SpNego: Defective Token Detected


I have a Java client connecting to a WCF service. This service is configured to run on the host as a separate domain user (i.e. not as Local Service or Network Service). The service publishes a userPrincipalName in its WSDL.

During the SpNego token exchange I get the following exception in the client:

    Defective token detected (Mechanism level: AP_REP token id does not match!)

This is the call stack:

    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:450)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)

If I configure the WCF service to run under the Local System account, the SpNego token exchange works. Do I need to modify the code for services not running under the Local System account?

Update-1

After some debugging by getting a C# client to connect to the WCF service, I found that the C# client is using a modified version of the SpNego protocol called MS-SPNG. Does Java 6 support this? When I inspect the token I get an error about unsupported mechanism 1.2.840.113554.1.2.2.3.


There is 1 answer

mihirg

These links explain what's happening. MS has an extension for the SpNego protocol, which kicks in when we run a WCF service as a user (i.e. not as Local Service etc.). This is the MS specification for the new protocol, and here is the OpenJDK doc that explains the workarounds.
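A small Python diagnostic added here as an illustration (it is not code from the question or the answer): it builds a constructed SPNEGO NegTokenInit, decodes its mechTypes list and reports whether the Microsoft legacy Kerberos OID 1.2.840.113554.1.2.2.3 mentioned in the update is offered, which is how you can confirm from a captured token which Kerberos OID the other side negotiates. The OID constants, the DER helpers and the sample token are my own assumptions; only short-form DER lengths are handled.

```python
# Added example (not from the question): decode the mechTypes of a SPNEGO
# NegTokenInit (RFC 4178) and flag Microsoft's legacy Kerberos OID.
# Short-form DER lengths only (tokens under 128 bytes) suffice for this check.
SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.113554.1.2.2.3"  # the OID from the question's update

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der(tag, body):
    return bytes([tag, len(body)]) + body

def der_iter(buf):                       # yields (tag, value) per TLV
    i = 0
    while i < len(buf):
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def build_neg_token_init(mech_oids):
    # Constructed sample: GSS framing > SPNEGO OID > [0] NegTokenInit > [0] mechTypes
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    neg_init = der(0xA0, der(0x30, der(0xA0, mech_list)))
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + neg_init)

def mech_types(token):
    # Return the dotted OIDs listed in mechTypes of a NegTokenInit.
    tag, body = next(der_iter(token))
    assert tag == 0x60, "not a GSS-API initial context token"
    (_, oid), (_, neg) = der_iter(body)
    assert decode_oid(oid) == SPNEGO_OID, "not a SPNEGO token"
    (_, init), = der_iter(neg)                  # [0] -> NegTokenInit SEQUENCE
    (_, mech_list), = [tv for tv in der_iter(init) if tv[0] == 0xA0]
    (_, seq), = der_iter(mech_list)             # [0] mechTypes -> SEQUENCE OF
    return [decode_oid(v) for _, v in der_iter(seq)]
```

Run `mech_types(build_neg_token_init([...]))` on a list of candidate OIDs, or feed it the raw bytes of a token captured from the wire, and check whether MS_KRB5_OID appears in the result.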