Problem getting Kerberos service ticket - sname has IP address not hostname.
Hello,
I'm hoping that someone can help here. I've posted on a couple of different forums and not had any response. I have a Java application that is running on a Windows XP client, with a Windows Server 2003 AD controller. The Java application is trying to get a service ticket to authenticate against a database running on a Linux server.
My problem is that the application fails when it requests the service ticket. From the debug output it appears to be replacing the server name with the ip address in the sname field. I've pasted the Java code and the response below.
Is there a Windows tool that I can test with to make sure the environment is configured correctly? Is there something the administrators need to do on the AD server?
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
// Kerberos V5 mechanism OID
org.ietf.jgss.Oid[] desiredMechs = new org.ietf.jgss.Oid[1];
desiredMechs[0] = new org.ietf.jgss.Oid("1.2.840.113554.1.2.2");
GSSManager manager = GSSManager.getInstance();
// Client principal and initiator credentials (8 hour lifetime)
GSSName clientName = manager.createName("MontgomeryB@LAB2K.NET", GSSName.NT_USER_NAME);
GSSCredential clientCreds = manager.createCredential( GSSCredential.INITIATE_ONLY);
GSSCredential clientCred = manager.createCredential(clientName,
8 * 3600, desiredMechs[0], GSSCredential.INITIATE_ONLY);
// Host-based service name in service@host form
GSSName serverName = manager.createName("HTTP@poe3b.lab2k.net", GSSName.NT_HOSTBASED_SERVICE);
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=labad2.lab2k.net UDP:88, timeout=30000, number of retries =3, #bytes=1276
KDCCommunication: kdc=labad2.lab2k.net UDP:88, timeout=30000,Attempt =1, #bytes=1276
KrbKdcReq send: #bytes read=92
KrbKdcReq send: #bytes read=92
KDCRep: init() encoding tag is 126 req type is 13
KRBError:
sTime is Mon Jul 26 12:07:34 EDT 2010 1280160454000
suSec is 65057
error code is 7
error Message is Server not found in Kerberos database
realm is LAB2K.NET
sname is HTTP/172.16.118.89
msgType is 30
KrbException: Server not found in Kerberos database (7)
Thanks - Bryan
August 3rd, 2010 9:49pm
Hi,
I looked at the org.ietf.jgss interfaces and I can't find anything wrong
with the code that would be causing the name to be converted to an IP
address. Perhaps it is a problem with the version of the underlying Sun
library that you are calling. My only recommendation would be to try
with the latest version of the JDK and the latest version of JAAS or
JGSS if they are bundled separately.
You might be able to get a better answer here,
http://forums.sun.com/forum.jspa?forumID=545&start=0
-- Mike Burr
August 3rd, 2010 11:47pm
Thanks Mike,
I have tried posting to the Java forums - with some success, that got me further along.
Interestingly, after posting this I took the Java code and ran it on a Linux machine where it worked fine. Incidentally, the Windows Java version was one minor revision newer.
I think it may be something to do with the Windows network configuration. It's frustrating as it seems it should work - however, it looks like it might not be needed for the project anymore.
Bryan.
August 7th, 2010 6:50pm
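A check for the symptom in this thread, added here as an example and not part of any post. It assumes the JDK's Kerberos provider canonicalizes a host-based service name through a reverse DNS lookup, so a failed reverse lookup on the client would turn poe3b.lab2k.net into the IP literal seen in sname. The class and helper names are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added diagnostic, not code from the thread. Run it on the client that fails.
public class SpnHostCheck {

    // True for a dotted-quad IPv4 literal or anything containing ':' (IPv6 literal).
    static boolean looksLikeIpLiteral(String s) {
        return s.matches("\\d{1,3}(\\.\\d{1,3}){3}") || s.indexOf(':') >= 0;
    }

    // service/host form as it appears in the sname field of the KDC request.
    static String toSname(String service, String canonicalHost) {
        return service + "/" + canonicalHost.toLowerCase();
    }

    public static void main(String[] args) {
        // Defaults are the service and host from the original post.
        String service = args.length > 0 ? args[0] : "HTTP";
        String host = args.length > 1 ? args[1] : "poe3b.lab2k.net";
        try {
            InetAddress addr = InetAddress.getByName(host);   // forward lookup
            // Reverse lookup; the API returns the IP text if it fails.
            String canonical = addr.getCanonicalHostName();
            System.out.println("forward: " + host + " -> " + addr.getHostAddress());
            System.out.println("reverse: " + addr.getHostAddress() + " -> " + canonical);
            System.out.println("sname  : " + toSname(service, canonical));
            if (looksLikeIpLiteral(canonical)) {
                System.out.println("FAIL: reverse lookup returned no name; "
                        + "check the PTR record and the client's DNS settings.");
                System.exit(2);
            } else if (!canonical.equalsIgnoreCase(host)) {
                System.out.println("WARN: canonical name differs from the requested host; "
                        + "the SPN must be registered for the canonical name.");
                System.exit(1);
            }
            System.out.println("OK: forward and reverse lookups agree.");
        } catch (UnknownHostException e) {
            System.out.println("FAIL: forward lookup failed for " + host);
            System.exit(3);
        }
    }
}
```

Running the same class on the Linux machine where the request succeeded and on the Windows XP client shows whether the two resolvers return different canonical names for the same host.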