On 2013-10-09 17:28, Chawla, Rachit wrote:


Hi All,

I am struggling with SSO configuration using the SPNEGO mechanism on Tomcat 7.0.42 
but am not able to get it working. We tried version 7.0.29 too. Since I get 
Login Successful in the logs, I assume the Kerberos login was successful. It's 
SpnegoAuthentication that is failing.

Exception:

java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major 
code: 11, minor code: 0
      major string: General failure, unspecified at GSSAPI level
      minor string: Desired initLifetime zero or less


Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as 
reference. On decompiling SpnegoAuthenticator code, we saw that we are using 
GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the 
reason for the exception.

    final PrivilegedExceptionAction<GSSCredential> action =
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(null,
                            GSSCredential.DEFAULT_LIFETIME,
                            new Oid("1.3.6.1.5.5.2"),
                            GSSCredential.ACCEPT_ONLY);
                }
            };

Hi,

I am using the same source code for my SpnegoAuthenticator with an Oracle JVM 
on Windows and an HP VM on HP-UX.

Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to 
GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html


Thanks Michael. It did solve the issue.
Not sure if it will be acceptable as a fix, due to constraints and stuff.

Appreciate the effort :).

If this one works, are you able to file a bug with IBM's JVM?

The behavior should be the same as in Oracle's VM or MIT/Heimdal Kerberos.

Michael
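
The workaround discussed in this thread, as an added Java example (not Tomcat's code and not the code from [1]; the class and method names are hypothetical). In org.ietf.jgss.GSSCredential, DEFAULT_LIFETIME is the constant 0 and INDEFINITE_LIFETIME is Integer.MAX_VALUE, so the helper requests the default first and retries with the indefinite lifetime only when the provider answers with major code 11. It assumes the service's Kerberos login is already in place, as in the snippet quoted above; without one it just reports the provider's error.

```java
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added example; AcceptorCredentialProbe and createAcceptorCredential are hypothetical names.
public class AcceptorCredentialProbe {

    // SPNEGO mechanism OID, the same value the snippet in the thread passes.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // Request the acceptor credential with DEFAULT_LIFETIME (0) first. Retry with
    // INDEFINITE_LIFETIME (Integer.MAX_VALUE) only on major code 11 (FAILURE), the
    // code reported in the thread; any other error is passed on unchanged.
    static GSSCredential createAcceptorCredential(GSSManager manager) throws GSSException {
        Oid spnego = new Oid(SPNEGO_OID);
        try {
            return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                    spnego, GSSCredential.ACCEPT_ONLY);
        } catch (GSSException e) {
            if (e.getMajor() != GSSException.FAILURE) {
                throw e;
            }
            System.err.println("DEFAULT_LIFETIME rejected (" + e.getMinorString()
                    + "), retrying with INDEFINITE_LIFETIME");
            return manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    spnego, GSSCredential.ACCEPT_ONLY);
        }
    }

    public static void main(String[] args) {
        try {
            GSSCredential cred = createAcceptorCredential(GSSManager.getInstance());
            // Log what the provider actually granted, in seconds.
            System.out.println("Acceptor credential lifetime: "
                    + cred.getRemainingLifetime() + " s");
            cred.dispose();
        } catch (GSSException e) {
            // Without a Kerberos login or keytab this branch shows the provider's error.
            System.err.println("major " + e.getMajor() + " (" + e.getMajorString()
                    + "), minor " + e.getMinor() + " (" + e.getMinorString() + ")");
        }
    }
}
```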

