
I am working with GSSAPI successfully with Java 5. With Java 6 and 7 the InitialLdapContext call fails with the following stack trace:

>>>KRBError:
     sTime is Fri Jun 14 13:40:01 CEST 2013 1371210001000
     suSec is 948732
     error code is 7
     error Message is Server not found in Kerberos database
     realm is DE.XXX.NET
     sname is ldap/yyy.de.xxx.net
     msgType is 30
KrbException: Server not found in Kerberos database (7)
     at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
     at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
     at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
     at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
     at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
     at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
     at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
     at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
     at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
     at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
     at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
     at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
     at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
     at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
     at javax.naming.InitialContext.init(Unknown Source)
     at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
     at kerberos.UserRoles2.getUserRoles(UserRoles2.java:27)
     at kerberos.Server$2.run(Server.java:240)
     at kerberos.Server$2.run(Server.java:1)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAs(Unknown Source)
     at kerberos.Server.getRoles(Server.java:233)
     at kerberos.Server.main(Server.java:95)
Caused by: KrbException: Identifier doesn't match expected value (906)
     at sun.security.krb5.internal.KDCRep.init(Unknown Source)
     at sun.security.krb5.internal.TGSRep.init(Unknown Source)
     at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
     ... 29 more

Problem searching directory: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]

Does anybody have an idea what is going wrong in Java 6 or 7?

The keytab file is created with the ktab tool of a JRE 7:

    "c:\Program Files\Java\jre7\bin\ktab.exe" -a user@DOMAIN.DE password -k my.keytab -n 0
    "c:\Program Files\Java\jre7\bin\ktab.exe" -a Service/host@DOMAIN.DE password -k my.keytab -n 0

Windows Server 2008 Active Directory

Please remember: if I am using Java 5, the InitialLdapContext call is working as expected.

Thanks in advance

Michael

1 Answer

Problem is solved.

I have used an alias DNS name for the ldap_url property. In Java 1.5 the alias DNS name was resolved to the real DNS name. In Java 1.6 and 1.7 this resolution does not happen.

The change to a real DNS name solved the problem.

  • So, the sequence is: user sends a SPNEGO ticket via browser, application validates it and then calls LDAP? I am trying to identify why the request is being sent to ldap/yyy.de.xxx.net. Did you create another keytab for this service as well? What is the process you followed, as I am facing the same issue.

        >>>KRBError:
             sTime is Fri Jun 14 13:40:01 CEST 2013 1371210001000
             suSec is 948732
             error code is 7
             error Message is Server not found in Kerberos database
             realm is DE.XXX.NET
             sname is ldap/yyy.de.xxx.net
             msgType is 30

    – Hammad Dar Apr 23 '18 at 07:46
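The answer above pins the failure on a DNS alias in the LDAP URL: the SASL/GSSAPI client asks the KDC for a ticket for `ldap/<host-in-URL>`, and when that host is an alias rather than the name the service principal was registered under, the KDC answers "Server not found in Kerberos database (7)". The following is an added example, not code from the question, the answer or the JDK, that checks for exactly this mismatch before connecting and then builds the same kind of GSSAPI `InitialLdapContext` the question uses. The URL `ldap://ldap-alias.example.net:389` is a constructed placeholder; the check assumes the environment's reverse DNS (PTR records) points at the canonical host name, and the connect call is assumed to run inside a `Subject.doAs` with an existing JAAS Kerberos login, as the stack trace in the question shows.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Diagnoses the "alias DNS name in the LDAP URL" problem from the answer:
 * the Kerberos service principal is built from the URL host, so an alias
 * (CNAME) yields an SPN the KDC does not know. Added example code.
 */
public class LdapSpnCheck {

    /** Host part of the LDAP URL; this is what the SPN ldap/<host> is built from. */
    static String hostOf(String ldapUrl) {
        String host = URI.create(ldapUrl).getHost();
        if (host == null) {
            throw new IllegalArgumentException("LDAP URL has no host: " + ldapUrl);
        }
        return host;
    }

    /** Canonical (real) host name as seen by forward + reverse DNS lookup. */
    static String canonicalHost(String host) throws UnknownHostException {
        return InetAddress.getByName(host).getCanonicalHostName();
    }

    /**
     * Returns the expected SPN for the given URL, or throws with a clear
     * explanation when the URL host is an alias for a different canonical name.
     * Throwing here gives a readable error instead of KRB error code 7 later.
     */
    static String expectedSpn(String ldapUrl) throws UnknownHostException {
        String host = hostOf(ldapUrl);
        String canon = canonicalHost(host);
        if (!host.equalsIgnoreCase(canon)) {
            throw new IllegalStateException(
                "LDAP URL host '" + host + "' is an alias for '" + canon + "'. "
                + "The ticket would be requested for ldap/" + host
                + " but the service principal is ldap/" + canon
                + ". Use ldap://" + canon + " in the URL.");
        }
        return "ldap/" + canon;
    }

    /** Rebuilds the URL with the canonical host, keeping scheme, port and path. */
    static String canonicalLdapUrl(String ldapUrl) throws UnknownHostException {
        URI u = URI.create(ldapUrl);
        String canon = canonicalHost(hostOf(ldapUrl));
        String port = u.getPort() == -1 ? "" : ":" + u.getPort();
        String path = u.getRawPath() == null ? "" : u.getRawPath();
        return u.getScheme() + "://" + canon + port + path;
    }

    /**
     * Same JNDI setup as the question's getUserRoles: SASL GSSAPI bind.
     * Must be called inside Subject.doAs(...) with a Kerberos-authenticated Subject
     * (assumption: the JAAS login already happened, as in the question's Server class).
     */
    static LdapContext connect(String ldapUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Request integrity + confidentiality on the SASL layer (standard SASL property).
        env.put("javax.security.sasl.qop", "auth-conf");
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder; pass the real URL as the first argument.
        String ldapUrl = args.length > 0 ? args[0] : "ldap://ldap-alias.example.net:389";
        try {
            System.out.println("OK, will request " + expectedSpn(ldapUrl));
        } catch (IllegalStateException alias) {
            System.err.println("WARNING: " + alias.getMessage());
            ldapUrl = canonicalLdapUrl(ldapUrl);
            System.err.println("Continuing with " + ldapUrl);
        }
        LdapContext ctx = connect(ldapUrl);   // run inside Subject.doAs in real code
        ctx.close();
    }
}
```

Running this with the alias URL prints the warning naming both SPNs (`ldap/<alias>` versus `ldap/<canonical>`) and then connects using the canonical name, which is the fix the answer describes. Two caveats for the check itself: `getCanonicalHostName()` depends on a correct PTR record, so in a zone without reverse DNS it can return the address or the alias unchanged and the check silently passes; and `-Dsun.security.krb5.debug=true` on the JVM command line shows the exact `sname` being requested, which is the quickest way to confirm the mismatch from the KDC's side.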