CODEWITHSUNDEEP
kerberosgssapi
pavitra
pavitra

Reputation: 31

After upgrading to JRE 6 update 45, kerberos authentication fails

We use kerberos authentication to perform SSO. Earlier our product was on JRE 6 Update 22 and everything used to work fine. We recently migrated to JRE 6 update 45, and the kerberos authentication fails.

So, basically the code performs 2 steps - the connect and login 1. The "connect" step tests if the SPN name and credentials (either password or keytab) can login to the domain controller identified by the realm and KDC info. 2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism. So, it is attempting to perform a GSSAPI bind and at this step it is failing now.

So, here's what is happening -

Server(our product) sends AS-REQ to KDC
KDC responds  back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Server again sends AS-REQ to KDC with the timestamp
KDC responds back ( AS-REP) with TGT
MCIM sends the TGS-REQ – From our analysis, this is the problem area, this request is populated with incorrect details as explained below.
KDC responds back with  error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

Now, the problem here is when the server is sending the TGS-REQ, it sends with Server Name (Unknown): ldap/10.213.177.3 whereas in the older JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari(hostname of kdc) even when the KDC IP is given. Now, KDC does not have an SPN registered with ldap and IP whereas it has a SPN registered with Ldap/Hostname of the KDC

If we explicitly perform a setspn command for ldap/, everything starts working. So, what has changed in later versions of JRE 6 which is causing this issue. This is really a blocker for us and we are not aware how this can be resolved. Any help/guidance would be appreciated.

The code which is doing this -

 LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
    GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A",      null, null, "");
    connection.bind(bindRequest); //throws exception

This throws the following exception

*

    Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI      SASL request:  javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
  at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
  at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
  ... 56 common frames omitted
Caused by: javax.security.sasl.SaslException: GSS initiate failed
  at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
  at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
  ... 57 common frames omitted
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
  at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  ... 59 common frames omitted
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
  at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
  at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
  at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
  at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
  at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
  ... 62 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
  at sun.security.krb5.internal.KDCRep.init(Unknown Source)
  at sun.security.krb5.internal.TGSRep.init(Unknown Source)
  at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)*

Upvotes: 0

Views: 854

Answers (1)

Robert Klemme
Robert Klemme

Reputation: 2179

Two things: briefly skimming over changes in JDK6 shows there are some mentions of LDAP between 22 and 45. I can't detect anything related immediately - maybe you have to scrutinize all changes in detail.

Release notes of UnboundID Solutions's LDAP SDK for Java could also give some indication. Maybe you need to upgrade the SDK to make up for a change in the JDK.

Upvotes: 0

Related Questions