Cannot use Windows in memory TGT (AES128/256) on Windows 7
----------------------------------------------------------

                 Key: DIRSTUDIO-606
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
             Project: Directory Studio
          Issue Type: Bug
    Affects Versions: 1.5.1, 1.5.0
         Environment: Windows 7 Ultimate
            Reporter: Michael Waldvogel


I'm using JRE 1.6_17 together with the unlimited JCE profile. I used Directory 
Studio 1.5.0 on Windows XP and used the option "Use native TGT". As long as I 
was using Windows XP together with rc4-hmac, everything worked like a charm. 
Then I changed to Windows 7 and made use of the newly supported encryption cipher 
aes256-cts-hmac-sha1-96. I think the encryption cipher id is 18, as far as I 
could extract that from the KDC's log.

Now I get the following error when I try to connect to the LDAP server 
(OpenLDAP 2.4.19):

Fehler beim Öffnen der Verbindung (= problem when opening connection)
 - GSSAPI
  javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
        at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
        at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
        at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
        at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        ... 19 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        ... 20 more
Caused by: KrbException: Integrity check on decrypted field failed (31) - PROCESS_TGS
        at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        ... 23 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.init(Unknown Source)
        at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
        ... 28 more

  GSSAPI

If I directly connect to the KDC and retrieve the TGT from there, I can connect 
to the LDAP server without any problem using Kerberos authentication.

I'm not completely sure if this is an issue with Directory Studio or with the JRE. 
Can you please let me know if you extract the TGT directly from Windows or if 
you use the Java GSSAPI to access the TGT? If it's a JRE problem I'm gonna report 
it to Sun immediately.
