directory-dev mailing list archives
From "Stefan Seelmann (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DIRSTUDIO-606) Cannot use Windows in memory TGT (AES128/256) on Windows 7
Date Wed, 09 Dec 2009 09:30:18 GMT

    [ https://issues.apache.org/jira/browse/DIRSTUDIO-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12787999#action_12787999 ]

Stefan Seelmann commented on DIRSTUDIO-606:
-------------------------------------------

I never tried with Windows 7, only XP and Vista clients against a Windows Server 2003. We use
JNDI, which uses JAAS, which uses JGSS. For XP and Vista it is necessary to set a registry
key [1] to be able to access the TGT, do you know if this is still possible with Windows 7?

Have you tried to choose the option "Obtain TGT from KDC" ("TGT vom KDC anfordern") and provide
username and password? Does it work with this option?

In Studio we create our own JAAS Configuration, based on the settings in the connection properties.
But you could disable this feature and provide your own JAAS config file (see [1] again).
You need to activate "Window"->"Preferences"->"Apache Directory Studio"->"Connections"->"Use
Kerberos System Settings" (this disables the Kerberos configuration in connection properties).
Maybe you could find your own settings to make it work.

[1] http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html

> Cannot use Windows in memory TGT (AES128/256) on Windows 7
> ----------------------------------------------------------
>
>                 Key: DIRSTUDIO-606
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 1.5.0, 1.5.1
>         Environment: Windows 7 Ultimate
>            Reporter: Michael Waldvogel
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> I'm using JRE 1.6_17 together with the unlimited JCE profile. I used Directory Studio
> 1.5.0 on Windows XP and used the option "Use native TGT". As long as I was using Windows XP
> together with rc4-hmac, everything worked like a charm. Then I changed to Windows 7 and made
> use of the newly supported encryption cipher aes256-cts-hmac-sha1-96. I think the encryption cipher
> id is 18 as far as I could extract that from the KDC's log.
> Now I get the following error, when I try to connect to the LDAP server (OpenLDAP 2.4.19):
> Fehler beim Öffnen der Verbindung (= problem when opening connection)
>  - GSSAPI
>   javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException:
> GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level:
> Integrity check on decrypted field failed (31) - PROCESS_TGS)]]
> 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> 	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
> 	at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Unknown Source)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
> 	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> 	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
> 	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException:
> No valid credentials provided (Mechanism level: Integrity check on decrypted field failed
> (31) - PROCESS_TGS)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> 	... 19 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check
> on decrypted field failed (31) - PROCESS_TGS)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	... 20 more
> Caused by: KrbException: Integrity check on decrypted field failed (31) - PROCESS_TGS
> 	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> 	... 23 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> 	at sun.security.krb5.internal.TGSRep.init(Unknown Source)
> 	at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
> 	... 28 more
>   GSSAPI
> If I directly connect to the KDC and retrieve the TGT from there, I can connect to the
> LDAP server without any problem using Kerberos authentication.
> I'm not completely sure if this is an issue with Directory Studio or with the JRE. Can you
> please let me know if you extract the TGT directly from Windows or if you use the Java GSSAPI
> to access the TGT? If it's a JRE problem I'm gonna report it to Sun immediately.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
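The comment above describes the chain Studio relies on (JNDI -> JAAS -> JGSS) and suggests supplying your own JAAS configuration. The following stand-alone program is an added diagnostic, not code from Directory Studio or from the commenter: it exercises only the JRE's JAAS/JGSS layer against the Windows in-memory ticket cache, so a failure here points at the JRE/LSA side rather than at Studio, which is the question the reporter raises. The stack trace in the report fails while reading the TGS reply (KrbTgsRep, error 31), so the optional second step requests a service ticket the same way to reproduce that point. The login entry name "NativeTgt", the file name "native-tgt.conf" and the service name passed on the command line are assumptions; the Krb5LoginModule options used (useTicketCache, doNotPrompt, debug) are standard ones. Reading the TGT session key from the Windows LSA additionally requires the registry setting described in the Sun document the comment cites as [1].

```java
// Added diagnostic (not Directory Studio code): can this JRE obtain Kerberos
// initiator credentials from the Windows native ticket cache, and can it then
// get a service ticket? Written against Java 6 (no lambdas), matching the JRE
// in the report.
//
// Assumed JAAS configuration file "native-tgt.conf" next to the class files:
//
//   NativeTgt {
//       com.sun.security.auth.module.Krb5LoginModule required
//           useTicketCache=true   // read the LSA in-memory cache on Windows
//           doNotPrompt=true      // fail instead of asking for a password
//           debug=true;           // print which cache/etype the module saw
//   };
//
// Usage:  java NativeTgtCheck [ldap@ldap-host.example.com]
//         (service name is an assumed placeholder; omit it to test the TGT only)

import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NativeTgtCheck {

    public static void main(final String[] args) throws Exception {
        // Point JAAS at the assumed config file and turn on the Kerberos
        // library's own tracing (KDC exchanges, encryption types in use).
        System.setProperty("java.security.auth.login.config", "native-tgt.conf");
        System.setProperty("sun.security.krb5.debug", "true");

        // Step 1: JAAS login. With useTicketCache=true on Windows this pulls the
        // TGT (and its session key, if the LSA exports it) into the Subject.
        LoginContext lc = new LoginContext("NativeTgt");
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("JAAS login OK, principals: " + subject.getPrincipals());

        // Step 2: run JGSS inside the Subject so it uses those credentials
        // (javax.security.auth.useSubjectCredsOnly defaults to true).
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws Exception {
                GSSManager gm = GSSManager.getInstance();
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism

                GSSCredential cred = gm.createCredential(null,
                        GSSCredential.DEFAULT_LIFETIME, krb5Mech,
                        GSSCredential.INITIATE_ONLY);
                System.out.println("Initiator credential: " + cred.getName()
                        + ", remaining lifetime: " + cred.getRemainingLifetime() + "s");

                // Step 3 (optional): ask the KDC for a service ticket. This is the
                // TGS exchange whose reply failed to verify in the report; a
                // failure here with the same message reproduces it outside Studio.
                if (args.length > 0) {
                    GSSName target = gm.createName(args[0], GSSName.NT_HOSTBASED_SERVICE);
                    GSSContext ctx = gm.createContext(target, krb5Mech, cred,
                            GSSContext.DEFAULT_LIFETIME);
                    byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
                    System.out.println("Service ticket obtained, initial token: "
                            + apReq.length + " bytes");
                    ctx.dispose();
                }
                cred.dispose();
                return null;
            }
        });
        lc.logout();
    }
}
```

If step 1 or 2 already fails, the JRE cannot use the native TGT regardless of Studio; if only step 3 fails with "Integrity check on decrypted field failed", the TGT was read but its session key did not verify the TGS reply, which matches the trace in the report and is what the debug output is there to show.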

