Kerberos Authentication Issue

Weijun Wang at
Mon Jul 25 08:47:05 UTC 2016

The JGSS/krb5 provider in jdk7 does not allow "insecure" hostname 
canonicalization for security reason. (A "secure" canonicalization means 
the result starts with the input. We still support this for 
compatibility). This is the reason why you see the service not found error.

When is set, the Java provider is not 
used, and whatever native GSS-API library installed in your system is 
used. In this case, you should not call JAAS (Krb5LoginModule) to launch 
JGSS. Instead, please call the JGSS-API directly.


On 7/21/2016 20:48, Carlos Gunners wrote:
> Hello,
> I have a situation here where we run an ldap service with round-robin
> dns .. so, we advertise a cname that resolves to multiple actual
> servers.  Also, this cnam is not setup as a service principal in kerberos.
> When I try to connect a java app (tomcat8 container, openjdk-7-jre v
> 7u101, debian jessie) to this ldap service via GSSAPI/kerberos using a
> keytab for auth, it repeatedly fails .. initially failing to find the
> service principal in kerberos via its non-canonical hostname (meaning
> that the java app totally ignores rdns setting, and thus does no reverse
> dns check before trying to obtain a ticket).
> When I define a JAVA_OPTION '' to
> tomcat8, then the failure changes completely to enctype mismatch type of
> errors like below :
>> LDAPException(resultCode=82 (local error), errorMessage='An error
> occurred while
>> attempting to initialize the JAAS login context for GSSAPI
> authentication:
>> Integrity check on decrypted
> field failed (31) -
>> PREAUTH_FAILED caused by KrbException: Integrity check on decrypted
> field failed (31) -
>> PREAUTH_FAILED caused by KrbException: Identifier doesn't match
> expected value (906)')
> The logs reveal the correct entypes are being used .. ktlog confirms
> that the keytab has the correct entypes ..
> It's worth noting that we have the same application setup and working
> exactly like this with openjdk-6-jre v 6b36 on debian squeeze ..
> I have spent so many days trouble-shooting this without success ..
> My questions are:
> -- how do I force java to respect rdns settings in krb5.conf, and avoid
> all these issues ?
> -- what's the best practice way to configure for a service designed in
> this way?  Or I must define the service principal in kerberos even for a
> round-robin presented service?
> -- are there any obvious issues I am overlooking ?
> Thanks in advance for suggestions, advice ..
> best regards

More information about the security-dev mailing list