
I am facing a strange problem with Kerberos/LDAP authentication using GSSAPI. I have a simple Java class that authenticates to Kerberos and then does an LDAP search.

This program fails on some of our KDC/AD controllers with this exception:

No encryption was performed by peer.
[stderr] javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
[stderr]  at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:150)
[stderr]  at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
[stderr]  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2694)
[stderr]  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
[stderr]  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
[stderr]  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
[stderr]  at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
[stderr]  at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
[stderr]  at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
[stderr]  at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
[stderr]  at javax.naming.InitialContext.init(InitialContext.java:223)
[stderr]  at javax.naming.InitialContext.<init>(InitialContext.java:197)
[stderr]  at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
[stderr]  at com.ricoh.test.LdapGSSApiTest.search(LdapGSSApiTest.java:199)
[stderr]  at com.ricoh.test.JndiAction.run(LdapGSSApiTest.java:440)
[stderr]  at java.security.AccessController.doPrivileged(Native Method)
[stderr]  at javax.security.auth.Subject.doAs(Subject.java:337)
[stderr]  at com.ricoh.test.LdapGSSApiTest.search_gssapi(LdapGSSApiTest.java:189)
[stderr]  at com.ricoh.test.LdapGSSApiTest.runTest(LdapGSSApiTest.java:111)
[stderr]  at com.ricoh.test.ButtonTest$1.actionPerformed(ButtonTest.java:123)
[stderr]  at jp.co.ricoh.dsdk.panel.Button.processActionEvent(Unknown Source)
[stderr]  at jp.co.ricoh.dsdk.panel.Button.processEvent(Unknown Source)
[stderr]  at jp.co.ricoh.dsdk.panel.Button.fire(Unknown Source)
[stderr]  at jp.co.ricoh.dsdk.panel.Component$MultiEventHandlerImpl.exec(Unknown Source)
[stderr]  at jp.co.ricoh.dsdk.core.manager.EventRunner$Dispatcher.processEvent(Unknown Source)
[stderr]  at jp.co.ricoh.dsdk.core.manager.EventRunner$Dispatcher.run(Unknown Source)
[stderr] Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
[stderr]  at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:310)
[stderr]  at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:169)
[stderr]  at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:114)
[stderr]  ... 25 more
[stderr] Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
[stderr]  at sun.security.jgss.krb5.WrapToken_v2.getDataFromBuffer(WrapToken_v2.java:257)
[stderr]  at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:189)
[stderr]  at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:164)
[stderr]  at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:946)
[stderr]  at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:384)
[stderr]  at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:216)
[stderr]  ... 27 more

I am running Java 1.6 and have disabled the RC4 encryption type on the server.

Anyone got an idea what could be the reason for this? Any known issue with the JVM?

NB: I am able to run the program properly against some of our KDCs and do the LDAP search properly.

Update: My program works just fine using JDK-8, so I am guessing it's a Java 1.6-related issue.

  • Google that error message. And you will discover that a possible cause for this kind of error is that **the Sun/Oracle JVM does not support AES128 nor AES256 by default**. Even though the US export policy for encryption tech has changed years ago, duh. You must download the "unlimited strength encryption" signed JARs separately. OpenJDK is another story, though. – Samson Scharfrichter Oct 17 '16 at 17:57
  • Thank you Samson, I am aware of that... I installed the unlimited strength encryption JARs and they are installed properly. But, interestingly, my program works on JDK 1.8 and fails on Java 1.6, and it looks like a JVM 1.6 issue. – Hassene Ben Amara Oct 17 '16 at 18:28
  • Indeed, there have been, and will be, issues - cf. the final phrase in https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/sections/jdk_versions.html – Samson Scharfrichter Oct 18 '16 at 08:13
  • Get commercial support from Oracle for Java 1.6 or migrate off. – Michael-O Oct 19 '16 at 11:32
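Added example, not the asker's code: a Java 6-compatible preflight that checks the JCE policy limit the comments discuss (the limited policy caps AES at 128 bits, so AES-256 session keys and the RFC 4121 WrapToken_v2 path seen in the trace need the unlimited policy JARs) and then performs the same JAAS login, GSSAPI bind and search as the question's program with Kerberos debug output enabled, so the enctype in use is visible when the bind fails. The LDAP URL, search base and JAAS entry name are placeholders; the JAAS entry is assumed to use a ticket cache or keytab since no CallbackHandler is supplied.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.naming.*;
import javax.naming.directory.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapPreflight {
    // Placeholders: replace with your own directory and JAAS configuration.
    static final String LDAP_URL = "ldap://dc.example.com:389";
    static final String SEARCH_BASE = "DC=example,DC=com";
    static final String JAAS_ENTRY = "KerberosClient"; // entry name in the file given by java.security.auth.login.config

    // True when the unlimited-strength JCE policy is installed; the limited policy caps AES at 128 bits.
    static boolean aes256Permitted() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    // Kerberos login via JAAS, then the GSSAPI bind and search under Subject.doAs, as in the question's program.
    static int countUsers() throws Exception {
        System.setProperty("sun.security.krb5.debug", "true"); // logs the enctype of the ticket and session key
        LoginContext lc = new LoginContext(JAAS_ENTRY); // no CallbackHandler, so the entry must use a cache or keytab
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<Integer>() {
            public Integer run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, LDAP_URL);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                DirContext ctx = new InitialDirContext(env); // SASL GSSAPI bind: the step that fails in the trace
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    NamingEnumeration<SearchResult> hits = ctx.search(SEARCH_BASE, "(objectClass=user)", sc);
                    int n = 0;
                    while (hits.hasMore()) { hits.next(); n++; }
                    return n;
                } finally {
                    ctx.close();
                }
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AES-256 permitted by JCE policy: " + aes256Permitted());
        System.out.println("users found: " + countUsers()); // on failure the cause chain is printed as in the question
    }
}
```

Run it on the JDK that fails and on the one that works; a `false` from the policy check on the failing JVM, or a different enctype in the debug output, separates a policy or enctype problem from a genuine JVM defect.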
