directory-dev mailing list archives

From "Michael Waldvogel (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (DIRSTUDIO-606) Cannot use Windows in memory TGT (AES128/256) on Windows 7
Date Wed, 09 Dec 2009 15:41:18 GMT

     [ https://issues.apache.org/jira/browse/DIRSTUDIO-606?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Waldvogel resolved DIRSTUDIO-606.
-----------------------------------------

    Resolution: Not A Problem

> Cannot use Windows in memory TGT (AES128/256) on Windows 7
> ----------------------------------------------------------
>
>                 Key: DIRSTUDIO-606
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 1.5.0, 1.5.1
>         Environment: Windows 7 Ultimate
>            Reporter: Michael Waldvogel
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> I'm using JRE 1.6_17 together with the unlimited JCE profile. I used Directory Studio 1.5.0 on Windows XP and used the option "Use native TGT". As long as I was using Windows XP together with rc4-hmac, everything worked like a charm. Then I changed to Windows 7 and made use of the newly supported encryption cipher aes256-cts-hmac-sha1-96. I think the encryption cipher id is 18 as far as I could extract that from the KDC's log.
> Now I get the following error, when I try to connect to the LDAP server (OpenLDAP 2.4.19):
> Fehler beim Öffnen der Verbindung (= problem when opening connection)
>  - GSSAPI
>   javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]]
> 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> 	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
> 	at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Unknown Source)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
> 	at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
> 	at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> 	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
> 	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> 	... 19 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	... 20 more
> Caused by: KrbException: Integrity check on decrypted field failed (31) - PROCESS_TGS
> 	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> 	... 23 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> 	at sun.security.krb5.internal.TGSRep.init(Unknown Source)
> 	at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
> 	... 28 more
>   GSSAPI
> If I directly connect to the KDC and retrieve the TGT from there, I can connect to the LDAP server without any problem using Kerberos authentication.
> I'm not completely sure if this is an issue with Directory Studio or with the JRE. Can you please let me know if you extract the TGT directly from Windows or if you use the Java GSSAPI to access the TGT? If it's a JRE problem I'm gonna report to Sun immediately.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

