What you have is a GSS token using the SPNEGO mechanism that contains a Kerberos AS_REQ message as one of its components. You need to wrap the extracted Kerberos AS_REQ message in a new GSS token using the Kerberos mechanism before passing it to acceptSecurityContext(). You also need to extract the AS_REP message from the GSS token returned from that call and wrap it in a new GSS token using the SPNEGO mechanism before sending it to the client. RFCs 1964 and 4121 show how to do this.
Or, you can use a version of JGSS that understands GSS/SPNEGO as well as GSS/Kerberos. --David -- W. David Shambroom, Ph.D. Security Architect 617.551.2143 InterSystems Corporation [EMAIL PROTECTED] > Message: 2 > Date: Mon, 6 Nov 2006 14:26:20 -0500 (EST) > From: "Michael B Allen" <[EMAIL PROTECTED]> > Subject: JGSS: Integrity check on decrypted field failed (31) > To: kerberos@mit.edu > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain;charset=iso-8859-1 > > I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token, > plucks out the krb5 mechToken and passes it to acceptSecContext. Works > great on Linux/Jetty. Tomcat on Windows gives me the following exception. > Basically it looks like it's failing to decrypt the ticket as if the > password was wrong (but it's not). The service account is set for DES > only. For the service credential, I manually create a KerberosKey with a > plaintext password and enctype of "DES". > > Before I start doing byte for byte checking can anyone recommend potential > reasons for this error? > > GSSException: Failure unspecified at GSS-API level (Mechanism level: > Integrity check on decrypted field failed (31)) > > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734) > > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300) > > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246) > com.ibi.security.spnego.SpnegoFilter.doFilter(SpnegoFilter.java:262) > > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos