[ 
https://issues.apache.org/jira/browse/DIRSTUDIO-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12787999#action_12787999
 ] 

Stefan Seelmann commented on DIRSTUDIO-606:
-------------------------------------------

I never tried with Windows7, only XP and Vista clients against a Windows Server 
2003. We use JNDI, which uses JAAS, which uses JGSS. For XP and Vista it is 
necessary to set a registry key [1] to be able to access the TGT, do you 
know if this is still possible with Windows 7?

Have you tried to choose the option "Obtain TGT from KDC" ("TGT vom KDC 
anfordern") and provide username and password? Does it work with this option?

In Studio we create our own JAAS Configuration, based on the settings in the 
connection properties. But you could disable this feature and provide your own 
JAAS config file (see [1] again). You need to activate 
"Window"->"Preferences"->"Apache Directory Studio"->"Connections"->"Use 
Kerberos System Settings" (this disables the Kerberos configuration in 
connection properties). Maybe you could find your own settings to make it work.

[1] 
http://java.sun.com/javase/6/docs/technotes/guides/security/kerberos/jgss-windows.html

> Cannot use Windows in memory TGT (AES128/256) on Windows 7
> ----------------------------------------------------------
>
>                 Key: DIRSTUDIO-606
>                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-606
>             Project: Directory Studio
>          Issue Type: Bug
>    Affects Versions: 1.5.0, 1.5.1
>         Environment: Windows 7 Ultimate
>            Reporter: Michael Waldvogel
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> I'm using JRE 1.6_17 together with the unlimited JCE profile. I used 
> Directory Studio 1.5.0 on Windows XP and used the option "Use native TGT". As 
> long as I was using Windows XP together with rc4-hmac, everything worked like 
> a charm. Then I changed to Windows 7 and made use of newly supported 
> encryption cipher aes256-cts-hmac-sha1-96. I think the encryption cipher id 
> is 18 as far as I could extract that from the KDC's log.
> Now I get the following error, when I try to connect to the LDAP server 
> (OpenLDAP 2.4.19):
> Fehler beim Öffnen der Verbindung (= problem when opening connection)
>  - GSSAPI
>   javax.naming.AuthenticationException: GSSAPI [Root exception is 
> javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: Integrity check 
> on decrypted field failed (31) - PROCESS_TGS)]]
>       at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
>       at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.ensureOpen(Unknown Source)
>       at com.sun.jndi.ldap.LdapCtx.reconnect(Unknown Source)
>       at javax.naming.ldap.InitialLdapContext.reconnect(Unknown Source)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$8.run(JNDIConnectionWrapper.java:1165)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Unknown Source)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doGssapiBind(JNDIConnectionWrapper.java:1159)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.access$700(JNDIConnectionWrapper.java:106)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper$7.run(JNDIConnectionWrapper.java:1041)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.runAndMonitor(JNDIConnectionWrapper.java:1272)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.doBind(JNDIConnectionWrapper.java:1065)
>       at org.apache.directory.studio.connection.core.io.jndi.JNDIConnectionWrapper.bind(JNDIConnectionWrapper.java:254)
>       at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
>       at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:114)
>       at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by 
> GSSException: No valid credentials provided (Mechanism level: Integrity check 
> on decrypted field failed (31) - PROCESS_TGS)]
>       at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
>       ... 19 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: 
> Integrity check on decrypted field failed (31) - PROCESS_TGS)
>       at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
>       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>       at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
>       ... 20 more
> Caused by: KrbException: Integrity check on decrypted field failed (31) - 
> PROCESS_TGS
>       at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
>       at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
>       at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
>       at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
>       at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
>       ... 23 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>       at sun.security.krb5.internal.KDCRep.init(Unknown Source)
>       at sun.security.krb5.internal.TGSRep.init(Unknown Source)
>       at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>       ... 28 more
>   GSSAPI
> If I directly connect to the KDC and retrieve the TGT from there, I can 
> connect to the LDAP server without any problem using Kerberos authentication.
> I'm not completely sure, if this is an issue with Directory Studio or with 
> JRE. Can you please let me know, if you extract the TGT directly from Windows 
> or if you use the Java GSSAPI to access the TGT? If it's a JRE problem I'm gonna 
> report to Sun immediately.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
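The comment above describes the path Studio takes (JNDI -> JAAS -> JGSS) and the two things that decide whether a native Windows TGT is usable from Java: the LSA registry key from [1] and a Krb5LoginModule configuration that reads the ticket cache instead of prompting. The following diagnostic is an added example written for this page; it is not code from Directory Studio or from either participant. It installs a programmatic JAAS Configuration equivalent to the config-file entry from [1] (the entry name "NativeTgt" is arbitrary and assumed), verifies that the JRE allows 256-bit AES keys (the "unlimited JCE" point in the report), and prints the session-key encryption type of whatever TGT Krb5LoginModule found (18 = aes256-cts-hmac-sha1-96, the cipher id mentioned in the report). The registry path shown in the failure hint is the Vista/2003+ location from [1]; on XP the same value lives one level up, without the Parameters subkey. Java 7 or later syntax is assumed.

```java
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Diagnostic for "Use native TGT" failures (added example, not Studio code):
 * builds a JAAS configuration of the kind Studio builds programmatically,
 * asks Krb5LoginModule for the TGT held by the Windows LSA and reports the
 * session-key encryption type so the AES-256 case can be confirmed.
 */
public class NativeTgtCheck {

    // Assumed entry name; any name works because we install our own Configuration.
    private static final String ENTRY = "NativeTgt";

    // Equivalent of this jaas.conf entry from the JGSS Windows guide [1]:
    //   NativeTgt { com.sun.security.auth.module.Krb5LoginModule required
    //               useTicketCache=true doNotPrompt=true; };
    static final class NativeTgtConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!ENTRY.equals(name)) {
                return null;
            }
            Map<String, String> options = new HashMap<>();
            options.put("useTicketCache", "true"); // read the LSA credential cache
            options.put("doNotPrompt", "true");    // never fall back to a password prompt
            options.put("debug", "true");          // let the module print its own diagnostics
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /** A 256-bit AES session key (etype 18) needs the unlimited-strength policy files on JRE 6. */
    static boolean unlimitedJcePolicyInstalled() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Logs in from the native ticket cache; returns the Subject, or null after printing a hint. */
    static Subject loginFromNativeCache() {
        Configuration.setConfiguration(new NativeTgtConfiguration());
        try {
            LoginContext lc = new LoginContext(ENTRY);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            System.out.println("Krb5LoginModule could not use the Windows TGT: " + e.getMessage());
            System.out.println("Check that the LSA exports the TGT session key (see [1]):");
            System.out.println("  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters");
            System.out.println("  allowtgtsessionkey (REG_DWORD) = 1");
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Unlimited JCE policy installed: "
                + (unlimitedJcePolicyInstalled() ? "yes" : "NO"));
        Subject subject = loginFromNativeCache();
        if (subject == null) {
            return;
        }
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            // 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac
            System.out.printf("TGT %s -> %s, session key etype %d, expires %s%n",
                    ticket.getClient().getName(), ticket.getServer().getName(),
                    ticket.getSessionKeyType(), ticket.getEndTime());
        }
    }
}
```

Run it with the same JRE that Studio uses (`java NativeTgtCheck`). If the login fails before any ticket is listed, the JRE never got a usable session key from the LSA and the registry key is the first thing to verify; if a ticket is listed with etype 18 but the policy line says "NO", the JRE cannot decrypt the AES-256 TGS reply, which matches the "Integrity check on decrypted field failed (31)" symptom in the report.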