
I'm a Kerberos newbie and I'm trying to configure a Java/Tomcat app to talk to a database using Kerberos for authentication. I'm getting a stack trace saying that it's not able to connect and that there are no valid credentials, but I can't tell what the problem is.

Here's my krb5.conf...

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_keytab_name = FILE:C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = WINDOWSKDCDOMAIN
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
WINDOWSKDCDOMAIN = {
kdc = DEVDC01.DEV.MYDOMAIN.COM :88
}

[domain_realm]
#.MYDOMAIN.com = WINDOWSKDCDOMAIN
#MYDOMAIN.com = WINDOWSKDCDOMAIN

And my jaas.conf...

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    doNotPrompt=true
    keyTab="C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab"
    principal="QZAJ@MYDOMAIN.NET"
    debug=true
};
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    doNotPrompt=true
    keyTab="C:\Users\QZAJ\Documents\repos\secure.qzaj\qzaj.keytab"
    principal="QZAJ@MYDOMAIN.NET"
    debug=true
};

My keytab file...

MYDOMAIN.NET QZAJ   X\e  �...
MYDOMAIN.NET QZAJ   X\e   �...

And the error/stack trace when I run it...

>>>KinitOptions cache name is C:\Users\QZAJ\krb5cc_qzaj
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> Obtained TGT from LSA: Credentials:
      client=QZAJ@MYDOMAIN.NET
      server=krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
    authTime=20161228220909Z
   startTime=20161228220909Z
     endTime=20161229073249Z
   renewTill=20170104213249Z
       flags=FORWARDABLE;RENEWABLE;PRE-AUTHENT
EType (skey)=17
   (tkt key)=18
Found ticket for QZAJ@MYDOMAIN.NET to go to krbtgt/MYDOMAIN.NET@MYDOMAIN.NET expiring on Wed Dec 28 23:32:49 PST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 17 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=a0319dc17.MYDOMAIN.net. TCP:88, timeout=30000, number of retries =3, #bytes=2108
>>> KDCCommunication: kdc=a0319dc17.MYDOMAIN.net. TCP:88, timeout=30000,Attempt =1, #bytes=2108
>>>DEBUG: TCPClient reading 2050 bytes
>>> KrbKdcReq send: #bytes read=2050
>>> KdcAccessibility: remove a0319dc17.MYDOMAIN.net.:88
>>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
KrbException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:50)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:226)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:314)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4116)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3188)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:61)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3151)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7535)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2438)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1973)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1616)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1447)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:788)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1187)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:270)
    ...
com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:a27a8ca0-5c80-4f88-9908-49650040a303
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:2392)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:247)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.GenerateClientContext(KerbAuthentication.java:314)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:4116)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:3188)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.access$100(SQLServerConnection.java:61)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:3151)
    at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7535)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:2438)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1973)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:1616)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:1447)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:788)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1187)
    at java.sql.DriverManager.getConnection(DriverManager.java:664)
    at java.sql.DriverManager.getConnection(DriverManager.java:270)
    ...
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.microsoft.sqlserver.jdbc.KerbAuthentication.intAuthHandShake(KerbAuthentication.java:226)
    ...
Caused by: KrbException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:50)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    ...

I don't understand where it's going wrong. Any suggestions would be appreciated.

ferr0084
  • Important Kerberos elements do not match up between your configuration files. That needs to be cleaned up. And there is no telling what is actually inside your keytab. Using a good editor like Notepad++, can you right-click on your qzaj.keytab file and then edit your question by pasting the keytab contents to the bottom of your question? The secret key inside is encrypted so that will appear as gibberish, but I want to see how the SPN is represented inside of it in order to help solve this problem. – T-Heron Dec 29 '16 at 02:59
  • Possible duplicate of [GSSException: Message stream modified (41)](http://stackoverflow.com/questions/15932361/gssexception-message-stream-modified-41) – seenukarthi Dec 29 '16 at 06:44
  • Hello @T-Heron, I added the keytab file right below the jaas.config. – ferr0084 Dec 29 '16 at 18:06
  • Thanks for adding that in. I see your edit. In your keytab, you have a MYDOMAIN.NET realm defined for a service QZAJ, but in krb5.conf you have the realm defined as WINDOWSKDCDOMAIN. In jaas.conf you have MYDOMAIN.NET. So what is up with WINDOWSKDCDOMAIN in krb5.conf?? – T-Heron Dec 29 '16 at 18:15
  • Hi @KarthikeyanVaithilingam , I saw that post. Unfortunately it did not help. – ferr0084 Dec 29 '16 at 18:24
  • Problem Solved. Thank you @T-Heron for pointing me in the right direction. I changed my realm to DEV.MYDOMAIN.COM and updated the default_realm and domain_realm mappings to point to it and everything just started working. Thank you! – ferr0084 Jan 04 '17 at 20:51
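The mismatch T-Heron points out in the comments (keytab and jaas.conf carry MYDOMAIN.NET, krb5.conf defines only WINDOWSKDCDOMAIN and has default_realm commented out) is the kind of thing worth checking mechanically before chasing enctypes or ticket lifetimes. The script below is an added example, not code from the original post or its answers. It parses an MIT-format keytab (version 0x0502, the format ktpass and ktutil write) without touching the key bytes, so you can see the principal, realm, kvno and enctype of each entry, then cross-checks the realm against krb5.conf and the JAAS principal and flags RC4/DES keys. The keytab bytes, the two krb5.conf texts and the principal are constructed here to mirror the post and are not the poster's real files; point `parse_keytab()` at your own keytab to inspect it.

```python
"""Keytab and krb5.conf consistency check (added example, not from the original post).

SAMPLE_KEYTAB, BROKEN_CONF and FIXED_CONF are constructed inputs that mirror the
question (QZAJ@MYDOMAIN.NET in the keytab, WINDOWSKDCDOMAIN in krb5.conf).
"""
import struct
from typing import Dict, List

# Enctype numbers as they appear in the JDK debug output (RFC 3961 / MS-KILE).
ENCTYPES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # DES, 3DES and RC4 keys should not be issued today


def _counted(buf: bytes, off: int):
    """Read a uint16 length-prefixed octet string (big-endian in v2 keytabs)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Return principal/realm/kvno/enctype per entry; the secret key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + abs(size)
        if size <= 0:                      # a negative size marks a deleted slot
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                    # jump over the key material itself
        vno = vno8
        if end - off >= 4:                 # optional 32-bit kvno trailer, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "realm": realm.decode(), "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype)})
        off = end
    return entries


def build_keytab(entries) -> bytes:
    """Write a v2 keytab from (principal, enctype, kvno, key) tuples; used for the sample only."""
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def parse_krb5_conf(text: str) -> Dict:
    """Pull default_realm and the [realms] names out of a krb5.conf; '#' lines are ignored."""
    conf, section = {"default_realm": None, "realms": set()}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.split("=")[0].strip() == "default_realm":
            conf["default_realm"] = line.split("=", 1)[1].strip()
        elif section == "realms" and line.endswith("{"):
            conf["realms"].add(line.split("=")[0].strip())
    return conf


def check(keytab: bytes, krb5_conf: str, jaas_principal: str) -> List[str]:
    """List every mismatch that would keep Krb5LoginModule from using the keytab cleanly."""
    entries, conf, problems = parse_keytab(keytab), parse_krb5_conf(krb5_conf), []
    keytab_realms = {e["realm"] for e in entries}
    if jaas_principal not in {e["principal"] for e in entries}:
        problems.append("JAAS principal %s is not in the keytab" % jaas_principal)
    if conf["default_realm"] is None:
        problems.append("krb5.conf has no default_realm (commented out?)")
    elif conf["default_realm"] not in keytab_realms:
        problems.append("default_realm %s does not match keytab realm(s) %s"
                        % (conf["default_realm"], sorted(keytab_realms)))
    for realm in sorted(keytab_realms - conf["realms"]):
        problems.append("[realms] has no KDC entry for %s" % realm)
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("%s kvno %d uses weak enctype %s"
                            % (e["principal"], e["kvno"], e["enctype_name"]))
    return problems


# Constructed sample: two keys for one principal, like the two-line keytab in the post.
SAMPLE_KEYTAB = build_keytab([("QZAJ@MYDOMAIN.NET", 18, 3, b"\x11" * 32),
                              ("QZAJ@MYDOMAIN.NET", 23, 3, b"\x22" * 16)])
BROKEN_CONF = ("[libdefaults]\n# default_realm = WINDOWSKDCDOMAIN\n[realms]\n"
               "WINDOWSKDCDOMAIN = {\n kdc = DEVDC01.DEV.MYDOMAIN.COM:88\n}\n")
FIXED_CONF = ("[libdefaults]\n default_realm = MYDOMAIN.NET\n[realms]\n"
              "MYDOMAIN.NET = {\n kdc = DEVDC01.DEV.MYDOMAIN.COM:88\n}\n")

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s" % e)
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check(SAMPLE_KEYTAB, conf, "QZAJ@MYDOMAIN.NET") or ["ok"])
```

Against the broken configuration the check reports the missing default_realm, the missing [realms] entry for MYDOMAIN.NET and the RC4 key; against the fixed one only the RC4 key remains, which is the next thing to remove from the account once the AES keys are confirmed working. On a real keytab, `klist -k -t -e <file>` (MIT) or `ktpass`'s output gives the same principal/kvno/enctype view without any parsing.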

1 Answer


Try removing renew_lifetime. I discovered this solution through trial and error, and the only backing material I've found online is this: http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201909.mbox/%3CCAKRKJ1O3yrYKDZ=WhU=i6A+zqxFnUidxvwQzNCTW0mnEv2WFPA@mail.gmail.com%3E

Domenic Bove