Tuesday, June 3, 2014

kerberos - Invalid option setting in ticket request. (101)

I'm using the Krb5LoginModule in a Java application to test a web application that I'm trying to Kerberize. Before testing, I authenticated myself against the AS (in this case ApacheDS) by calling kinit as follows:

kinit.exe  wmmnpr@EXAMPLE.COM
Password for wmmnpr@EXAMPLE.COM:
New ticket is stored in cache file C:\Users\wnpr\krb5cc_wnpr

Then I ran my test and, as one can see from the log output of Krb5LoginModule below, the login module finds my credentials cache and retrieves a TGT from it.

Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\wnpr\krb5cc_wnpr
>>>DEBUG <CCacheInputStream>  client principal is wmmnpr@EXAMPLE.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/EXAMPLE.COM@EXAMPLE.COM
>>>DEBUG <CCacheInputStream> key type: 17
>>>DEBUG <CCacheInputStream> auth time: Tue Jun 03 10:03:36 CEST 2014
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Jun 04 10:03:36 CEST 2014
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Host address is /172.28.10.201
Host address is /fe80:0:0:0:e11d:3dff:8612:e63b
>>> KrbCreds found the default ticket granting ticket in credential cache.
Config name: C:\Users\wnpr\krb5.conf
>>> Obtained TGT from LSA: Credentials:
client=wmmnpr@EXAMPLE.COM
server=krbtgt/EXAMPLE.COM@EXAMPLE.COM
authTime=20140603080336Z
endTime=20140604080336Z
renewTill=null
flags: INITIAL;PRE-AUTHENT
EType (int): 17
Principal is wmmnpr@EXAMPLE.COM

Commit Succeeded 

However, before it can access the web application, the login module has to go to the KDC (again ApacheDS) to get a service ticket; before it gets there, a KrbException is thrown (see below).

Found ticket for wmmnpr@EXAMPLE.COM to go to krbtgt/EXAMPLE.COM@EXAMPLE.COM expiring on Wed Jun 04 10:03:36 CEST 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
KrbException: Invalid option setting in ticket request. (101)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:98)
at sun.security.krb5.KrbTgsReq.<init>(KrbTgsReq.java:62)

After looking at the sun.security.krb5.KrbTgsReq code at line 98, it occurred to me that it was the "forwardable" option that was causing the problem. I then ran kinit again, this time with -f:

>kinit.exe -f wmmnpr@EXAMPLE.COM
Password for wmmnpr@EXAMPLE.COM:
New ticket is stored in cache file C:\Users\wnpr\krb5cc_wnpr


And then check it with klist.

klist -f -e -c c:\Users\wnpr\krb5cc_wnpr

Credentials cache: c:\Users\wnpr\krb5cc_wnpr

Default principal: wmmnpr@EXAMPLE.COM, 1 entry found.

[1]  Service Principal:  krbtgt/EXAMPLE.COM@EXAMPLE.COM
     Valid starting:  Jun 03,  2014 11:18
     Expires:         Jun 04,  2014 11:18
     Encryption type: AES128 CTS mode with HMAC SHA1-96
     Flags:           FORWARDABLE;INITIAL;PRE-AUTHENT
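As an added pre-flight check (not code from the post), the following Python script parses klist output like the one above and reports which TGS request options the cached TGT cannot back, so the mismatch is caught before the Java client ever builds its KrbTgsReq. The sample klist text is constructed to mirror the cache before and after kinit -f, and the option-to-flag pairings are a simplification of the TGS exchange rules in RFC 4120 section 3.3.3, assumed here to be the same ones behind the error 101 check.

```python
import re

# Constructed samples modelled on the klist output in the post: the TGT as
# first obtained (no FORWARDABLE flag) and after "kinit -f".
KLIST_BEFORE = r"""Credentials cache: c:\Users\wnpr\krb5cc_wnpr
Default principal: wmmnpr@EXAMPLE.COM, 1 entry found.
[1]  Service Principal:  krbtgt/EXAMPLE.COM@EXAMPLE.COM
     Flags:           INITIAL;PRE-AUTHENT
"""
KLIST_AFTER = KLIST_BEFORE.replace("INITIAL;PRE-AUTHENT", "FORWARDABLE;INITIAL;PRE-AUTHENT")

# Which TGT flag each TGS request option depends on. Simplified from the
# TGS-exchange rules in RFC 4120 section 3.3.3 (assumption: the client-side
# pre-check that raised error 101 applies these same pairings).
REQUIRED_TGT_FLAG = {
    "FORWARDABLE": "FORWARDABLE",
    "FORWARDED": "FORWARDABLE",
    "PROXIABLE": "PROXIABLE",
    "PROXY": "PROXIABLE",
    "RENEWABLE": "RENEWABLE",
}

def parse_klist(text):
    """Map each cached service principal to its set of flags ('klist -f' output)."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\[\d+\]\s+Service Principal:\s+(\S+)", line)
        if m:
            current = m.group(1)
            entries[current] = set()
            continue
        m = re.match(r"\s*Flags:\s+(.*)", line)
        if m and current is not None:
            entries[current] = {f.strip() for f in m.group(1).split(";") if f.strip()}
    return entries

def unsatisfiable_options(tgt_flags, requested_options):
    """Return the requested options the TGT's flags cannot back (empty list = ok)."""
    return [opt for opt in requested_options
            if REQUIRED_TGT_FLAG.get(opt) and REQUIRED_TGT_FLAG[opt] not in tgt_flags]

def check_cache(klist_text, realm, requested_options):
    """Locate the TGT for realm in klist output and report options it cannot satisfy."""
    tgt = f"krbtgt/{realm}@{realm}"
    flags = parse_klist(klist_text).get(tgt)
    if flags is None:
        return [f"no TGT {tgt} in cache"]
    return unsatisfiable_options(flags, requested_options)

if __name__ == "__main__":
    for label, text in (("before kinit -f", KLIST_BEFORE), ("after kinit -f", KLIST_AFTER)):
        print(label, "->", check_cache(text, "EXAMPLE.COM", ["FORWARDABLE"]) or "ok")
```

Run it against real output by piping `klist -f -e -c <cache>` into `check_cache` with the realm your Krb5LoginModule uses; a non-empty result means the same KrbTgsReq rejection is coming.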