[Fwd: Re: A problem with GSS-API (kdc = SEAM by SUN): GSSException Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31)) - GSSException: Defective token detected (Mechanism level: AP_REP token id does not ma]

[Seema Malkani]

--- Begin Message --- Typically the error "Integrity check on decrypted field failed" is seen when an incorrect key is used. Due to incorrect set-up, different keys are being used for encryption and decryption.

This is not an issue with Java GSS in J2SE 1.5. Please check your Kerberos configuration and Kerberos principals set-up for client and server. In addition, make sure the keys in the keytab are correct. Send me the details of your set-up.

I have already corresponded with Alex earlier, when this issue was posted to the Sun alias ([EMAIL PROTECTED]). Please let me know if you have any questions.

Seema

Andreas Schmid wrote:

Hi!

All this GSS-API stuff does not work in Java 1.5.
It seems to be a big bug.

In Java 1.4 all works fine!

[EMAIL PROTECTED] (Don Alex) wrote in message news:<[EMAIL PROTECTED]>...

Hi doc!!!!:

I am running the Sample with tutorial "Use of JAAS Login Utility and
Java GSS-API for Secure Messages without JAAS programming"
KDC is a SEAM in Solaris 9
JDK 1.5
The Code are SampleClient.java y SampleServer.java without relevant
modifications

If anyone has any ideas I'm all ears.

Don Alex

SERVER:
Waiting for incoming connection...
Got connection from client /157.253.50.59
Will read input token of size 517 for processing by acceptSecContext
Debug is  true storeKey true useTicketCache false useKeyTab false
doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
is false principal is null tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
Kerberos username [root]: alexmunoz/utria.uniandes.edu.co
Kerberos password for alexmunoz/utria.uniandes.edu.co: al
               [Krb5LoginModule] user entered username:
alexmunoz/utria.uniandes.edu.co

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.
principal is alexmunoz/[EMAIL PROTECTED]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B9 86 13 75 13 2C
AB F1
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B9 86 13 75 13 2C
AB F1
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: AD 58 02 92 1A 5E
B9 C2 BA 6D B0 64 0B 70 AE 1F .X...^...m.d.p..
0010: 6D 98 C8 16 68 A4 16 19 Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.

EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=utria.uniandes.edu.co UDP:88, timeout=30000,

number of retries =3, #bytes=257

KDCCommunication: kdc=utria.uniandes.edu.co UDP:88,

timeout=30000,Attempt =1, #bytes=257

KrbKdcReq send: #bytes read=563
KrbKdcReq send: #bytes read=563
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply alexmunoz/utria.uniandes.edu.co

Added server's keyKerberos Principal
alexmunoz/[EMAIL PROTECTED] Version 0key
EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: B9 86 13 75 13 2C AB F1

[Krb5LoginModule] added Krb5Principal alexmunoz/[EMAIL PROTECTED] to Subject
Added server's keyKerberos Principal
alexmunoz/[EMAIL PROTECTED] Version 0key
EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: B9 86 13 75 13 2C AB F1

[Krb5LoginModule] added Krb5Principal alexmunoz/[EMAIL PROTECTED] to Subject
Added server's keyKerberos Principal
alexmunoz/[EMAIL PROTECTED] Version 0key
EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: AD 58 02 92 1A 5E B9 C2 BA 6D B0 64 0B 70 AE 1F .X...^...m.d.p..
0010: 6D 98 C8 16 68 A4 16 19

[Krb5LoginModule] added Krb5Principal alexmunoz/[EMAIL PROTECTED] to Subject
Commit Succeeded

Found key for alexmunoz/[EMAIL PROTECTED](3)
Found key for alexmunoz/[EMAIL PROTECTED](16)
Found key for alexmunoz/[EMAIL PROTECTED](1)
Entered Krb5Context.acceptSecContext with state=STATE_NEW

EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: b2075a55
crc32: 10110010000001110101101001010101

GSSException Failure unspecified at GSS-API level (Mechanism level:
Integrity check on decrypted field failed (31))
GSSException: Failure unspecified at GSS-API level (Mechanism level:
Integrity check on decrypted field failed (31))
       at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
       at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
       at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
       at SampleServer.main(SampleServer.java:117)
Caused by: KrbException: Integrity check on decrypted field failed
(31)
       at sun.security.krb5.internal.crypto.t.b(DashoA12275:154)
       at sun.security.krb5.internal.crypto.s.b(DashoA12275:77)
       at sun.security.krb5.EncryptedData.decrypt(DashoA12275:157)
       at sun.security.krb5.KrbApReq.a(DashoA12275:266)
       at sun.security.krb5.KrbApReq.<init>(DashoA12275:134)
       at 
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
       at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
       ... 3 more
GSSException Failure unspecified at GSS-API level (Mechanism level:
Integrity check on decrypted field failed (31))
Will send token of size 517 from acceptSecContext.
Exception in thread "main" java.io.EOFException
       at java.io.DataInputStream.readInt(DataInputStream.java:358)
       at SampleServer.main(SampleServer.java:111)

CLIENT:
Connected to server utria.uniandes.edu.co/157.253.50.59
Debug is  true storeKey false useTicketCache false useKeyTab false
doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config
is false principal is null tryFirstPass is false useFirstPass is false
storePass is false clearPass is false
Kerberos username [root]: alexmunoz/utria.uniandes.edu.co
Kerberos password for alexmunoz/utria.uniandes.edu.co: al
               [Krb5LoginModule] user entered username:
alexmunoz/utria.uniandes.edu.co

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.
principal is alexmunoz/[EMAIL PROTECTED]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: B9 86 13 75 13 2C
AB F1
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: B9 86 13 75 13 2C
AB F1
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: AD 58 02 92 1A 5E
B9 C2 BA 6D B0 64 0B 70 AE 1F .X...^...m.d.p..
0010: 6D 98 C8 16 68 A4 16 19 Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 16.

EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=utria.uniandes.edu.co UDP:88, timeout=30000,

number of retries =3, #bytes=257

KDCCommunication: kdc=utria.uniandes.edu.co UDP:88,

timeout=30000,Attempt =1, #bytes=257

KrbKdcReq send: #bytes read=563
KrbKdcReq send: #bytes read=563
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply alexmunoz/utria.uniandes.edu.co

Commit Succeeded

Found ticket for alexmunoz/[EMAIL PROTECTED] to go
to krbtgt/[EMAIL PROTECTED] expiring on Sun Nov 14
22:00:17 COT 2004
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject

Credentials acquireServiceCreds: same realm

Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 16.

CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=utria.uniandes.edu.co UDP:88, timeout=30000,

number of retries =3, #bytes=619

KDCCommunication: kdc=utria.uniandes.edu.co UDP:88,

timeout=30000,Attempt =1, #bytes=619

KrbKdcReq send: #bytes read=557
KrbKdcReq send: #bytes read=557
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbApReq: APOptions are 00100000 00000000 00000000 00000000
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

Krb5Context setting mySeqNumber to: -1456
Created InitSecContextToken:
0000: 30 31 20 30 30 20 36 65 20 38 32 20 30 31 20 66 01 00 6e 82
01 f
0010: 30 20 33 30 20 38 32 20 30 31 20 65 63 20 61 30 0 30 82 01 ec
a0
0020: 20 30 33 20 30 32 20 30 31 20 30 35 20 61 31 20 03 02 01 05
a1
0030: 30 33 20 30 32 20 30 31 20 30 65 20 61 32 20 30 03 02 01 0e
a2 0
0040: 37 20 30 33 20 30 35 20 30 30 20 32 30 20 30 30 7 03 05 00 20
00
0050: 20 30 30 20 30 30 20 61 33 20 38 31 20 66 64 20 00 00 a3 81
fd
0060: 36 31 20 38 31 20 66 61 20 33 30 20 38 31 20 66 61 81 fa 30
81 f
0070: 37 20 61 30 20 30 33 20 30 32 20 30 31 20 30 35 7 a0 03 02 01
05
0080: 20 61 31 20 31 31 20 31 62 20 30 66 20 35 35 20 a1 11 1b 0f
55
0090: 34 65 20 34 39 20 34 31 20 34 65 20 34 34 20 34 4e 49 41 4e
44 4
00A0: 35 20 35 33 20 32 65 20 34 35 20 34 34 20 35 35 5 53 2e 45 44
55
00B0: 20 32 65 20 34 33 20 34 66 20 61 32 20 32 34 20 2e 43 4f a2
24
00C0: 33 30 20 32 32 20 61 30 20 30 33 20 30 32 20 30 30 22 a0 03
02 0
00D0: 31 20 30 30 20 61 31 20 31 62 20 33 30 20 31 39 1 00 a1 1b 30
19
00E0: 20 31 62 20 30 36 20 36 62 20 37 32 20 36 32 20 1b 06 6b 72
62
00F0: 37 34 20 36 37 20 37 34 20 31 62 20 30 66 20 35 74 67 74 1b
0f 5
0100: 35 20 34 65 20 34 39 20 34 31 20 34 65 20 34 34 5 4e 49 41 4e
44
0110: 20 34 35 20 35 33 20 32 65 20 34 35 20 34 34 20 45 53 2e 45
44
0120: 35 35 20 32 65 20 34 33 20 34 66 20 61 33 20 38 55 2e 43 4f
a3 8
0130: 31 20 62 36 20 33 30 20 38 31 20 62 33 20 61 30 1 b6 30 81 b3
a0
0140: 20 30 33 20 30 32 20 30 31 20 30 31 20 61 32 20 03 02 01 01
a2
0150: 38 31 20 61 62 20 30 34 20 38 31 20 61 38 20 30 81 ab 04 81
a8 0
0160: 31 20 35 34 20 39 38 20 34 37 20 61 35 20 32 32 1 54 98 47 a5
22
0170: 20 66 66 20 38 33 20 39 31 20 35 36 20 65 37 20 ff 83 91 56
e7
0180: 39 64 20 30 65 20 61 65 20 63 62 20 62 61 20 38 9d 0e ae cb
ba 8
0190: 34 20 32 39 20 33 65 20 32 33 20 32 66 20 61 36 4 29 3e 23 2f
a6
01A0: 20 34 63 20 63 31 20 31 34 20 36 63 20 64 64 20 4c c1 14 6c
dd
01B0: 36 38 20 31 30 20 66 33 20 61 38 20 62 32 20 66 68 10 f3 a8
b2 f
01C0: 61 20 32 30 20 62 33 20 38 63 20 34 38 20 32 37 a 20 b3 8c 48
27
01D0: 20 31 66 20 39 39 20 33 33 20 35 65 20 31 36 20 1f 99 33 5e
16
01E0: 38 64 20 33 31 20 35 32 20 66 39 20 32 65 20 64 8d 31 52 f9
2e d
01F0: 32 20 38 35 20 30 37 20 63 64 20 64 64 20 31 64 2 85 07 cd dd
1d
0200: 20 62 64 20 37 34 20 37 62 20 30 65 20 36 62 20 bd 74 7b 0e
6b
0210: 36 39 20 33 64 20 30 65 20 35 31 20 34 31 20 64 69 3d 0e 51
41 d
0220: 66 20 62 36 20 30 35 20 66 65 20 62 37 20 37 61 f b6 05 fe b7
7a
0230: 20 62 38 20 61 32 20 61 31 20 31 65 20 65 39 20 b8 a2 a1 1e
e9
0240: 64 62 20 62 39 20 36 62 20 31 34 20 30 62 20 34 db b9 6b 14
0b 4
0250: 63 20 31 63 20 64 64 20 62 31 20 65 30 20 32 66 c 1c dd b1 e0
2f
0260: 20 62 30 20 34 36 20 39 63 20 35 35 20 30 65 20 b0 46 9c 55
0e
0270: 33 64 20 66 61 20 38 65 20 66 37 20 33 64 20 35 3d fa 8e f7
3d 5
0280: 63 20 30 65 20 66 39 20 36 36 20 64 36 20 62 63 c 0e f9 66 d6
bc
0290: 20 62 31 20 61 32 20 66 36 20 34 35 20 62 35 20 b1 a2 f6 45
b5
02A0: 39 32 20 62 62 20 65 35 20 62 31 20 63 33 20 32 92 bb e5 b1
c3 2
02B0: 65 20 64 61 20 61 62 20 65 38 20 63 35 20 31 39 e da ab e8 c5
19
02C0: 20 39 62 20 36 37 20 38 63 20 30 64 20 37 33 20 9b 67 8c 0d
73
02D0: 30 61 20 65 65 20 36 63 20 65 33 20 39 35 20 64 0a ee 6c e3
95 d
02E0: 39 20 64 32 20 34 61 20 32 66 20 38 64 20 39 65 9 d2 4a 2f 8d
9e
02F0: 20 35 35 20 38 30 20 37 33 20 32 32 20 34 61 20 55 80 73 22
4a
0300: 66 61 20 61 30 20 63 39 20 39 66 20 37 65 20 33 fa a0 c9 9f
7e 3
0310: 32 20 63 63 20 30 62 20 62 37 20 66 34 20 63 66 2 cc 0b b7 f4
cf
0320: 20 36 65 20 61 30 20 32 31 20 65 35 20 32 64 20 6e a0 21 e5
2d
0330: 32 64 20 66 62 20 34 62 20 66 34 20 39 37 20 36 2d fb 4b f4
97 6
0340: 66 20 64 66 20 35 33 20 61 35 20 36 31 20 36 33 f df 53 a5 61
63
0350: 20 61 34 20 32 31 20 61 34 20 38 31 20 64 36 20 a4 21 a4 81
d6
0360: 33 30 20 38 31 20 64 33 20 61 30 20 30 33 20 30 30 81 d3 a0
03 0
0370: 32 20 30 31 20 30 33 20 61 32 20 38 31 20 63 62 2 01 03 a2 81
cb
0380: 20 30 34 20 38 31 20 63 38 20 66 35 20 34 61 20 04 81 c8 f5
4a
0390: 39 34 20 66 37 20 64 66 20 32 35 20 31 65 20 62 94 f7 df 25
1e b
03A0: 36 20 38 32 20 38 35 20 63 36 20 37 31 20 33 30 6 82 85 c6 71
30
03B0: 20 61 62 20 64 62 20 64 66 20 38 65 20 36 38 20 ab db df 8e
68
03C0: 62 31 20 33 35 20 34 65 20 30 34 20 35 61 20 30 b1 35 4e 04
5a 0
03D0: 35 20 32 62 20 31 36 20 65 61 20 38 65 20 35 35 5 2b 16 ea 8e
55
03E0: 20 37 63 20 34 63 20 66 37 20 31 62 20 34 64 20 7c 4c f7 1b
4d
03F0: 65 33 20 63 63 20 37 33 20 64 38 20 37 38 20 64 e3 cc 73 d8
78 d
0400: 63 20 64 31 20 36 66 20 38 63 20 34 39 20 30 35 c d1 6f 8c 49
05
0410: 20 34 33 20 36 61 20 35 35 20 66 37 20 64 65 20 43 6a 55 f7
de
0420: 38 64 20 63 65 20 31 33 20 35 37 20 66 38 20 33 8d ce 13 57
f8 3
0430: 31 20 31 35 20 36 62 20 64 31 20 31 61 20 36 39 1 15 6b d1 1a
69
0440: 20 63 33 20 30 33 20 30 30 20 32 66 20 34 35 20 c3 03 00 2f
45
0450: 36 33 20 62 63 20 63 30 20 30 62 20 39 36 20 33 63 bc c0 0b
96 3
0460: 66 20 33 36 20 36 39 20 36 65 20 63 39 20 38 64 f 36 69 6e c9
8d
0470: 20 39 37 20 61 63 20 38 34 20 62 30 20 39 30 20 97 ac 84 b0
90
0480: 37 30 20 36 63 20 32 38 20 30 62 20 35 30 20 65 70 6c 28 0b
50 e
0490: 33 20 65 61 20 62 38 20 61 31 20 35 34 20 62 63 3 ea b8 a1 54
bc
04A0: 20 39 37 20 34 39 20 66 65 20 31 37 20 30 39 20 97 49 fe 17
09
04B0: 62 39 20 64 35 20 39 31 20 63 36 20 35 36 20 38 b9 d5 91 c6
56 8
04C0: 39 20 34 33 20 61 66 20 38 36 20 31 35 20 65 66 9 43 af 86 15
ef
04D0: 20 65 66 20 64 37 20 63 66 20 64 62 20 37 33 20 ef d7 cf db
73
04E0: 38 65 20 64 39 20 65 63 20 33 31 20 65 34 20 31 8e d9 ec 31
e4 1
04F0: 63 20 34 64 20 61 62 20 61 34 20 63 39 20 61 63 c 4d ab a4 c9
ac
0500: 20 65 66 20 32 62 20 30 30 20 31 66 20 38 63 20 ef 2b 00 1f
8c
0510: 31 31 20 64 36 20 39 30 20 64 36 20 66 64 20 38 11 d6 90 d6
fd 8
0520: 63 20 61 36 20 30 66 20 30 61 20 39 66 20 62 61 c a6 0f 0a 9f
ba
0530: 20 34 39 20 31 65 20 35 63 20 63 36 20 65 34 20 49 1e 5c c6
e4
0540: 36 34 20 61 61 20 63 33 20 64 66 20 32 63 20 32 64 aa c3 df
2c 2
0550: 32 20 63 34 20 30 66 20 39 30 20 64 36 20 63 62 2 c4 0f 90 d6
cb
0560: 20 35 39 20 39 31 20 63 39 20 39 39 20 36 38 20 59 91 c9 99
68
0570: 37 38 20 63 65 20 31 37 20 35 31 20 31 61 20 62 78 ce 17 51
1a b
0580: 37 20 63 30 20 66 63 20 63 33 20 36 30 20 39 30 7 c0 fc c3 60
90
0590: 20 31 39 20 61 31 20 30 62 20 35 61 20 38 31 20 19 a1 0b 5a
81
05A0: 61 34 20 31 30 20 64 37 20 34 64 20 36 39 20 61 a4 10 d7 4d
69 a
05B0: 65 20 36 61 20 63 37 20 63 35 20 66 63 20 63 39 e 6a c7 c5 fc
c9
05C0: 20 63 34 20 61 39 20 37 33 20 30 66 20 37 63 20 c4 a9 73 0f
7c
05D0: 36 32 20 62 39 20 37 61 20 65 38 20 39 39 20 36 62 b9 7a e8
99 6
05E0: 30 20 Will send token of size 517 from initSecContext.
Will read input token of size 517 for processing by initSecContext
Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
Exception in thread "main" GSSException: Defective token detected
(Mechanism level: AP_REP token id does not match!)
at sun.security.jgss.krb5.AcceptSecContextToken.<init>(AcceptSecContextToken.java:65)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:640)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:213)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:158)
at SampleClient.main(SampleClient.java:144)

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos

--- End Message ---

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos