KrbException exception does not contain error string although error is well-known

Wei-Jun Wang weijun.wang at oracle.com
Wed Sep 20 18:06:12 UTC 2023 

I'll look into it. Thanks!

Do you have a patch? :-)

--Max

> On Aug 9, 2023, at 3:30 AM, Osipov, Michael (SMD IT IN) <michael.osipov at siemens.com> wrote:
> 
> Folks, Max,
> 
> consider the following code snippet configured with the Krb5LoginModule:
>> LoginContext lc = new LoginContext(loginEntryName);
>> lc.login();
> 
> then a LoginException is thrown with the following stacktrace:
>> 2023-08-01T00:09:31.601 SCHWERWIEGEND [https-openssl-apr-8444-exec-5417] net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal Exception acquiring directory server connection
>>    javax.naming.NamingException: null (29) [Root exception is javax.security.auth.login.LoginException: null (29)]
>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:625)
>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getDirContext(DirContextSource.java:685)
>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.open(ActiveDirectoryRealm.java:572)
>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.acquire(ActiveDirectoryRealm.java:506)
>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:432)
>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:461)
>>        at net.sf.michaelo.tomcat.realm.ActiveDirectoryRealm.getPrincipal(ActiveDirectoryRealm.java:426)
>>        at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:497)
>>        at net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator.doAuthenticate(SpnegoAuthenticator.java:163)
>>        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:564)
>>        ...
>>        at java.lang.Thread.run(Thread.java:750)
>>    Caused by: javax.security.auth.login.LoginException: null (29)
>>        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:810)
>>        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
>>        at sun.reflect.GeneratedMethodAccessor10719.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>        at java.lang.reflect.Method.invoke(Method.java:498)
>>        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
>>        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>>        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>>        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>>        at net.sf.michaelo.dirctxsrc.DirContextSource.getGssApiDirContext(DirContextSource.java:574)
>>        ... 23 more
>>    Caused by: KrbException: null (29)
>>        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>>        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:335)
>>        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:488)
>>        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:782)
>>        ... 35 more
>>    Caused by: KrbException: Identifier doesn't match expected value (906)
>>        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>>        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>>        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>>        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>>        ... 38 more
> 
> I am trying to obtain a TGT to authenticate thorugh SASL GSSAPI to Active Directory via LDAP. This happened to me now repeatedly in the last couple of days around midnight. Looking up error code 29 says KDC_ERR_SVC_UNAVAILABLE, obviously the AD DC server is maintenance mode. What bugs me is that KDC_ERR_SVC_UNAVAILABLE(29) is documented in Krb5.java, has an error message and KrbException.java does use it, but no error message is mapped to the code.
> 
> Request: Maybe someone (Max?) log an improvement request with JBS to
> add missing error codes 26--28, 51 from [1] and
> >    public static final int KRB_AP_ERR_NOREALM          = 62;
> >    public static final int KRB_AP_ERR_GEN_CRED         = 63;
> 
> look incorrect. Plus the mapping in errMsgList for those.
> 
> Note: Tried with OpenJDK 8.
> 
> Best regards,
> 
> Michael
> 
> [1] https://www.rfc-editor.org/rfc/rfc4120#section-7.5.9

More information about the security-dev mailing list