Boris Dushanov created WSS-500:
----------------------------------
Summary: Kerberos client/server actions are only supporting
NT_HOSTBASED_SERVICE service name form
Key: WSS-500
URL: https://issues.apache.org/jira/browse/WSS-500
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 1.6.4
Reporter: Boris Dushanov
Assignee: Colm O hEigeartaigh

I'm trying to use wss4j for Kerberos authentication against a KDC based on Active
Directory, but that is not possible.

According to the Setspn tool documentation from
Microsoft (http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx),
the service name form should look like this:
serviceclass/host:port/servicename. In GSS terms this type of service name is
of type NT_USER_NAME.

Currently the org.apache.wss4j.common.kerberos.KerberosClientAction and
org.apache.wss4j.common.kerberos.KerberosServiceAction only support an
org.ietf.jgss.NT_HOSTBASED_SERVICE service name form, which is hardcoded when
creating the GSSName for the service. This makes wss4j not operable with a KDC based
on Active Directory.

The following is the exception I'm receiving when trying to get a service
ticket from the AD KDC while executing the wss4j KerberosTest:

KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:311)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:449)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:67)
    at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:36)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:356)
    at org.apache.wss4j.dom.message.token.KerberosSecurity.retrieveServiceTicket(KerberosSecurity.java:184)
    at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:148)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 39 more
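
The two GSS name types contrasted in the report, side by side, as an added example that is not part of the original message and is not WSS4J code. The class name, the `gssServiceName` helper, the realm and KDC properties and both service names are constructed for illustration.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added illustration; class, helper and sample names are hypothetical.
public class ServiceNameForms {

    // Kerberos V5 GSS-API mechanism OID (RFC 1964).
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    // Build the target name with a caller-selected name type instead of
    // hardcoding NT_HOSTBASED_SERVICE.
    static GSSName gssServiceName(GSSManager manager, String serviceName,
                                  boolean usernameForm) throws GSSException {
        Oid nameType = usernameForm
                ? GSSName.NT_USER_NAME            // parsed as a Kerberos principal name
                : GSSName.NT_HOSTBASED_SERVICE;   // "service@host" form
        return manager.createName(serviceName, nameType);
    }

    public static void main(String[] args) throws GSSException {
        // Constructed realm and KDC so that canonicalization has a default
        // realm without a krb5.conf; no KDC is contacted by this program.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_MECH_OID);

        // Constructed sample names, one per name form.
        GSSName hostBased = gssServiceName(manager, "HTTP@app.example.com", false);
        GSSName userForm = gssServiceName(manager, "HTTP/app.example.com:8443/orders", true);

        // canonicalize() shows the Kerberos principal each form maps to,
        // which is the server name requested from the KDC in the TGS exchange.
        System.out.println("host-based: " + hostBased.canonicalize(krb5));
        System.out.println("user-name : " + userForm.canonicalize(krb5));
    }
}
```

Comparing the printed principals with the SPNs actually registered for the service account shows which name form the client has to request.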