[
https://issues.apache.org/jira/browse/DIRSTUDIO-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12787956#action_12787956
]
Michael Waldvogel commented on DIRSTUDIO-606:
---------------------------------------------
I just forgot: also upgraded to DS 1.5.1. The issue remains.
> Cannot use Windows in memory TGT (AES128/256) on Windows 7
> ----------------------------------------------------------
>
> Key: DIRSTUDIO-606
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
> Project: Directory Studio
> Issue Type: Bug
> Affects Versions: 1.5.0, 1.5.1
> Environment: Windows 7 Ultimate
> Reporter: Michael Waldvogel
> Original Estimate: 3h
> Remaining Estimate: 3h
>
> I'm using JRE 1.6_17 together with the unlimited JCE profile. I used
> Directory Studio 1.5.0 on Windows XP and used the option "Use native TGT". As
> long as I was using Windows XP together with rc4-hmac, everything worked like
> a charm. Then I changed to Windows 7 and made use of the newly supported
> encryption cipher aes256-cts-hmac-sha1-96. I think the encryption cipher id
> is 18 as far as I could extract that from the KDC's log.
> Now I get the following error, when I try to connect to the LDAP server
> (OpenLDAP 2.4.19):
> Fehler beim Öffnen der Verbindung (= problem when opening connection)
> - GSSAPI
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]]
> at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
> at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Unknown Source)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
> at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
> at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
> at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> ... 19 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31) - PROCESS_TGS)
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> ... 20 more
> Caused by: KrbException: Integrity check on decrypted field failed (31) - PROCESS_TGS
> at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
> at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> ... 23 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
> ... 28 more
> GSSAPI
> If I directly connect to the KDC and retrieve the TGT from there, I can
> connect to the LDAP server without any problem using Kerberos authentication.
> I'm not completely sure if this is an issue with Directory Studio or with
> JRE. Can you please let me know if you extract the TGT directly from Windows
> or if you use the Java GSSAPI to access the TGT? If it's a JRE problem I'm gonna
> report to Sun immediately.