
Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.6.4
    • Fix Version/s: 1.6.16, 2.0.1
    • Component/s: WSS4J Core
    • Labels: None

    Description

      I'm trying to use wss4j for Kerberos authentication against a KDC based on Active Directory, but that is not possible.

      According to the Setspn tool documentation from Microsoft (http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx), the service name form should look like this: serviceclass/host:port/servicename. In GSS terms this type of service name is of type NT_USER_NAME.

      Currently the org.apache.wss4j.common.kerberos.KerberosClientAction and org.apache.wss4j.common.kerberos.KerberosServiceAction only support the org.ietf.jgss.NT_HOSTBASED_SERVICE service name form, which is hardcoded when creating the GSSName for the service. This makes wss4j not operable with a KDC based on Active Directory.

      The following is the exception I'm receiving when trying to get a service ticket from the AD KDC while executing the wss4j KerberosTest:

      KrbException: Server not found in Kerberos database (7)
      at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
      at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
      at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
      at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:311)
      at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
      at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:449)
      at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
      at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
      at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
      at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:67)
      at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:36)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.Subject.doAs(Subject.java:356)
      at org.apache.wss4j.dom.message.token.KerberosSecurity.retrieveServiceTicket(KerberosSecurity.java:184)
      at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:148)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
      at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
      at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
      at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
      at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
      at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
      at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
      at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
      at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
      at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
      at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
      at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
      at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
      at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
      at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
      at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
      at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
      at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
      at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
      at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
      Caused by: KrbException: Identifier doesn't match expected value (906)
      at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
      at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
      at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
      at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
      ... 39 more
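The report above describes a name-type mismatch on the JGSS API: a name created as GSSName.NT_HOSTBASED_SERVICE has the form "service@host", whereas an SPN registered in Active Directory with setspn (serviceclass/host:port) has to be handed to the Kerberos provider as a full principal, i.e. GSSName.NT_USER_NAME, so that the slash-separated components and the port survive into the TGS-REQ. The following is an added example written for this page, not WSS4J code and not the reporter's: it makes the name type selectable and then runs initSecContext as the client Subject, which is the same call path the stack trace shows. The class name, the `usernameForm` switch and the JAAS entry name "alice" are this example's own assumptions; the Kerberos mechanism OID 1.2.840.113554.1.2.2 is the standard one from RFC 1964.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not part of WSS4J): obtain a Kerberos service ticket for a
 * service named either in host-based form or in full SPN/principal form.
 */
public final class KerberosServiceNameDemo {

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException("Kerberos mechanism OID rejected", e);
        }
    }

    /**
     * Build the peer name. NT_HOSTBASED_SERVICE expects "service@host" and lets the
     * provider derive service/host@REALM itself. An AD SPN such as
     * "HTTP/host.example.com:8443" (optionally "@REALM") must go through as
     * NT_USER_NAME so the components and port are used exactly as registered.
     * 'usernameForm' is this example's own switch, not a WSS4J parameter.
     */
    public static GSSName serviceName(GSSManager manager, String name, boolean usernameForm)
            throws GSSException {
        Oid nameType = usernameForm ? GSSName.NT_USER_NAME : GSSName.NT_HOSTBASED_SERVICE;
        return manager.createName(name, nameType);
    }

    /**
     * Run initSecContext as the already-authenticated client Subject and return
     * the initial AP-REQ token, i.e. the bytes a BinarySecurityToken would carry.
     */
    public static byte[] retrieveServiceTicket(Subject client, String name, boolean usernameForm)
            throws GSSException {
        try {
            return Subject.doAs(client, (PrivilegedExceptionAction<byte[]>) () -> {
                GSSManager manager = GSSManager.getInstance();
                GSSName peer = serviceName(manager, name, usernameForm);
                GSSContext ctx = manager.createContext(peer, KRB5_MECH, null,
                        GSSContext.DEFAULT_LIFETIME);
                try {
                    ctx.requestMutualAuth(false);  // one-shot token, as in a WS-Security header
                    ctx.requestCredDeleg(false);   // never forward the client's TGT to the service
                    return ctx.initSecContext(new byte[0], 0, 0);
                } finally {
                    ctx.dispose();
                }
            });
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof GSSException) {
                throw (GSSException) e.getCause();
            }
            throw new IllegalStateException(e.getCause());
        }
    }

    /** Needs a JAAS entry named "alice" (Krb5LoginModule) and a krb5.conf; both assumed. */
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("alice");  // assumed JAAS entry name
        lc.login();
        try {
            // Host-based form: the provider turns this into HTTP/host.example.com@REALM.
            byte[] hostBased = retrieveServiceTicket(lc.getSubject(), "HTTP@host.example.com", false);
            // SPN form: passed through as registered with setspn, port included.
            byte[] spnForm = retrieveServiceTicket(lc.getSubject(), "HTTP/host.example.com:8443", true);
            System.out.println(hostBased.length + " / " + spnForm.length + " bytes of AP-REQ token");
        } finally {
            lc.logout();
        }
    }
}
```

Two checks worth doing before blaming the library: the outer "Server not found in Kerberos database (7)" is the KDC's own KDC_ERR_S_PRINCIPAL_UNKNOWN, so the name the provider actually sent did not match any registered SPN; running the JVM with -Dsun.security.krb5.debug=true prints the principal in the TGS-REQ, and `setspn -Q <spn>` on the domain controller confirms whether that exact string (including the port) is registered. If the two differ only in the port or in the host/realm canonicalisation, the name type is the cause, which is what the switch above addresses.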

            People

              Assignee: Colm O hEigeartaigh (coheigea)
              Reporter: Boris Dushanov (b.dushanov)
              Votes: 0
              Watchers: 1
