Java GSSAPI Credentials with Active Directory


Apologies in advance - I'm pretty new to Kerberos/GSSAPI, so I've probably got something really simple stuffed up.

I'm trying to run what is essentially the sample client code from the GSSAPI tutorials.

I have two VMs set up. One is named KDC-TESTING. It's a Domain Controller with Active Directory installed and a user named "testuser". It's running on the KDC.COM domain.

The second is running an IIS server named IIS-WEB that runs on the KDC.COM domain.

I also have my computer (windows 7). It's on a different domain, but it's currently using the domain controller's IP as its DNS. I'm trying to run the Basic GSSAPI client from eclipse on here.

When you go to iis-web.kdc.com (from either the domain controller vm or my computer), you're prompted for a username/password combo. You can log in using testuser (with its password, obviously).

When I run the client program, I get the following error:

org.ietf.jgss.GSSException, major code: 13, minor code: 0
    major string: Invalid credentials
    minor string: SubjectCredFinder: no JAAS Subject

It's thrown from this line:

GSSContext context = manager.createContext(clientName, krb5Mechanism, null, GSSContext.DEFAULT_LIFETIME);

Since it says the credentials are invalid, I added in the following (and tried creating the context with creds rather than null):

GSSCredential creds = manager.createCredential(clientName, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);

That changed literally nothing (except for the stack trace).

Looking at this question and a bunch of docs/blogs, I think the problem is somewhat related to configuration, but I'm not sure what configuration needs to be done exactly.

I've got a krb5.conf file set up, and I'm running it with the command line arguments shown here.

I haven't done any Kerberos setup on my computer, but I've an SPN to testuser and maybe set up a keytab on the VMs (but I'm almost certain that that's not the cause).

EDIT/UPDATE:

I ran it from a new VM that was both on the KDC.COM domain and used KDC-TESTING.KDC.COM as its DNS and it seemed to work as expected (there was another error, this time with authenticating - progress! I think I know what's wrong with this one though).

I ran it as a JAR (as opposed to from inside eclipse) and, as expected, I was prompted in the command window for a username and password. Could this have been an issue (as in, is eclipse not able to take input, so it just crashes or something)?

I also hadn't been seeing any of the security debugging logs in eclipse (I'd been using -Djava.security.debug=all), but on the VM it was all there (there was a lot of it).

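The "SubjectCredFinder: no JAAS Subject" text in the exception above is the JGSS provider saying it looked for Kerberos credentials in the JAAS Subject of the calling thread and found none. The example below is an added illustration of the JAAS-plus-GSS-API pattern, not code from the question or from the Java tutorials: it performs a Krb5LoginModule login to obtain a TGT, places it in a Subject, and runs the GSS-API calls inside Subject.doAs so the credential lookup succeeds. The service name HTTP@iis-web.kdc.com and the realm KDC.COM are taken from the question's setup; the login entry name "Client" and the console-based CallbackHandler are assumptions. A krb5.conf that points at the KDC (or the equivalent -Djava.security.krb5.realm / -Djava.security.krb5.kdc properties) is still required.

```java
import java.io.Console;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class JaasGssClient {
    // Service principal of the IIS host from the question; assumed to be registered in AD.
    private static final String SERVICE = "HTTP@iis-web.kdc.com";
    // Kerberos V5 mechanism OID (RFC 1964).
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /** Programmatic equivalent of a jaas.conf entry for Krb5LoginModule (assumed entry name "Client"). */
    static final class Krb5Config extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useTicketCache", "false"); // authenticate with the supplied password, not the OS cache
            opts.put("debug", "true");           // prints the login flow to stdout; turn off once it works
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
            };
        }
    }

    /** Reads the principal and password from the console; fails clearly when no console exists (e.g. inside an IDE). */
    static final class ConsoleHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            Console console = System.console();
            if (console == null) {
                throw new IllegalStateException("no interactive console; run from a terminal or use a keytab");
            }
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(console.readLine("Principal (e.g. testuser@KDC.COM): "));
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(console.readPassword("Password: "));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Step 1: obtain a TGT and store it in a JAAS Subject.
        LoginContext lc = new LoginContext("Client", null, new ConsoleHandler(), new Krb5Config());
        lc.login();
        Subject subject = lc.getSubject();

        // Step 2: run the GSS-API code inside the Subject so SubjectCredFinder can locate the ticket.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5 = new Oid(KRB5_MECH_OID);
            // The first argument to createContext is the peer (service) name, not the client's own name.
            GSSName serverName = manager.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE, krb5);
            GSSCredential creds = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);
            GSSContext context = manager.createContext(serverName, krb5, creds, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            context.requestIntegrity(true);
            // The first call produces the initial context token (an AP-REQ) that a client would send to the server.
            byte[] out = context.initSecContext(new byte[0], 0, 0);
            context.dispose();
            return out;
        });
        System.out.println("Initial context token length: " + token.length + " bytes");
        lc.logout();
    }
}
```

The same Subject can instead be supplied by the JRE at startup with -Djava.security.auth.login.config=jaas.conf together with -Djavax.security.auth.useSubjectCredsOnly=false, which makes the provider perform the JAAS login itself; in either case the login prompt needs a real console, which is why running from a terminal behaves differently from running inside an IDE.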

There are 0 answers