Hi Hasanthi,

Assuming that you are using an AD as the Kerberos Server, have you
registered a Service Principal for both the C# client and the Java server in
the AD?

You can do this using setspn.exe. Also, when registering the SPN,
register all possible values that the principal can take.
For example, let's say the hostname of your Java server is *server.is.local*;
you can do

setspn -A HTTP/server.is.local <service_account>
setspn -A HTTP/server <service_account>

to add your Java server as a service principal in the Kerberos Server. You
can do the same for the C# client as well. Can you check whether you have
already registered the Service Principals by listing them out using the
commands specified in [1]?

[1]
https://blogs.msdn.microsoft.com/psssql/2009/02/13/searching-for-duplicate-spns-got-a-little-easier/

Thanks,

Farasath Ahamed
Software Engineer,
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware


Email: farasa...@wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>

On Tue, Jun 21, 2016 at 2:03 PM, Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi, I'm implementing Kerberos communication between Java (GSSAPI) and
> C# (SSPI).
>
> The KDC is an Active Directory. When it comes to Java client vs Java
> server and C# client vs C# Server, for both the scenarios this works fine.
>
> When using Java client - server the process happens as below and it works
> fine:
> * Client uses JAAS and creates TGT in client side
> * Server uses JAAS and creates TGT in server side
> * Client uses the service principal name of the server to create the context
> and, using that context, it invokes initSecContext, creates the SGT and passes
> it to the server
> * Server uses acceptSecContext() to validate the SGT
>
> When using C# client - server the process happens as below and it works
> fine too:
> * Client creates credentials and invokes init() to create client TGT
> * Client passes this TGT to the server and server passes this TGT to
> accept() to validate the TGT, then generates server TGT and passes it to
> client
> * Client gets the TGT from server and passes it to init() to create the SGT
> * Client passes this SGT to server and server uses accept() to validate
> the SGT
>
> When using C# client - Java server the process happens as below. [1][2]
> * Client creates credentials and invokes init() to create TGT
> * Client passes this TGT to the server and server uses this TGT and passes
> it to acceptSecContext() to validate the TGT and to generate server TGT and
> passes it to client
> * Client gets the TGT from server and passes it to init() to create the SGT
> and passes the SGT to server.
> * Server uses acceptSecContext() to validate the SGT
>
> When I'm implementing the third use case it fails to validate the TGT of
> the Java server from the C# client side with the following exception.
>
> "Failed to invoke InitializeSecurityContext for a client. The specified
> principle is not known in the authentication system."
>
> [1]
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx
> [2] https://msdn.microsoft.com/en-us/library/ms995352.aspx
>
> Any suggestion to recover from this issue is highly appreciated.
>
> Thanks,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: hasan...@wso2.com
> M: 0718407133 | http://wso2.com
>
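The SPN check and registration that Farasath describes above, written out as an added PowerShell example (not code from the thread or from WSO2). It assumes the ActiveDirectory RSAT module is installed, that the service account is a user-type account (the name `svc-java-server` is a placeholder), and it uses the `server.is.local` hostname from the thread. Beyond the two `setspn -A` lines in the reply, it first looks up who currently holds each SPN, because a duplicate SPN (the same value on two accounts) is the usual reason the KDC cannot issue a ticket and the client reports the principal as unknown.

```powershell
# Added example: verify, then register, the SPNs for a Java service host.
# Assumes the ActiveDirectory module (RSAT) and a user-type service account.
param(
    [string]$ServiceClass   = 'HTTP',
    [string]$HostFqdn       = 'server.is.local',   # hostname from the thread
    [string]$ServiceAccount = 'svc-java-server'    # placeholder, not from the thread
)

Import-Module ActiveDirectory

# Register both the FQDN and the short-name form, as the reply recommends.
$shortHost = $HostFqdn.Split('.')[0]
$spns      = @("$ServiceClass/$HostFqdn", "$ServiceClass/$shortHost")
$accountDn = (Get-ADUser -Identity $ServiceAccount).DistinguishedName

foreach ($spn in $spns) {
    # Every object that currently carries this SPN (equivalent to setspn -Q).
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")

    switch ($holders.Count) {
        0 {
            Write-Host "$spn is not registered; adding it to $ServiceAccount"
            # Same effect as: setspn -A $spn $ServiceAccount
            Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $spn}
        }
        1 {
            if ($holders[0].DistinguishedName -eq $accountDn) {
                Write-Host "$spn is already registered to $ServiceAccount (ok)"
            } else {
                # Registered, but to a different account: adding it again would
                # create a duplicate, so report instead of registering.
                Write-Warning "$spn belongs to $($holders[0].DistinguishedName), not $ServiceAccount"
            }
        }
        default {
            # Duplicate SPN: the KDC cannot choose a key for the ticket.
            Write-Warning "$spn is DUPLICATED on: $($holders.DistinguishedName -join '; ')"
        }
    }
}

# Final listing for the record (equivalent to setspn -L $ServiceAccount).
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
```

If the service runs under a computer account rather than a user account, replace `Set-ADUser`/`Get-ADUser` with `Set-ADComputer`/`Get-ADComputer`. The same duplicate-aware behaviour is available from the command line as `setspn -S` (adds only when no duplicate exists) and `setspn -X` (reports every duplicate in the forest).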
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
