krb5 debug:
Config name: C:\Windows\krb5.ini
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\my_user\krb5cc_my_user
>>>DEBUG <CCacheInputStream> client principal is my_user@somedomain
>>>DEBUG <CCacheInputStream> server principal is krbtgt/somedomain@somedomain
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> start time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> end time: Sat Nov 01 00:59:37 CET 2014
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() INITIAL; PRE_AUTH;
Host address is /10.x.x.x
Host address is /0:0:0:0:0:0:0:1
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> LSA contains TGT for my_user@somedomain not testuser@somedomain
Principal is testuser@somedomain
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 23
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 70; type: 18
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 17
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 62; type: 16
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 3
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 1
Added key: 1version: 1
Added key: 3version: 1
Added key: 16version: 1
Added key: 17version: 1
Added key: 18version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
0: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
0000: 9B 47 C6 62 E6 06 7F 82 AF 3D B2 A8 37 0C 14 AE .G.b.....=..7...
1: EncryptionKey: keyType=18 kvno=1 keyValue (hex dump)=
0000: 05 83 E7 FD 3C 71 A5 56 07 07 A9 8D 96 88 04 63 ....<q.V.......c
0010: 50 34 D0 D7 A3 0C 08 A0 F8 EA DB B3 8A DC 3D 0E P4............=.
2: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
0000: EB F3 B4 06 42 9A 6D 6C 9D FE 93 F8 E0 5B 47 65 ....B.ml.....[Ge
3: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
0000: B5 04 3B CE 0E EC 3D 68 68 0B A2 70 1C 37 13 67 ..;...=hh..p.7.g
0010: B9 1C 3E 04 08 80 73 EF
4: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
0000: 6B 51 67 C7 02 51 FD CE
5: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=
0000: 6B 51 67 C7 02 51 FD CE
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3, #bytes=151
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1, #bytes=151
>>> KrbKdcReq send: #bytes read=213
>>> KrbKdcReq send: #bytes read=213
>>> KdcAccessibility: remove somekdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Nov 04 09:14:25 CET 2014 1415088865000
suSec is 764190
error code is 25
error Message is Additional pre-authentication required
realm is somedomain
sname is krbtgt/somedomain
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18
PA-ETYPE-INFO2 salt = somedomaintestuser
PA-ETYPE-INFO2 s2kparams = null
PA-ETYPE-INFO2 etype = 23
PA-ETYPE-INFO2 salt = null
PA-ETYPE-INFO2 s2kparams = null
PA-ETYPE-INFO2 etype = 3
PA-ETYPE-INFO2 salt = somedomaintestuser
PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = somedomaintestuser
>>>KrbAsReq salt is somedomaintestuser
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3, #bytes=238
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1, #bytes=238
>>> KrbKdcReq send: #bytes read=1365
>>> KrbKdcReq send: #bytes read=1365
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testuser
principal is testuser@somedomain
Commit Succeeded
equals = false
Found ticket for testuser@somedomain to go to krbtgt/somedomain@somedomain expiring on Tue Nov 04 19:14:25 CET 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3, #bytes=1325
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1, #bytes=1325
>>> KrbKdcReq send: #bytes read=1288
>>> KrbKdcReq send: #bytes read=1288
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 6323637
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 04 C6 30 82 04 C2 A0 03 02 01 05 A1 ..n...0.........
--
View this message in context:
http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750648.html
Sent from the cxf-user mailing list archive at Nabble.com.