Hi Seema, I have narrowed things down quite a bit. If I use Firefox which uses raw kerberos tokens I still get the same error which means that this has nothing to do with SPNEGO. If I run the Filter in Jetty on Linux it works. So there's something about Tomcat / Windows / Java on Windows. On site we tried a variety of different versions of Java but the one I'm trying right now is Java 1.4.2_13.
The SPNs are mapped correctly and the password in fact correct. I've been doing a lot of the SSO stuff recently and I'm pretty good at diagnosing the many problems that can occur. I have compared tickets field by field using a packet sniffer (although I have not resorted to decrypting the encrypted fields yet). Do you happen to know if this particular exception is caused by a problem with the authenticator or decrypting the ticket in general? My next step will be to use Configuration.setConfiguration() to explore the effect of Krb5LoginModule options. Can you recommend futher action? Thanks, Mike On Tue, 07 Nov 2006 12:16:22 -0800 Seema Malkani <[EMAIL PROTECTED]> wrote: > What version of JDK are you using ? Sun's implementation of Java GSS > includes support for SPNEGO starting from Java SE 6. > > Has the SPN been setup correctly ? > > Seema > > Michael B Allen wrote On 11/06/06 11:26,: > > >I wrote an SPNEGO Java Servlet Filter that decodes the SPNEGO token, > >plucks out the krb5 mechToken and passes it to acceptSecContext. Works > >great on Linux/Jetty. Tomcat on Windows gives me the following exception. > >Basically it looks like it's failing to decrypt the ticket as if the > >password was wrong (but it's not). The service account is set for DES > >only. For the service credential, I manually create a KerberosKey with a > >plaintext password and enctype of "DES". > > > >Before I start doing byte for byte checking can anyone recommend potential > >reasons for this error? > > > >GSSException: Failure unspecified at GSS-API level (Mechanism level: > >Integrity check on decrypted field failed (31)) > > > > sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734) > > > > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300) > > > > sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246) > >________________________________________________ > >Kerberos mailing list [email protected] > >https://mailman.mit.edu/mailman/listinfo/kerberos > > > > > -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
