directory-dev mailing list archives

From "Michael Waldvogel (JIRA)" <j...@apache.org>
Subject [jira] Created: (DIRSTUDIO-606) Cannot use Windows in memory TGT (AES128/256) on Windows 7
Date Wed, 09 Dec 2009 07:45:18 GMT
Cannot use Windows in memory TGT (AES128/256) on Windows 7
----------------------------------------------------------

                 Key: DIRSTUDIO-606
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
             Project: Directory Studio
          Issue Type: Bug
    Affects Versions: 1.5.1, 1.5.0
         Environment: Windows 7 Ultimate
            Reporter: Michael Waldvogel


I'm using JRE 1.6_17 together with the unlimited JCE profile. I used Directory Studio 1.5.0
on Windows XP and used the option "Use native TGT". As long as I was using Windows XP together
with rc4-hmac, everything worked like a charm. Then I changed to Windows 7 and made use of
the newly supported encryption cipher aes256-cts-hmac-sha1-96. I think the encryption cipher id
is 18 as far as I could extract that from the KDC's log.

Now I get the following error, when I try to connect to the LDAP server (OpenLDAP 2.4.19):

Fehler beim Öffnen der Verbindung (= problem when opening connection)
 - GSSAPI
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
Integrity check on decrypted field failed (31) - PROCESS_TGS)]]
	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
	at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
	at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Unknown Source)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
No valid credentials provided (Mechanism level: Integrity check on decrypted field failed
(31) - PROCESS_TGS)]
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
	... 19 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on
decrypted field failed (31) - PROCESS_TGS)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
	... 20 more
Caused by: KrbException: Integrity check on decrypted field failed (31) - PROCESS_TGS
	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
	... 23 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
	at sun.security.krb5.internal.TGSRep.init(Unknown Source)
	at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
	... 28 more

  GSSAPI

If I directly connect to the KDC and retrieve the TGT from there, I can connect to the LDAP
server without any problem using Kerberos authentication.

I'm not completely sure if this is an issue with Directory Studio or with the JRE. Can you please
let me know if you extract the TGT directly from Windows or if you use the Java GSSAPI to access
the TGT? If it's a JRE problem I'm gonna report to Sun immediately.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

