KrbException exception does not contain error string although error is well-known

Osipov, Michael (SMD IT IN) michael.osipov at siemens.com
Wed Aug 9 07:30:15 UTC 2023


Folks, Max,

consider the following code snippet configured with the Krb5LoginModule:
> LoginContext lc = new LoginContext(loginEntryName);
> lc.login();

then a LoginException is thrown with the following stacktrace:
> 2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
>     javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
>         at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
>         at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
>         at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
>         at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
>         at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
>         at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
>         at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
>         at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
>         at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
>         ...
>         at java.lang.Thread.run(Thread.java:750)
>     Caused by: javax.security.auth.login.LoginException: null (29)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
>         at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>         at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>         at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>         at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
>         ... 23 more
>     Caused by: KrbException: null (29)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
>         at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
>         ... 35 more
>     Caused by: KrbException: Identifier doesn't match expected value (906)
>         at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>         at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>         at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>         at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>         ... 38 more

I am trying to obtain a TGT to authenticate through SASL GSSAPI to 
Active Directory via LDAP. This happened to me now repeatedly in the 
last couple of days around midnight. Looking up error code 29 gives 
KDC_ERR_SVC_UNAVAILABLE; obviously the AD DC server is in maintenance mode. 
What bugs me is that KDC_ERR_SVC_UNAVAILABLE(29) is documented in 
Krb5.java, has an error message and KrbException.java does use it, but 
no error message is mapped to the code.

Request: Maybe someone (Max?) could log an improvement request with JBS to
add the missing error codes 26--28 and 51 from [1]; also
>    public static final int KRB_AP_ERR_NOREALM          = 62;
>    public static final int KRB_AP_ERR_GEN_CRED         = 63;

look incorrect. Plus the mapping in errMsgList for those.

Note: Tried with OpenJDK 8.

Best regards,

Michael

[1] https://www.rfc-editor.org/rfc/rfc4120#section-7.5.9
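Added example, not code from the post or from OpenJDK: a small helper that recovers the KDC error code from a LoginException of the shape shown above ("null (29)") and names it per RFC 4120 section 7.5.9, using a local table that also carries the codes the post says errMsgList lacks (26--28, 51) and the RFC's own assignments for 62 and 63 for comparison with the constants quoted above. It assumes that KrbException.getMessage() ends in " (<code>)" and that Krb5LoginModule copies that message into the LoginException it throws (both visible in the stack trace), that codes in the hundreds such as 906 are JDK-local decoding codes rather than KRB-ERROR values (the 906 here is the ASN.1 tag mismatch from the reply being a KRB-ERROR, not an AS-REP), and it stops its table at 63; the class name, the threshold of 100 and the constructed exception chain in main are this example's own choices.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;

/* Example helper (hypothetical name, not part of OpenJDK): map a Krb5LoginModule
   failure back to its RFC 4120 error-code name when the JDK gives only "null (29)". */
public final class KrbErrorNames {

    /* RFC 4120 section 7.5.9 names indexed by error code, 0..63 (table assembled
       here; PKINIT/user-to-user codes 64..76 are left out). null = unassigned. */
    private static final String[] RFC4120 = {
        /* 0 */  "KDC_ERR_NONE", "KDC_ERR_NAME_EXP", "KDC_ERR_SERVICE_EXP", "KDC_ERR_BAD_PVNO",
        /* 4 */  "KDC_ERR_C_OLD_MAST_KVNO", "KDC_ERR_S_OLD_MAST_KVNO",
        /* 6 */  "KDC_ERR_C_PRINCIPAL_UNKNOWN", "KDC_ERR_S_PRINCIPAL_UNKNOWN",
        /* 8 */  "KDC_ERR_PRINCIPAL_NOT_UNIQUE", "KDC_ERR_NULL_KEY", "KDC_ERR_CANNOT_POSTDATE",
        /* 11 */ "KDC_ERR_NEVER_VALID", "KDC_ERR_POLICY", "KDC_ERR_BADOPTION",
        /* 14 */ "KDC_ERR_ETYPE_NOSUPP", "KDC_ERR_SUMTYPE_NOSUPP", "KDC_ERR_PADATA_TYPE_NOSUPP",
        /* 17 */ "KDC_ERR_TRTYPE_NOSUPP", "KDC_ERR_CLIENT_REVOKED", "KDC_ERR_SERVICE_REVOKED",
        /* 20 */ "KDC_ERR_TGT_REVOKED", "KDC_ERR_CLIENT_NOTYET", "KDC_ERR_SERVICE_NOTYET",
        /* 23 */ "KDC_ERR_KEY_EXPIRED", "KDC_ERR_PREAUTH_FAILED", "KDC_ERR_PREAUTH_REQUIRED",
        /* 26 */ "KDC_ERR_SERVER_NOMATCH", "KDC_ERR_MUST_USE_USER2USER", "KDC_ERR_PATH_NOT_ACCEPTED",
        /* 29 */ "KDC_ERR_SVC_UNAVAILABLE", null,
        /* 31 */ "KRB_AP_ERR_BAD_INTEGRITY", "KRB_AP_ERR_TKT_EXPIRED", "KRB_AP_ERR_TKT_NYV",
        /* 34 */ "KRB_AP_ERR_REPEAT", "KRB_AP_ERR_NOT_US", "KRB_AP_ERR_BADMATCH", "KRB_AP_ERR_SKEW",
        /* 38 */ "KRB_AP_ERR_BADADDR", "KRB_AP_ERR_BADVERSION", "KRB_AP_ERR_MSG_TYPE",
        /* 41 */ "KRB_AP_ERR_MODIFIED", "KRB_AP_ERR_BADORDER", null,
        /* 44 */ "KRB_AP_ERR_BADKEYVER", "KRB_AP_ERR_NOKEY", "KRB_AP_ERR_MUT_FAIL",
        /* 47 */ "KRB_AP_ERR_BADDIRECTION", "KRB_AP_ERR_METHOD", "KRB_AP_ERR_BADSEQ",
        /* 50 */ "KRB_AP_ERR_INAPP_CKSUM", "KRB_AP_PATH_NOT_ACCEPTED", "KRB_ERR_RESPONSE_TOO_BIG",
        /* 53 */ null, null, null, null, null, null, null,
        /* 60 */ "KRB_ERR_GENERIC", "KRB_ERR_FIELD_TOOLONG",
        /* 62 */ "KDC_ERROR_CLIENT_NOT_TRUSTED", "KDC_ERROR_KDC_NOT_TRUSTED",
    };

    /* KrbException.getMessage() renders as "<text> (<code>)" and Krb5LoginModule
       copies it into the LoginException, hence "null (29)" in the post. */
    private static final Pattern TRAILING_CODE = Pattern.compile("\\((\\d+)\\)\\s*$");

    /* Assumption for this example: KRB-ERROR codes live below 100, while codes the
       JDK adds locally (e.g. 906, "Identifier doesn't match expected value") are
       in the hundreds and must not be mistaken for something the KDC said. */
    static boolean isProtocolCode(int code) {
        return code >= 0 && code < 100;
    }

    static Optional<Integer> codeIn(Throwable t) {
        String msg = t.getMessage();
        if (msg == null) return Optional.empty();
        Matcher m = TRAILING_CODE.matcher(msg);
        if (!m.find()) return Optional.empty();
        try {
            return Optional.of(Integer.parseInt(m.group(1)));
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
    }

    /* Walk the cause chain outermost-first; the first protocol-level code wins, so
       the innermost ASN.1 code 906 does not mask KDC_ERR_SVC_UNAVAILABLE. */
    public static Optional<Integer> kdcErrorCode(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            Optional<Integer> c = codeIn(cur);
            if (c.isPresent() && isProtocolCode(c.get())) return c;
        }
        return Optional.empty();
    }

    static String nameOf(int code) {
        String name = code < RFC4120.length ? RFC4120[code] : null;
        return name != null ? name : "UNLISTED";
    }

    public static String describe(Throwable t) {
        return kdcErrorCode(t)
                .map(code -> nameOf(code) + " (" + code + ")")
                .orElse("no KDC error code in cause chain");
    }

    public static void main(String[] args) {
        // Constructed chain mirroring the post's trace; RuntimeException stands in for
        // sun.security.krb5.KrbException, whose package is not exported on JDK 9+.
        Throwable asn1 = new RuntimeException("Identifier doesn't match expected value (906)");
        Throwable krb = new RuntimeException("null (29)", asn1);
        LoginException login = new LoginException("null (29)");
        login.initCause(krb);
        System.out.println(describe(login));

        // One of the codes the post reports as absent from the JDK 8 table.
        System.out.println(describe(new LoginException("null (26)")));
    }
}
```

Parsing the rendered message rather than calling KrbException.returnCode() keeps the helper usable on JDK 9 and later, where sun.security.krb5 is not exported; the price is that a message which does not end in " (<code>)" yields no code, which describe() reports instead of guessing.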