEBUG <CCacheInputStream>  client principal is santi at ZIGIA.ORG
>  >>>DEBUG <CCacheInputStream> server principal is krbtgt/ZIGIA.ORG at ZIGIA.ORG
>  >>>DEBUG <CCacheInputStream> key type: 1
>
> But the Java version you are running supports DES, DES, RC4, 3DES  
> and 3DES
>  >>> Credentials acquireServiceCreds: same realm
>  Using builtin default etypes for default_tgs_enctypes
>  default etypes for default_tgs_enctypes: 3 1 23 16 17.
>
>
> Santiago Rivas wrote:
>> Ooops, it seems that rar attachment didn't work. I re-send the txt  
>> files...
>> 2009/10/23 Santiago Rivas <sanribu at gmail.com>
>>    Hi,
>>    The application runs from the command line. Yesterday I ran it with
>>    the option you recommended (-Dsun.security.krb5.debug=true) and here
>>    you are the different outputs.
>>    /jvm.rar/ includes both the credentials cache generated with JVM
>>    (kinit) and the output I get when I use them to run the Client.
>>    /nim.rar/ includes both the credentials cache generated with NIM and
>>    the output I get when I use them to run the Client (one specifying
>>    the principal in the jaas.conf and another without doing it).
>>    Regards,
>>    Santi
>>    2009/10/22 Max (Weijun) Wang <Weijun.Wang at sun.com>
>>        Hi Santiago
>>        Java is coded to support type 4 ccache, it just hasn't made use
>>        of the tags inside. Can you send me a copy of your ccache?
>>        It seems you've only specified debug=true in the JAAS config
>>        file. Please also add the system property
>>        sun.security.krb5.debug=true. I don't know how you launch the
>>        program. For the command line, it looks like  ---
>>           java -Dsun.security.krb5.debug=true YourApp
>>        BTW, You mentioned the program works fine with kinit.exe from
>>        JDK. Can you show what the output in that case is?
>>        Thanks
>>        Max
>>        On Oct 22, 2009, at 4:22 AM, Douglas E. Engert wrote:
>>            Santiago Rivas wrote:
>>                After enabling debug mode, this is what I've got:
>>                Case 1: No principal is specified in jaas.conf
>>                *Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>                Acquire TGT from Cache
>>                Error calling function Protocol status: 1312
>>                A specified logon session does not exist. It may already have been terminated
>>                Principal is null
>>                null credentials from Ticket Cache
>>                Username for Kerberos [santi]:*
>>        ...
>>                IMHO, it seems like JVM is not able to parse the
>>                credentials file generated
>>                by NIM. Referring to the credentials cache, is there any
>>                "known incompatibility" between NIM and JVM which I should be
>>                aware of?
>>                Thanks again!
>>            This could be an issue of the cache version. NIM looks like it is
>>            writing a type 4 cache. (First two bytes in the file are 0x05 0x04.
>>            The 0x04 is the version.) It could be Java only knows how to handle
>>            versions up to 3.
>>            In the MIT krb5.conf used by NIM, try adding to
>>            [libdefaults] section:
>>            ccache_type = 3
>>            NIM will then write a type 3 cache.
>>            (This is not the only Kerberos feature that Java is way behind on
>>            either. Using dns_lookup_kdc = 1 to use the DNS SRV records is a
>>            major one especially on Windows...)
>
> -- 
>
> Douglas E. Engert  <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois  60439
> (630) 252-5444
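
Added example (not part of the original messages, and not code from Java or MIT Kerberos): a Python reader for the version 3/4 credentials cache layout discussed in this thread, listing each credential's session key enctype and flagging those outside the default etype list printed in the quoted debug output. The names Reader, read_ccache, unsupported_keys and sample_ccache, and the EXAMPLE.ORG sample cache, are constructed for illustration.

```python
import struct
# Etypes the Java debug output quoted in the thread lists as defaults ("3 1 23 16 17").
THREAD_JAVA_ETYPES = {1, 3, 16, 17, 23}
class Reader:  # big-endian cursor over a version 3 or 4 MIT ccache file
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        if len(chunk) < n:
            raise ValueError("truncated ccache")
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def blob(self): return self.take(self.u32())  # length-prefixed octets
    def principal(self):
        self.u32()  # name type
        count, realm = self.u32(), self.blob()
        return (b"/".join(self.blob() for _ in range(count)) + b"@" + realm).decode()

def read_ccache(data):
    """Return (version, [(server principal, session key enctype), ...])."""
    r = Reader(data)
    magic, version = r.take(2)
    if magic != 5 or version not in (3, 4):
        raise ValueError("expected 0x05 followed by version 3 or 4")
    r.take(r.u16() if version == 4 else 0)  # skip the v4 header tags
    r.principal()  # default principal
    creds = []
    while r.pos < len(data):
        r.principal()  # client
        server, enctype = r.principal(), r.u16()
        r.take(2 if version == 3 else 0)  # v3 stores the enctype twice
        r.blob(); r.take(16 + 1 + 4)  # key bytes, then four times, is_skey, flags
        for _ in range(2):  # addresses, then authdata
            for _ in range(r.u32()):
                r.u16(); r.blob()
        r.blob(); r.blob()  # ticket, second ticket
        creds.append((server, enctype))
    return version, creds

def unsupported_keys(data, supported=THREAD_JAVA_ETYPES):
    return [c for c in read_ccache(data)[1] if c[1] not in supported]

def sample_ccache(version, enctype):  # constructed cache with a dummy key and ticket
    s = lambda b: struct.pack(">I", len(b)) + b
    p = lambda *n: struct.pack(">II", 1, len(n)) + s(b"EXAMPLE.ORG") + b"".join(map(s, n))
    head = bytes([5, version]) + (b"\0\0" if version == 4 else b"")
    key = struct.pack(">H", enctype) * (2 if version == 3 else 1) + s(bytes(16))
    return (head + p(b"user") * 2 + p(b"krbtgt", b"EXAMPLE.ORG") + key
            + bytes(29) + s(b"ticket") + s(b""))
```

For a real cache, pass the file's bytes to unsupported_keys(); a krbtgt entry reported with enctype 18 is the AES256 case described above, and version 1 or 2 caches are rejected because they use native byte order.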



