Hi All,

I've tried to disable the realm name case check in JDK (equals -> equalsIgnoreCase), and it works. In fact, I did several experiments changing the case of principal names, realm names, service names and hostnames, and MSAD just doesn't care. This is another case of Microsoft's long-term habit of ignoring case (BASIC language, file names, user names...).
We already accept BILL and bill and BiLL with the pre-authentication support in JDK 6. Are we going to embrace this ignorance again? RFC 4120 3.1.5 says "It also verifies that the sname and srealm in the response match those in the request (or are otherwise expected values)", and it seems MS has its own way of interpreting "match" and "expected values". Being strict is not bad here; it just confuses (and then teaches) careless users.

Thanks
Max

-------- Original Message --------
Subject: Re: JAVASEC - Problem running JAAS client from tutorial
Date: Tue, 01 Jan 2008 09:44:17 +0800
From: Max (Weijun) Wang <[EMAIL PROTECTED]>
To: Lea, Isaac <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]>

> realm is PRSDev.local
> sname is krbtgt/PRSDev.local

The realm name should be all CAPITAL for a Windows domain. Please use

  -Djava.security.krb5.realm=PRSDEV.LOCAL

on the command line.

Hope this helps
Max

On Jan 1, 2008, at 4:07 AM, Lea, Isaac wrote:

> I am trying to follow the tutorial for JAAS Authentication located
> here:
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
>
> I am trying to run the sample client JaasAcn.java but am getting a
> strange error when I try to log on to my Active Directory.
>
> I am using Java version: jre1.6.0_03
>
> I can log in to Active Directory fine with the credentials I am
> providing, just not with this client, so I know the credentials are
> valid.
>
> Here is the error I get that I don't understand.
> Any suggestions
> would be very helpful, if you provide help for this.
>
> The error message is: [Krb5LoginModule] authentication failed
> Message stream modified (41)
>
> Here is the full output:
>
> C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72 -Djava.security.auth.login.config=jaas.conf JaasAcn
>
> Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> Kerberos username [ILea]: sra
> Kerberos password for sra:
> [Krb5LoginModule] user entered username: sra
>
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> Acquire TGT using AS Exchange
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
> >>> KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
> >>> KrbKdcReq send: #bytes read=202
> >>> KrbKdcReq send: #bytes read=202
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Mon Dec 31 11:56:40 PST 2007 1199131000000
> suSec is 884978
> error code is 25
> error Message is Additional pre-authentication required
> realm is PRSDev.local
> sname is krbtgt/PRSDev.local
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 15
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> Pre-Authentication: Set preferred etype = 23
> >>>KrbAsReq salt is PRSDev.localsra
> Pre-Authenticaton: find key for etype = 23
> AS-REQ: Add PA_ENC_TIMESTAMP now
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=210
> >>> KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=210
> >>> KrbKdcReq send: #bytes read=1182
> >>> KrbKdcReq send: #bytes read=1182
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> [Krb5LoginModule] authentication failed
> Message stream modified (41)
> Authentication failed:
> Message stream modified (41)
>
> Isaac Lea
> Sierra Systems
> 737 Courtney Street
> Victoria, BC V8W 1C3
>
> Tel | 250.385.1535.
> Fax | 250.385.4761
> [EMAIL PROTECTED]
> www.SierraSystems.com
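To make the check Max is arguing about concrete, here is an added example (not the JDK's code and not written by anyone on the thread) that models the client-side AS-REP consistency check of RFC 4120 section 3.1.5 on plain strings, once strictly (the JDK's equals) and once case-insensitively (the equalsIgnoreCase variant Max tried). The field values are constructed to mirror the trace above: the client asks for PRSDev.local, and it is assumed here that the Windows KDC replies with the canonical uppercase PRSDEV.LOCAL; the nonce values are made up.

```python
"""Client-side AS-REP consistency check, modelled on RFC 4120 section 3.1.5.

Added example, not JDK code. It compares the realm and principal names a
client put in its AS-REQ with the ones that come back in the AS-REP, either
strictly or ignoring case, and reports KRB_AP_ERR_MODIFIED (41) on mismatch,
which is the "Message stream modified (41)" seen in the thread.
"""
from dataclasses import dataclass
from typing import Optional

KRB_AP_ERR_MODIFIED = 41   # error code reported by Krb5LoginModule in the trace


@dataclass(frozen=True)
class AsReq:
    """Fields of the AS-REQ body that the reply is expected to echo."""
    realm: str    # crealm; in an AS exchange also the realm of the krbtgt
    cname: str
    sname: str    # e.g. krbtgt/PRSDev.local
    nonce: int


@dataclass(frozen=True)
class AsRep:
    """Fields the client sees after decrypting the AS-REP's EncKDCRepPart."""
    crealm: str
    cname: str
    srealm: str
    sname: str
    nonce: int


class KrbError(Exception):
    def __init__(self, code: int, text: str):
        super().__init__(f"{text} ({code})")
        self.code = code


def _names_match(a: str, b: str, ignore_case: bool) -> bool:
    """Strict comparison (equals) or case-insensitive (equalsIgnoreCase)."""
    return a.casefold() == b.casefold() if ignore_case else a == b


def check_as_rep(req: AsReq, rep: AsRep, *, ignore_case: bool = False) -> None:
    """Raise KrbError(41) unless the reply is consistent with the request.

    The nonce is never compared loosely, so relaxing the name comparison
    does not weaken the binding between request and response.
    """
    if rep.nonce != req.nonce:
        raise KrbError(KRB_AP_ERR_MODIFIED, "Message stream modified")
    expected_vs_got = [
        (req.realm, rep.crealm),
        (req.cname, rep.cname),
        (req.realm, rep.srealm),
        (req.sname, rep.sname),
    ]
    for expected, got in expected_vs_got:
        if not _names_match(expected, got, ignore_case):
            raise KrbError(KRB_AP_ERR_MODIFIED, "Message stream modified")


def verify(req: AsReq, rep: AsRep, *, ignore_case: bool = False) -> Optional[int]:
    """Return None on success, otherwise the Kerberos error code."""
    try:
        check_as_rep(req, rep, ignore_case=ignore_case)
    except KrbError as e:
        return e.code
    return None


# Constructed exchange 1: the request from the trace; the uppercase reply is an
# assumption about how the Windows KDC canonicalises the realm.
REQ_MIXED = AsReq(realm="PRSDev.local", cname="sra",
                  sname="krbtgt/PRSDev.local", nonce=0x1A2B3C)
REP_UPPER = AsRep(crealm="PRSDEV.LOCAL", cname="sra", srealm="PRSDEV.LOCAL",
                  sname="krbtgt/PRSDEV.LOCAL", nonce=0x1A2B3C)

# Constructed exchange 2: Max's advice, request already in canonical form.
REQ_UPPER = AsReq(realm="PRSDEV.LOCAL", cname="sra",
                  sname="krbtgt/PRSDEV.LOCAL", nonce=0x1A2B3C)

# Constructed exchange 3: a reply for a different realm that reuses the nonce.
REP_OTHER_REALM = AsRep(crealm="OTHER.LOCAL", cname="sra", srealm="OTHER.LOCAL",
                        sname="krbtgt/OTHER.LOCAL", nonce=0x1A2B3C)

# Constructed exchange 4: correct names but a nonce that does not match.
REP_BAD_NONCE = AsRep(crealm="PRSDEV.LOCAL", cname="sra", srealm="PRSDEV.LOCAL",
                      sname="krbtgt/PRSDEV.LOCAL", nonce=1)


if __name__ == "__main__":
    print("mixed-case request, strict :", verify(REQ_MIXED, REP_UPPER))
    print("mixed-case request, relaxed:", verify(REQ_MIXED, REP_UPPER, ignore_case=True))
    print("uppercase request,  strict :", verify(REQ_UPPER, REP_UPPER))
    print("other realm,        relaxed:", verify(REQ_UPPER, REP_OTHER_REALM, ignore_case=True))
    print("bad nonce,          relaxed:", verify(REQ_UPPER, REP_BAD_NONCE, ignore_case=True))
```

Run stand-alone, the first line prints 41 and the second prints None: the same reply fails the strict check and passes the relaxed one, which is the difference between the failure in the trace and Max's equalsIgnoreCase experiment. The last two lines show that relaxing case still rejects a reply for a different realm or with the wrong nonce.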