Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2014/05/23 16:27:02 UTC

[jira] [Updated] (WSS-500) Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form

     [ https://issues.apache.org/jira/browse/WSS-500?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh updated WSS-500:
------------------------------------

    Fix Version/s: 2.0.1

> Kerberos client/server actions are only supporting NT_HOSTBASED_SERVICE service name form
> -----------------------------------------------------------------------------------------
>
>                 Key: WSS-500
>                 URL: https://issues.apache.org/jira/browse/WSS-500
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.4
>            Reporter: Boris Dushanov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0.1
>
>
> I'm trying to use wss4j for Kerberos authentication against a KDC based on Active Directory, but that is not possible.
> According to the Setspn tool documentation from Microsoft (http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx), the service name form should look like this: serviceclass/host:port/servicename. In GSS terms this type of service name is of type NT_USER_NAME.
> Currently org.apache.wss4j.common.kerberos.KerberosClientAction and org.apache.wss4j.common.kerberos.KerberosServiceAction only support the org.ietf.jgss.NT_HOSTBASED_SERVICE service name form, which is hardcoded when creating the GSSName for the service. This makes wss4j inoperable with a KDC based on Active Directory.
> The following is the exception I'm receiving when trying to get a service ticket from the AD KDC while executing the wss4j KerberosTest:
> KrbException: Server not found in Kerberos database (7)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
> 	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:192)
> 	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:203)
> 	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:311)
> 	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:115)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:449)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:641)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
> 	at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:67)
> 	at org.apache.wss4j.common.kerberos.KerberosClientAction.run(KerberosClientAction.java:36)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:356)
> 	at org.apache.wss4j.dom.message.token.KerberosSecurity.retrieveServiceTicket(KerberosSecurity.java:184)
> 	at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:148)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
> 	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> 	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
> 	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
> 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
> 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
> 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
> 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
> 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
> 	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
> 	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
> 	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
> 	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> 	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
> 	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:66)
> 	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:61)
> 	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
> 	... 39 more



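An added illustration of the issue described above (not WSS4J code and not the change made for WSS-500): a hypothetical helper that picks the GSS name type from the form of the configured service name instead of hardcoding NT_HOSTBASED_SERVICE, and rejects names that match neither form. The class and method names, the sample service names and the realm/KDC properties are assumptions; the mapping of the serviceclass/host form to NT_USER_NAME follows the reporter's description.

```java
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ServiceNameForm {

    /** Hypothetical helper: choose the GSS name type from the shape of the name. */
    static Oid nameTypeFor(String serviceName) {
        if (serviceName == null || serviceName.trim().isEmpty()) {
            throw new IllegalArgumentException("empty service name");
        }
        int slash = serviceName.indexOf('/');
        int at = serviceName.indexOf('@');
        // serviceclass/host[:port][/servicename], the Setspn-style form
        if (slash > 0 && slash < serviceName.length() - 1) {
            return GSSName.NT_USER_NAME;
        }
        // service@host, the GSS host-based service form
        if (slash < 0 && at > 0 && at == serviceName.lastIndexOf('@')
                && at < serviceName.length() - 1) {
            return GSSName.NT_HOSTBASED_SERVICE;
        }
        // Fail closed rather than request a ticket for an unintended principal.
        throw new IllegalArgumentException("unrecognised service name form: " + serviceName);
    }

    static GSSName createServiceName(GSSManager manager, String serviceName)
            throws GSSException {
        return manager.createName(serviceName, nameTypeFor(serviceName));
    }

    public static void main(String[] args) throws GSSException {
        // Constructed realm and KDC so name creation works without a krb5.conf.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "kdc.example.com");
        GSSManager manager = GSSManager.getInstance();
        // Constructed sample names, one per form.
        String[] samples = { "webservice@host.example.com",
                             "HTTP/web01.example.com:8443/orders" };
        for (String s : samples) {
            GSSName name = createServiceName(manager, s);
            boolean userForm = GSSName.NT_USER_NAME.equals(name.getStringNameType());
            System.out.println(s + " -> "
                    + (userForm ? "NT_USER_NAME" : "NT_HOSTBASED_SERVICE"));
        }
    }
}
```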