
We use Kerberos authentication to perform SSO. Earlier our product was on JRE 6 Update 22 and everything used to work fine. We recently migrated to JRE 6 Update 45, and the Kerberos authentication fails.

So, basically the code performs 2 steps - the connect and login:

1. The "connect" step tests if the SPN name and credentials (either password or keytab) can log in to the domain controller identified by the realm and KDC info.
2. The "login" step does the same, and then also tries to bind to the AD LDAP service using the GSSAPI authentication mechanism.

So, it is attempting to perform a GSSAPI bind and at this step it is failing now.

So, here's what is happening -

1. Server (our product) sends AS-REQ to KDC
2. KDC responds back with error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
3. Server again sends AS-REQ to KDC with the timestamp
4. KDC responds back (AS-REP) with TGT
5. MCIM sends the TGS-REQ – From our analysis, this is the problem area; this request is populated with incorrect details as explained below.
6. KDC responds back with error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)

Now, the problem here is that when the server is sending the TGS-REQ, it sends it with Server Name (Unknown): ldap/10.213.177.3, whereas in the older JRE version it used to send the TGS-REQ as ldap/win2008.mcssoiwa.hari (hostname of the KDC) even when the KDC IP is given. Now, the KDC does not have an SPN registered with ldap and IP, whereas it has an SPN registered with ldap/hostname of the KDC.

If we explicitly perform a setspn command for ldap/, everything starts working. So, what has changed in later versions of JRE 6 which is causing this issue? This is really a blocker for us and we are not aware how this can be resolved. Any help/guidance would be appreciated.

The code which is doing this -

    import com.unboundid.ldap.sdk.GSSAPIBindRequest;
    import com.unboundid.ldap.sdk.LDAPConnection;

    LDAPConnection connection = new LDAPConnection(request.getServer(), request.getPort());
    // args: authenticationID, authorizationID, password, realm, kdcAddress, configFilePath
    GSSAPIBindRequest bindRequest = new GSSAPIBindRequest(request.getAuthnId(), null, "N/A", null, null, "");
    connection.bind(bindRequest); // throws the exception below

This throws the following exception:

    Caused by: com.unboundid.ldap.sdk.LDAPException: Unable to create the initial GSSAPI SASL request:  javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))] caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)) caused by KrbException: Server not found in Kerberos database (7) caused by KrbException: Identifier doesn't match expected value (906)
      at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:120)
      at com.unboundid.ldap.sdk.GSSAPIBindRequest.run(GSSAPIBindRequest.java:1022)
      ... 56 common frames omitted
    Caused by: javax.security.sasl.SaslException: GSS initiate failed
      at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
      at com.unboundid.ldap.sdk.SASLHelper.processSASLBind(SASLHelper.java:114)
      ... 57 common frames omitted
    Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
      at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
      ... 59 common frames omitted
    Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
      at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
      at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
      at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
      at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
      at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
      ... 62 common frames omitted
    Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
      at sun.security.krb5.internal.KDCRep.init(Unknown Source)
      at sun.security.krb5.internal.TGSRep.init(Unknown Source)
      at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
  • I have stumbled upon this briefly too. Did you file a bug with Oracle and raise this on the security dev list of the OpenJDK? – Michael-O Sep 19 '13 at 20:17
  • We are unable to file bug with oracle. How did you resolve the issue? – pavitra Sep 21 '13 at 17:29
  • Why are you unable to do that? I haven't yet, we are still migrating to JDK 7 and I haven't tested the bug on that version. – Michael-O Sep 21 '13 at 20:25
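Added example, not code from the question or from the UnboundID project: a workaround that canonicalizes an IP literal to the server's hostname before the bind, so the TGS-REQ asks for ldap/hostname (the SPN form the question says AD has registered) rather than ldap/IP. It assumes the JGSS SASL client derives the target service principal from the host string handed to LDAPConnection, which is what the question's capture shows; the account name, password, port and the 10.213.177.3 address are placeholders.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.regex.Pattern;

import com.unboundid.ldap.sdk.GSSAPIBindRequest;
import com.unboundid.ldap.sdk.LDAPConnection;

/** Make the GSSAPI bind target a hostname so the requested SPN exists in AD. */
public class CanonicalGssapiBind {

    // Dotted-quad IPv4 literal, e.g. the constructed sample "10.213.177.3".
    private static final Pattern IPV4 = Pattern.compile("^(\\d{1,3}\\.){3}\\d{1,3}$");

    /**
     * Host string the SASL GSSAPI client will embed in the service principal
     * (ldap/HOST). An IP literal is resolved once via reverse DNS; a hostname
     * is used verbatim. Reverse DNS is a trust decision (a PTR record controls
     * which principal you ask a ticket for), so prefer configuring the host by
     * name and treat this path as a fallback.
     */
    static String serviceHost(String configuredServer) throws UnknownHostException {
        if (!IPV4.matcher(configuredServer).matches()) {
            return configuredServer;
        }
        String canonical = InetAddress.getByName(configuredServer).getCanonicalHostName();
        if (canonical.equals(configuredServer)) {
            // No PTR record: the bind would request ldap/<IP>, which the KDC answers
            // with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN unless such an SPN is registered.
            throw new UnknownHostException("no reverse DNS entry for " + configuredServer
                    + "; configure the LDAP/KDC host by name");
        }
        return canonical;
    }

    /** SPN the TGS-REQ will carry; log it before binding to make failures diagnosable. */
    static String expectedSpn(String host) {
        return "ldap/" + host;
    }

    public static void main(String[] args) throws Exception {
        String host = serviceHost(args.length > 0 ? args[0] : "10.213.177.3");
        System.out.println("TGS-REQ will request " + expectedSpn(host));

        LDAPConnection connection = new LDAPConnection(host, 389);
        try {
            // Same constructor as the question: authnID, authzID, password, realm, kdc, config
            GSSAPIBindRequest bind = new GSSAPIBindRequest(
                    "svc-account@EXAMPLE.REALM", null, "placeholder", null, null, "");
            connection.bind(bind);
        } finally {
            connection.close();
        }
    }
}
```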

1 Answer

Two things: briefly skimming over changes in JDK6 shows there are some mentions of LDAP between 22 and 45. I can't detect anything related immediately - maybe you have to scrutinize all changes in detail.

Release notes of UnboundID Solutions's LDAP SDK for Java could also give some indication. Maybe you need to upgrade the SDK to make up for a change in the JDK.

  • Yes, I tried by using the later version of Unbound jar - 2.3.3, but no luck. It is still giving me the same error. Yes, we even went through the bug list and did not find much. But, when I search for it, I see that many others also have faced this issue. We are still stuck and this is a high priority issue for us. – pavitra Sep 24 '13 at 15:57