Re: SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK

2013-10-09 Thread Michael-O

On 2013-10-09 17:28, Chawla, Rachit wrote:

Hi All,

I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 
but not able to get it working. We tried on 7.0.29 version too. Since I get 
Login Successful in logs, I assume Kerberos login was successful. It's 
SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
code: 11, minor code: 0
  major string: General failure, unspecified at GSSAPI level
  minor string: Desired initLifetime zero or less


Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as 
reference. On decompiling SpnegoAuthenticator code, we saw that we are using 
GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the 
reason for the exception.

final PrivilegedExceptionAction action =
    new PrivilegedExceptionAction() {
        @Override
        public GSSCredential run() throws GSSException {
            return manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY);
        }
    };


Hi,

I am using the same source code for my SpnegoAuthenticator with an Oracle JVM 
on Windows and a HP VM on HP-UX.

Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to 
GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html


Thanks Michael. It did solve the issue.
Not sure if it will be acceptable as a fix, due to constraints and stuff.

Appreciate the effort :).


If this one works, are you able to file a bug with IBM's JVM?

The behavior should be the same as in Oracle's VM or MIT/Heimdal Kerberos.

Michael


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
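
Added example, not part of the original thread and not Tomcat's or Michael's code: a helper that keeps GSSCredential.DEFAULT_LIFETIME as the first choice and retries with GSSCredential.INDEFINITE_LIFETIME only when the provider rejects the lifetime the way the IBM provider does above. The class and method names are hypothetical, and matching on the minor string text is an assumption taken from the message quoted in the thread.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added example: class and method names are hypothetical, not Tomcat's.
public final class AcceptorCredentials {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    private AcceptorCredentials() {}

    // Call inside Subject.doAs(...) / a PrivilegedExceptionAction for the
    // service principal, exactly where the thread's snippet runs.
    public static GSSCredential create(GSSManager manager) throws GSSException {
        Oid spnego = new Oid(SPNEGO_OID);
        try {
            return manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
        } catch (GSSException e) {
            // Retry only for the lifetime rejection; keytab, principal and
            // KDC failures must still surface unchanged.
            if (!isLifetimeRejection(e)) {
                throw e;
            }
            return manager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, spnego, GSSCredential.ACCEPT_ONLY);
        }
    }

    // Matches the failure reported in the thread: major code 11 (FAILURE)
    // with a minor string that mentions initLifetime (assumed stable text).
    static boolean isLifetimeRejection(GSSException e) {
        String minor = e.getMinorString();
        return e.getMajor() == GSSException.FAILURE
                && minor != null && minor.contains("initLifetime");
    }

    public static void main(String[] args) {
        // Constructed exceptions: the first reuses the codes and text quoted above.
        GSSException reported = new GSSException(GSSException.FAILURE, 0,
                "Desired initLifetime zero or less");
        GSSException noCred = new GSSException(GSSException.NO_CRED);
        System.out.println("DEFAULT_LIFETIME    = " + GSSCredential.DEFAULT_LIFETIME);
        System.out.println("INDEFINITE_LIFETIME = " + GSSCredential.INDEFINITE_LIFETIME);
        System.out.println("retry on reported error: " + isLifetimeRejection(reported));
        System.out.println("retry on NO_CRED:        " + isLifetimeRejection(noCred));
    }
}
```

The main method needs no Kerberos setup; it only shows the two lifetime constants and which failures the retry would cover.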



RE: SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK

2013-10-09 Thread Chawla, Rachit


> Hi All,
>
> I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 
> but not able to get it working. We tried on 7.0.29 version too. Since I get 
> Login Successful in logs, I assume Kerberos login was successful. It's 
> SpnegoAuthentication that is failing.
>
> Exception:
>
> java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
> code: 11, minor code: 0
>  major string: General failure, unspecified at GSSAPI level
>  minor string: Desired initLifetime zero or less
>
>
> Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as 
> reference. On decompiling SpnegoAuthenticator code, we saw that we are using 
> GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the 
> reason for the exception.
>
> final PrivilegedExceptionAction action =
>     new PrivilegedExceptionAction() {
>         @Override
>         public GSSCredential run() throws GSSException {
>             return manager.createCredential(null,
>                     GSSCredential.DEFAULT_LIFETIME,
>                     new Oid("1.3.6.1.5.5.2"),
>                     GSSCredential.ACCEPT_ONLY);
>         }
>     };

Hi,

I am using the same source code for my SpnegoAuthenticator with an Oracle JVM 
on Windows and a HP VM on HP-UX.

Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to 
GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html


Thanks Michael. It did solve the issue. 
Not sure if it will be acceptable as a fix, due to constraints and stuff.

Appreciate the effort :). 



Re: SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK

2013-10-08 Thread Michael-O

On 2013-10-08 10:39, Chawla, Rachit wrote:

Hi All,

I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 
but not able to get it working. We tried on 7.0.29 version too. Since I get 
Login Successful in logs, I assume Kerberos login was successful. It's 
SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
code: 11, minor code: 0
 major string: General failure, unspecified at GSSAPI level
 minor string: Desired initLifetime zero or less


Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as 
reference. On decompiling SpnegoAuthenticator code, we saw that we are using 
GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the 
reason for the exception.

final PrivilegedExceptionAction action =
    new PrivilegedExceptionAction() {
        @Override
        public GSSCredential run() throws GSSException {
            return manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY);
        }
    };


Hi,

I am using the same source code for my SpnegoAuthenticator with an 
Oracle JVM on Windows and a HP VM on HP-UX.


Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to 
GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.


Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html





SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK

2013-10-08 Thread Chawla, Rachit
Hi All,

I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 
but not able to get it working. We tried on 7.0.29 version too. Since I get 
Login Successful in logs, I assume Kerberos login was successful. It's 
SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Desired initLifetime zero or less


Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as 
reference. On decompiling SpnegoAuthenticator code, we saw that we are using 
GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the 
reason for the exception.

final PrivilegedExceptionAction action =
    new PrivilegedExceptionAction() {
        @Override
        public GSSCredential run() throws GSSException {
            return manager.createCredential(null,
                    GSSCredential.DEFAULT_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"),
                    GSSCredential.ACCEPT_ONLY);
        }
    };



Environment details are:

OS: AIX

Java: java version "1.6.0"

Java(TM) SE Runtime Environment (build pap3260sr11-20120806_01(SR11))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc-32 
jvmap3260sr11-20120801_118201 (JIT enabled, AOT enabled)
J9VM - 20120801_118201
JIT  - r9_20120608_24176ifx1
GC   - 20120516_AA)
JCL  - 20120713_01

Tomcat Version : 7.0.42

I tried with Java 6 (SR9), 7 (SR1, SR5), but I always get stuck on the error below.

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Desired initLifetime zero or less




We get the following output from catalina/log.


[JGSS_DBG_CRED] JAAS config: debug=true
[JGSS_DBG_CRED] JAAS config: credsType=accept only
[JGSS_DBG_CRED] config: useDefaultCcache=false (default)
[JGSS_DBG_CRED] config: useCcache=null
[JGSS_DBG_CRED] config: useDefaultKeytab=false
[JGSS_DBG_CRED] config: useKeytab=file:/home/qauser1/racTemp/apache-tomcat-7.0.29/conf/qafalcon.keytab
[JGSS_DBG_CRED] JAAS config: forwardable=false (default)
[JGSS_DBG_CRED] JAAS config: renewable=false (default)
[JGSS_DBG_CRED] JAAS config: proxiable=false (default)
[JGSS_DBG_CRED] JAAS config: noAddress=false (default)
[JGSS_DBG_CRED] JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED] JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED] JAAS config: interactive login? no
[JGSS_DBG_CRED] Retrieving Kerberos creds from keytab for principal=null
[JGSS_DBG_CRED] No Kerberos creds in keytab : java.io.BufferedInputStream@28502850
[JGSS_DBG_CRED] Done retrieving Kerberos creds from keytab


[JGSS_DBG_CRED] Login successful


[JGSS_DBG_CRED] HTTP/a...@zzz.net added to Subject
[JGSS_DBG_CRED] Attempting to add 1 Kerberos key(s) to Subject for HTTP/a...@zzz.net
[JGSS_DBG_CRED] added key of type rc4-hmac
[JGSS_DBG_CRED] Successfully added 1 keys to Subject.
[JGSS_DBG_PROV] Number of system providers=9
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] 3 system providers found/added
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV] 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMJGSSProvider
[JGSS_DBG_PROV] 1.2.840.113554.1.2.2
[JGSS_DBG_PROV] getMechOidFromProperty: mech oid string = 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: Mechanism(s) supported by provider IBMSPNEGO
[JGSS_DBG_PROV] 1.3.6.1.5.5.2
[JGSS_DBG_PROV] getMechs: 2 unique mechanism(s) found
[JGSS_DBG_PROV] [0]: 1.3.6.1.5.5.2
[JGSS_DBG_PROV] [1]: 1.2.840.113554.1.2.2
[JGSS_DBG_CRED] Creating mech cred for null, mech 1.3.6.1.5.5.2, usage accept only
[JGSS_DBG_PROV] Provider Entry: provider: IBMJGSSProvider, mechanism: 1.3.6.1.5.5.2 get Factory for mech: 1.3.6.1.5.5.2 caller:-1
[JGSS_DBG_PROV] Created new (empty) factory list (size=1) for provider IBMJGSSProvider version 1.6
[JGSS_DBG_PROV] Loading factory
[JGSS_DBG_PROV] Factory class name for provider IBMJGSSProvider version 1.6 is com.ibm.security.jgss.mech.spnego.SPNEGOMechFactory
[JGSS_DBG_PROV] Prior to load
[JGSS_DBG_PROV] Done to load
[JGSS_DBG_PROV] Loaded factory for provider IBMJGSSProvider ver