GSSAPI on Windows still does not work (neither to the domain controller as 
Directory Server nor to a Linux Directory Server running MIT Kerberos; KDC in 
both cases Active Directory; so maybe it's another problem than an 
interoperability problem):

C:\Programme\jxplorer>rem # This version uses wild cards and is only suitable for Java 1.6 or better

C:\Programme\jxplorer>rem # (use jxplorer_old_jvm.bat for previous versions)

C:\Programme\jxplorer>java -classpath ".;jars/*;jasper/lib/*" -Djava.security.krb5.conf=c:\windows\krb5.ini -Dfile.encoding=utf-8  com.ca.directory.jxplorer.JXplorer
18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer printTime
INFO: main start
TIME: Fri Jan 18 09:44:40 CET 2013  (928)

18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java from: C:\Programme\Java\jre6
18.01.2013 09:44:40 com.ca.directory.jxplorer.JXplorer checkJavaEnvironment
INFO: running java version 1.6.0_37
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig getConfigDirectory
WARNUNG: JX using configDirectory: C:\Programme\jxplorer\
18.01.2013 09:44:41 com.ca.directory.jxplorer.JXConfig setupLogger
INFO: setting up logger
XXX logging initially level WARNING with 0 parents=true
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
C:\Programme\jxplorer\search_filters.txt
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
bookmarks.txt
18.01.2013 09:44:41 com.ca.commons.cbutil.CBUtility readPropertyFile
WARNUNG: No property list:
quicksearch.txt
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
        at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
        at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
        at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
        at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
        at javax.naming.InitialContext.init(Unknown Source)
        at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
        at com.ca.commons.jndi.JndiAction.run(JndiAction.java:37)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Unknown Source)
        at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:160)
        at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
        at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
        at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
        at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
        at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
        at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
        at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
        ... 28 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
        ... 29 more
Caused by: KrbException: Invalid option setting in ticket request. (101)
        at sun.security.krb5.KrbTgsReq.<init>(Unknown Source)
        at sun.security.krb5.KrbTgsReq.<init>(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
        at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
        ... 32 more
18.01.2013 09:44:47 com.ca.directory.jxplorer.broker.JNDIDataBroker openConnection
WARNUNG: initial receipt of exception by jndi broker a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
        at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
        at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
        at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
        at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
        at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
        at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
        at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
        at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
        at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
        at java.lang.Thread.run(Unknown Source)

Any more ideas?

Kind regards
DI Michael Gsandtner
Magistrat Wien, MA 14, AS3 - Zentrale Dienste
Doblhoffgasse 9/2/9/4
1082 Wien
T +43 1 4000 91640 | F + 43 1 4000 99 91640
M +43 676 8118 91640
E michael.gsandt...@wien.gv.at


-----Original Message-----
From: Douglas E. Engert *EXTERN* [mailto:deeng...@anl.gov]
Sent: Tuesday, 15 January 2013 17:41
To: Gsandtner Michael
Subject: Re: AW: [Jxplorer-users] gssapi windows <-> Linux



On 1/15/2013 4:22 AM, Gsandtner Michael wrote:
> I have installed kfw (http://web.mit.edu/kerberos/kfw-4.0/kfw-4.0.html) and 
> configured everything listed here. It still does not work.
> Can you send me your jxplorer.bat creating jxconfig.txt? Maybe these 
> settings differ.

I have been using the KfW-3.2.2, mostly because we use OpenAFS. You may not
need KfW and Java can access the Windows LSA credentials, or Java has
its own kinit.

The info in here may be helpful:
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin

Java will look for the krb5.ini in a number of places. The jxplorer.bat can set 
this.

Java will look for a ticket cache in a number of places.
      %HOME%\krb5cc_userid for Windows is first. If you have one of these files,
      delete it, so it does not get in the way. (If you used the Java kinit command
      it may create one of these.)

     Native credentials cache (LSA, or Local Security Authority, for Windows).
     This is the one where Windows stores the tickets if you login to a domain
     or if you do a runAs or RunAS Administrator.

KfW will have set:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Which will allow applications like KfW and Java to fetch the TGT from the
LSA cache.

KfW may also have created a c:\Windows\krb5.ini


The connection to an AD DC would look something like:
   Host: FQDN of one of the DCs
   Port: 389
   Protocol: LDAP v3
   Base DN: dc=xxx,dc=xxx (whatever the AD Domain is)
   Security Level: GSSAPI
            User DN: (grayed out, not used)
            Password: (grayed out, not used)

Hope this helps.

>
> Kind regards
> DI Michael Gsandtner
> Magistrat Wien, MA 14, AS3 - Zentrale Dienste
> Doblhoffgasse 9/2/9/4
> 1082 Wien
> T +43 1 4000 91640 | F + 43 1 4000 99 91640
> M +43 676 8118 91640
> E michael.gsandt...@wien.gv.at
>
>
> -----Original Message-----
> From: Douglas E. Engert *EXTERN* [mailto:deeng...@anl.gov]
> Sent: Thursday, 10 January 2013 17:07
> To: jxplorer-users@lists.sourceforge.net
> Subject: Re: [Jxplorer-users] gssapi windows <-> Linux
>
> Attached is a jxplorer.bat file that is started from a shortcut
> with the Start in: C:\opt\jxplorer
>
> The Java Kerberos may need a krb5.conf or krb5.ini file which
> lists the realm and KDCs.
>
> The -Djxplorer.config=user.home ends up using the Windows USERPROFILE
> environment variable for example: C:\Users\username
> and the jxplorer directory would end up with the
> connections.txt, gssapi.conf and jxconfig.txt
>
> The gssapi.conf is created if not present. I suspect that jxplorer
> is trying to create it in the program directory. It has:
>
> com.ca.commons.jndi.JNDIOps {
>     com.sun.security.auth.module.Krb5LoginModule required client=TRUE
>       useTicketCache=TRUE;
> };
>
> This might be very helpful too:
> http://info.michael-simons.eu/2012/07/23/java-7-jaas-and-kerberos-single-sign-on-vs-newer-windows-systems/
>
>
> (I don't use Jxplorer on Windows much any more...)
>
> On 1/10/2013 2:33 AM, Gsandtner Michael wrote:
>> Jxplorer using kerberos authentication via GSSAPI on Red Hat works fine.
>>
>> Doing the same on Windows fails with:
>>
>> Error opening connection:
>>
>> javax.naming.NamingException: a problem with GSSAPI occurred - couldn't create a GSSAPI directory context
>>               at com.ca.commons.jndi.JNDIOps.setupKerberosContext(JNDIOps.java:165)
>>               at com.ca.commons.jndi.JNDIOps.<init>(JNDIOps.java:116)
>>               at com.ca.commons.jndi.BasicOps.<init>(BasicOps.java:55)
>>               at com.ca.commons.jndi.AdvancedOps.<init>(AdvancedOps.java:57)
>>               at com.ca.commons.naming.DXOps.<init>(DXOps.java:40)
>>               at com.ca.directory.jxplorer.broker.CBGraphicsOps.<init>(CBGraphicsOps.java:46)
>>               at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:455)
>>               at com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:400)
>>               at com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:374)
>>               at com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200)
>>               at com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:883)
>>               at com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165)
>>               at java.lang.Thread.run(Unknown Source)
>>
>> Our environment:
>>
>> Directory Server: Sun-Directory-Server/11.1.1.5.0 B2011.0517.2353 (64-bit) on Red Hat Enterprise Linux Server release 5.8 (Tikanga)
>>
>> KDC: Active Directory 2003 on Windows Server 2003 SP2
>>
>> Jxplorer v3.3.02 on Red Hat Enterprise Linux ES release 4 (Nahant Update 9): OK
>>
>> Jxplorer v3.3.02 on Windows XP Professional SP3: fail
>>
>> Jxplorer v3.3.02 on Windows 7 SP1 32bit: fail
>>
>> Any hint welcome.
>>
>>
>> Regards
>>
>> Michael Gsandtner, Magistrat Wien
>>
>>
>>
>> _______________________________________________
>> Jxplorer-users mailing list
>> Jxplorer-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/jxplorer-users
>>
>

-- 

   Douglas E. Engert  <deeng...@anl.gov>
   Argonne National Laboratory
   9700 South Cass Avenue
   Argonne, Illinois  60439
   (630) 252-5444
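
A read-only check of the client-side conditions listed in the message above (the allowtgtsessionkey registry value, a stale file ticket cache, and krb5.ini), as an added example that is not part of the original thread. The second registry location (the one used on Windows XP) and the fallback from %HOME% to %USERPROFILE% are assumptions not stated in the thread.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on the machine.
param([string]$Krb5Ini = 'C:\Windows\krb5.ini')   # path taken from the java command line above

function New-Finding($Check, $Detail, $Ok) {
    New-Object PSObject -Property @{ Check = $Check; Detail = $Detail; Ok = $Ok }
}

function Test-JavaGssapiClient([string]$Krb5Ini) {
    # 1. allowtgtsessionkey must be 1 so Java/KfW can fetch a usable TGT from the LSA cache.
    $keys = @(
        'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters',  # as given in the message
        'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'              # assumption: Windows XP location
    )
    $vals = foreach ($k in $keys) {
        (Get-ItemProperty -Path $k -Name allowtgtsessionkey -ErrorAction SilentlyContinue).allowtgtsessionkey
    }
    $isSet = @($vals | Where-Object { $_ -eq 1 }).Count -gt 0
    New-Finding 'allowtgtsessionkey' ("set to 1 in at least one location: $isSet") $isSet

    # 2. A file cache krb5cc_<userid> is consulted before the LSA; a leftover one gets in the way.
    #    Assumption: the home directory is %HOME% if set, otherwise %USERPROFILE%.
    $homes = @($env:HOME, $env:USERPROFILE) | Where-Object { $_ } | Select-Object -Unique
    foreach ($h in $homes) {
        $cc = Join-Path $h ('krb5cc_' + $env:USERNAME)
        if (Test-Path $cc) {
            $written = (Get-Item $cc).LastWriteTime
            New-Finding "file ticket cache $cc" "present, last written $written" $false
        } else {
            New-Finding "file ticket cache $cc" 'absent' $true
        }
    }

    # 3. krb5.ini must exist and list the realm and its KDCs.
    if (Test-Path $Krb5Ini) {
        $text = Get-Content $Krb5Ini
        $hasRealms = [bool]($text -match '^\s*\[realms\]')
        $hasKdc    = [bool]($text -match '^\s*kdc\s*=')
        New-Finding "krb5.ini $Krb5Ini" "[realms]=$hasRealms kdc=$hasKdc" ($hasRealms -and $hasKdc)
    } else {
        New-Finding "krb5.ini $Krb5Ini" 'missing' $false
    }
}

Test-JavaGssapiClient $Krb5Ini | Select-Object Check, Detail, Ok | Format-Table -AutoSize -Wrap
```

Because allowtgtsessionkey=1 lets processes in the logon session export the TGT together with its session key, it is worth confirming the value is set only on machines where Java or KfW actually needs it.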

