JDK-6228529 : JDK on Windows does not wait for preauthorization record from Kerberos and causes an error

Details
Type: Bug
Submit Date: 2005-02-11
Status: Resolved
Updated Date: 2010-12-07
Project Name: JDK
Resolved Date: 2005-08-19
Component: security-libs
OS: solaris_8,windows_2000
Sub-Component: java.security
CPU: x86,generic
Priority: P4
Resolution: Fixed
Affected Versions: 1.4.0,1.4.1_03
Fixed Versions:

Description
JDK on Windows 2003 passes value to Kerberos and does not wait for Kerberos to return a "salt" value.  As a result, the following error is generated:
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:129)
        at sun.security.krb5.internal.au.a(DashoA6275:58)
        at sun.security.krb5.internal.au.<init>(DashoA6275:53)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
        ... 4 more

This is because Windows is a case insensitive platform.  This does not happen on Solaris.  There are two defects "around" this issue, which basically have been "documented out" in J2SE 1.5x (4946917, 4963731).  The customer sees this with the kinit example and with their own code.
###@###.### 2005-2-11 23:07:53 GMT

                                    

Comments
EVALUATION

This is a known issue. By convention Kerberos principal names are
case-sensitive. However, on Windows, due to the issue of case-insensitivity,
mix-in Kerberos principal names are not accepted by the Active Directory.

Latest Kerberos specifications have defined new preauthentication types to
better handle the mix-in Kerberos principal names. Currently
Java GSS/Kerberos does not support these new preauth types, hence the error.

NOTE: However if you use the Kerberos principal name as specified in 
the Active Directory account setting, it should all work correctly.

Support for these new preauth types is in the works, and will be 
available soon.

###@###.### 2005-2-18 19:52:31 GMT

I have added support for the new Pre-authentication types, as per the
latest Kerberos specification. This resolves the reported issue when using
Windows KDC, and allows users to use mixed-case Kerberos Principal names.
                                     
2005-02-18
WORK AROUND


NOTE: If you use the Kerberos principal name as specified in the 
Active Directory account setting, it should all work correctly.

###@###.### 2005-2-18 19:52:32 GMT
                                     
2005-02-18
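
Why the case of the principal name matters, as an added example (not code from the JDK or from this report): when the client has no salt from the KDC, it salts the password with the realm and principal name exactly as typed, so a different spelling produces a different key and the KDC cannot verify the pre-authentication data. The principal names, realm, password and the AES128 key type are constructed assumptions, as is the premise that the KDC's key was derived from the spelling stored in the account.

```java
import java.util.Arrays;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

// Added illustration; principal names, realm and password are constructed sample values.
public class DefaultSaltCaseDemo {

    // Derive the long-term key the way a client does when it has no KDC-supplied
    // salt: the salt is the realm followed by the name components, case preserved.
    static byte[] deriveKey(String principal, char[] password) {
        KerberosPrincipal p = new KerberosPrincipal(principal);
        // "AES128" is an assumption for this demo; any salted key type behaves the same way.
        return new KerberosKey(p, password, "AES128").getEncoded();
    }

    // True when the typed spelling yields the same key as the spelling the
    // directory account was created with, i.e. pre-authentication can succeed.
    static boolean sameKey(String storedName, String typedName, char[] password) {
        return Arrays.equals(deriveKey(storedName, password), deriveKey(typedName, password));
    }

    public static void main(String[] args) {
        char[] pw = "Constructed-Passw0rd".toCharArray();
        String stored = "jsmith@EXAMPLE.COM"; // spelling assumed to be stored in the directory
        for (String typed : new String[] {"jsmith@EXAMPLE.COM", "JSmith@EXAMPLE.COM"}) {
            System.out.printf("%-22s key matches stored spelling: %b%n",
                    typed, sameKey(stored, typed, pw));
        }
    }
}
```

The spelling that matches the stored name is the one the work around above tells users to type.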


