[security-dev 00031]: [Fwd: Re: JAVASEC - Problem running JAAS client from tutorial]

Weijun Max Wang Weijun.Wang at Sun.COM
Wed Jan 2 00:52:10 PST 2008


Hi All

I've tried to disable the realm name case check in JDK (equals ->
equalsIgnoreCase), and it works. In fact, I did several experiments
changing the case of principal names, realm names, service names and
hostnames, and MSAD just doesn't care. This is another case of
Microsoft's long term habit of ignoring case (BASIC language, file
names, user names...).

We already accept BILL and bill and BiLL with the pre-authentication
support in JDK 6. Are we going to embrace this ignorance again?

RFC 4120 3.1.5 says "It also verifies that the sname and srealm in the
response match those in the request (or are otherwise expected values)",
and it seems MS has its own way of interpreting "match" and "expected values".

Being strict is not bad here, it just confuses (and then teaches)
careless users.

Thanks
Max
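As an added illustration (not code from the thread or from the JDK), the following models the RFC 4120 3.1.5 name check a client applies to an AS-REP, with a strict policy standing in for String.equals and a relaxed one for equalsIgnoreCase. The KDC stand-in is constructed and assumed to echo the realm in canonical upper case, which is what the thread implies (relaxing the case check made the failure go away); the dataclass and function names are mine.

```python
# Added example: models the AS-REQ/AS-REP name consistency check (RFC 4120 3.1.5)
# and shows why a mixed-case realm in the request fails under a strict comparison
# when the KDC (assumed here to behave like AD) replies with the upper-case realm.
from dataclasses import dataclass

KRB_AP_ERR_MODIFIED = 41  # surfaced by the JDK as "Message stream modified (41)"


@dataclass(frozen=True)
class KdcNames:
    """The four name fields the client compares between request and reply."""
    crealm: str
    cname: str
    srealm: str
    sname: str


def names_match(requested: KdcNames, received: KdcNames, strict: bool = True):
    """Return (ok, error_code, detail).

    strict=True mirrors String.equals (the JDK behaviour discussed in the thread);
    strict=False mirrors String.equalsIgnoreCase (the relaxed experiment).
    """
    def same(a: str, b: str) -> bool:
        return a == b if strict else a.casefold() == b.casefold()

    for field in ("crealm", "cname", "srealm", "sname"):
        want, got = getattr(requested, field), getattr(received, field)
        if not same(want, got):
            return False, KRB_AP_ERR_MODIFIED, f"{field}: requested {want!r}, KDC returned {got!r}"
    return True, 0, "AS-REP names consistent with AS-REQ"


def canonical_kdc_reply(requested: KdcNames) -> KdcNames:
    """Constructed KDC stand-in: assumed to return the realm in upper case
    while leaving the client name as sent (case-insensitive lookup)."""
    realm = requested.srealm.upper()
    return KdcNames(crealm=realm, cname=requested.cname,
                    srealm=realm, sname=f"krbtgt/{realm}")


if __name__ == "__main__":
    # Constructed sample values taken from the debug output quoted in the thread.
    mixed = KdcNames("PRSDev.local", "sra", "PRSDev.local", "krbtgt/PRSDev.local")
    upper = KdcNames("PRSDEV.LOCAL", "sra", "PRSDEV.LOCAL", "krbtgt/PRSDEV.LOCAL")
    print("mixed-case realm, strict :", names_match(mixed, canonical_kdc_reply(mixed)))
    print("mixed-case realm, relaxed:", names_match(mixed, canonical_kdc_reply(mixed), strict=False))
    print("upper-case realm, strict :", names_match(upper, canonical_kdc_reply(upper)))
```

Under the strict policy only the upper-case realm passes, which is the remedy given in the reply below; the relaxed policy accepts both.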

-------- Original Message --------
Subject: Re: JAVASEC - Problem running JAAS client from tutorial
Date: Tue, 01 Jan 2008 09:44:17 +0800
From: Max (Weijun) Wang <Weijun.Wang at Sun.COM>
To: Lea, Isaac <IsaacLea at SierraSystems.com>
CC: java-security at sun.com
References:
<B121C734ED030C429B1513E9FB785984011F117D at svvic2000.sierrasys.com>

>          realm is PRSDev.local
>          sname is krbtgt/PRSDev.local

The realm name should be all CAPITAL for a Windows domain. Please use
-Djava.security.krb5.realm=PRSDEV.LOCAL on the command line.

Hope this helps
Max

On Jan 1, 2008, at 4:07 AM, Lea, Isaac wrote:

> I am trying to follow the tutorial for JAAS Authentication located here:
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/tutorials/AcnOnly.html
>
> I am trying to run the sample client JaasAcn.java but am getting a  
> strange error when I try to log on to my Active Directory.
>
> I am using Java version: jre1.6.0_03
>
> I can login to Active Directory fine with the credentials I am  
> providing, just not with this client, so I know the credentials are  
> valid.
>
> Here is the error I get that I don't understand.  Any suggestions  
> would be very helpful, if you provide help for this
>
> The Error message is: [Krb5LoginModule] authentication failed
> Message stream modified (41)
>
> Here is the full output:
>
> C:\Progra~1\Java\jre1.6.0_03\bin\java -Dsun.security.krb5.debug=true
> -Djava.security.krb5.realm=PRSDev.local -Djava.security.krb5.kdc=192.168.40.72
> -Djava.security.auth.login.config=jaas.conf JaasAcn
>
> Debug is  true storeKey false useTicketCache false useKeyTab false
> doNotPrompt false ticketCache is null isInitiator true KeyTab is null
> refreshKrb5Config is false principal is null tryFirstPass is false
> useFirstPass is false storePass is false clearPass is false
> Kerberos username [ILea]: sra
> Kerberos password for sra:
>                 [Krb5LoginModule] user entered username: sra
>
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> Acquire TGT using AS Exchange
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=144
> >>> KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=144
> >>> KrbKdcReq send: #bytes read=202
> >>> KrbKdcReq send: #bytes read=202
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>          sTime is Mon Dec 31 11:56:40 PST 2007 1199131000000
>          suSec is 884978
>          error code is 25
>          error Message is Additional pre-authentication required
>          realm is PRSDev.local
>          sname is krbtgt/PRSDev.local
>          eData provided.
>          msgType is 30
> >>>Pre-Authentication Data:
>          PA-DATA type = 11
>          PA-ETYPE-INFO etype = 23
> >>>Pre-Authentication Data:
>          PA-DATA type = 2
>          PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>          PA-DATA type = 15
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 3 1 23 16 17.
> Pre-Authentication: Set preferred etype = 23
> >>>KrbAsReq salt is PRSDev.localsra
> Pre-Authenticaton: find key for etype = 23
> AS-REQ: Add PA_ENC_TIMESTAMP now
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc=192.168.40.72 UDP:88, timeout=30000, number of retries =3, #bytes=210
> >>> KDCCommunication: kdc=192.168.40.72 UDP:88, timeout=30000,Attempt =1, #bytes=210
> >>> KrbKdcReq send: #bytes read=1182
> >>> KrbKdcReq send: #bytes read=1182
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>                 [Krb5LoginModule] authentication failed
> Message stream modified (41)
> Authentication failed:
>   Message stream modified (41)
>
> Isaac Lea
> Sierra Systems
> 737 Courtney Street
> Victoria, BC V8W 1C3
>
> Tel | 250.385.1535.
> Fax | 250.385.4761
> IsaacLea at SierraSystems.com
> www.SierraSystems.com
>