Former Member
Jul 02, 2009 at 05:42 AM

Kerberos implementation on Java stack


Hi,

I would like to implement Kerberos on the Java stack for SSO, but unfortunately I ran into trouble while configuring the system. Actually, I want to implement this for a cross-domain solution, but even in the same AD domain I see some errors in the diagtool output, below:

Creating new instance of SpNegoState (negstate= initial, mechanism.oid= null)

Acquiring credentials for realm YASARSAP.ASTRON.GRP

Looking for credentials for realm YASARSAP.ASTRON.GRP

Looking for credentials for j2ee-cr7 @ YASARSAP.ASTRON.GRP in {}

[Security Context : [Security Session (0) for J2EE_GUEST created at Wed Jul 01 17:39:15 EEST 2009]] created from parent [Security Context : [Security Session (0) for J2EE_GUEST created at Wed Jul 01 17:39:15 EEST 2009]]

Acquiring credentials for GSS name j2ee-cr7 @ YASARSAP.ASTRON.GRP

GSS name type is: 1

GSS name type 1 is :1.2.840.113554.1.2.1.1

GSS mechanism is: 1.2.840.113554.1.2.2

Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is j2ee-cr7 @ YASARSAP.ASTRON.GRP tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Refreshing Keytab

>>> KeyTabInputStream, readName(): YASARSAP.ASTRON.GRP

>>> KeyTabInputStream, readName(): j2ee-cr7

>>> KeyTab: load() entry length: 54; type: 3

principal's key obtained from the keytab

Acquire TGT using AS Exchange

on Exception : Error in some of the login modules.

java.lang.Exception

at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)

at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)

.

.

.

Caused by: java.lang.NullPointerException

at java.lang.StringBuffer.append(StringBuffer.java:467)

.

.

.

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:206)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)

at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:301)

LOGIN.FAILED

User: N/A

Authentication Stack: com.sun.security.jgss.accept

Login Module Flag Initialize Login Commit Abort Details

1. com.sun.security.auth.module.Krb5LoginModule OPTIONAL ok exception false null

#1 debug = true

#2 doNotPrompt = true

#3 principal = j2ee-cr7 @ YASARSAP.ASTRON.GRP

#4 refreshKrb5Config = true

#5 storeKey = true

#6 useKeyTab = true

#7 useTicketCache = false

Exception : Access Denied.

java.lang.Exception

at com.sap.exception.BaseExceptionInfo.traceAutomatically(BaseExceptionInfo.java:1175)

at com.sap.exception.BaseExceptionInfo.<init>(BaseExceptionInfo.java:263)

at com.sap.engine.services.security.exceptions.BaseLoginException.<init>(BaseLoginException.java:116)

Acquiring credentials for realm YASARSAP.ASTRON.GRP failed

[EXCEPTION]

GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

I emphasise that I am using well-known browsers such as IE8 and Firefox 3.0 in order to avoid problems. As far as I understand, the browser cannot send a ticket to the browser. What do you suggest about the problem?

Thank you

Orkun Gedik
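
Added example (not part of the original post and not SAP code): a standalone Java check that repeats, outside the application server, the two steps visible in the trace above: a Krb5LoginModule login with the options listed under the authentication stack, then GSSManager.createCredential for accept-only Kerberos credentials. The class name AcceptCredCheck, the command-line arguments and the optional keyTab path are assumptions for illustration; the OID and name type are the ones printed in the diagtool output.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Hypothetical helper: usage  java AcceptCredCheck <principal> [keytab-path]
public class AcceptCredCheck {
    public static void main(String[] args) throws Exception {
        final String principal = args[0];          // service principal, as in option #3
        final Map<String, String> opts = new HashMap<>();
        opts.put("debug", "true");                 // same options as the login module table
        opts.put("doNotPrompt", "true");
        opts.put("principal", principal);
        opts.put("refreshKrb5Config", "true");
        opts.put("storeKey", "true");
        opts.put("useKeyTab", "true");
        opts.put("useTicketCache", "false");
        if (args.length > 1) {
            opts.put("keyTab", args[1]);           // assumption: explicit keytab instead of the default location
        }
        // In-memory JAAS configuration, so no login.conf file is needed.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        // Step 1: keytab login (the "Acquire TGT using AS Exchange" stage of the trace).
        LoginContext lc = new LoginContext("com.sun.security.jgss.accept", null, null, conf);
        lc.login();
        Subject subject = lc.getSubject();
        System.out.println("Private credentials stored: " + subject.getPrivateCredentials().size());
        // Step 2: accept credentials (the Krb5AcceptCredential stage of the trace).
        GSSCredential cred = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName name = manager.createName(principal, GSSName.NT_USER_NAME); // 1.2.840.113554.1.2.1.1
            return manager.createCredential(name, GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.2.840.113554.1.2.2"), GSSCredential.ACCEPT_ONLY);    // Kerberos V5
        });
        System.out.println("Accept credential acquired for " + cred.getName());
    }
}
```

The step that throws shows whether the failure lies in the keytab login or in the creation of the accept credential.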