Message-ID: <4A9E930F.5010502@anl.gov>
Date: Wed, 02 Sep 2009 10:45:19 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Priya B <priya9907@gmail.com>
In-Reply-To: <c42a51c5-acc2-4789-8807-eafd497bd18c@38g2000yqr.googlegroups.com>
Cc: srini.csit@gmail.com, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Priya B wrote:
> Hello everybody,
>
> We are in the process of implementing Kerberos Authentication (Single
> Sign On) using JAAS. We've been facing a problem to which we (and
> everybody we've approached so far :) ) have no solution since many
> weeks.

What version of Java?

>
> We're trying to get the service ticket from the KDC but unable to.
> (NOTE - The client and the service are in different realms.)

Do you have cross realm set up between the two realms?
Do you have the krb5.conf on the client set up for cross realm?

>
> Java throws the following exception:
> GSSException: No valid credentials provided (Mechanism level: Fail to
> create credential. (63) - No service creds)
>
> When we monitor the packets, we observed the below errors:
> KRB_ERR_RESPONSE_TOO_BIG

Is one or both of the realms Windows AD?

The KRB_ERR_RESPONSE_TOO_BIG could be caused by Windows adding a PAC
to the ticket, and the older versions of Java can only use UDP.
New versions might be able to use TCP to handle large tickets,
in which case the request would have been retried using TCP.

If you don't need the PAC, there are ways to tell the DC not to
add it. (The PAC can be 12K or more, whereas a ticket without a
PAC is about 400 bytes.)

> KDC_ERR_WRONG_REALM

Sounds like either krb5.conf is not set up correctly, or AD
gave you a referral which Java could not handle.

You appear to have done some tracing, but have not said where
you are seeing these messages or how far along the process of
getting tickets has gotten, i.e. client to client's KDC or
client to server's KDC.

>
> We have tried setting the Registry value as mentioned in the other
> posts, but to no avail.
>
> Any solution please? It would be gratefully appreciated !!
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
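A client-side krb5.conf sketch covering the two points raised in the reply above (cross-realm configuration and the UDP size limit), added here as an illustration and not taken from the thread. The realm names, KDC hosts and DNS domains are placeholders, a direct trust between the two realms is assumed, and so is a Kerberos library that honours MIT's `udp_preference_limit` setting.

```ini
# Constructed example: every realm, host and domain below is a placeholder.

[libdefaults]
    default_realm = CLIENT.EXAMPLE.COM
    # Send every request larger than 1 byte over TCP, so a ticket that
    # carries a large PAC never hits KRB_ERR_RESPONSE_TOO_BIG on UDP.
    # Assumption: the client library reads this option.
    udp_preference_limit = 1

[realms]
    # The client must be able to locate a KDC in BOTH realms: it gets the
    # cross-realm TGT from its own KDC, then the service ticket from the
    # service realm's KDC.
    CLIENT.EXAMPLE.COM = {
        kdc = kdc1.client.example.com
    }
    SERVICE.EXAMPLE.COM = {
        kdc = kdc1.service.example.com
    }

[domain_realm]
    # Map the service host's DNS domain to its realm. Without this the
    # client asks its own KDC for the service ticket, which is one way to
    # end up with KDC_ERR_WRONG_REALM or a referral.
    .service.example.com = SERVICE.EXAMPLE.COM
    service.example.com = SERVICE.EXAMPLE.COM
    .client.example.com = CLIENT.EXAMPLE.COM
    client.example.com = CLIENT.EXAMPLE.COM

[capaths]
    # Direct trust: clients in CLIENT.EXAMPLE.COM reach SERVICE.EXAMPLE.COM
    # with no intermediate realm. This requires the principal
    # krbtgt/SERVICE.EXAMPLE.COM@CLIENT.EXAMPLE.COM to exist in both
    # realms with the same key.
    CLIENT.EXAMPLE.COM = {
        SERVICE.EXAMPLE.COM = .
    }
```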