Bug ID: JDK-6413153 KerberosTicket throws exception when authtime field in KrbCredInfo is null

Details
Type: Bug
Submit Date: 2006-04-13
Status: Resolved
Updated Date: 2010-04-02
Project Name: JDK
Resolved Date: 2006-05-13
Component: security-libs
OS: windows_2000
Sub-Component: java.security
CPU: x86
Priority: P1
Resolution: Fixed
Affected Versions: 5.0
Fixed Versions:
Description
When an SSPI client talks to a Java GSS-API server with delegation enabled, acceptSecContext raises the exception "java.lang.IllegalArgumentException: Authentication time of ticket cannot be null".

The cause of the problem is that the authtime of the forwarded ticket generated by the Windows KDC is null, and Sun's Kerberos implementation doesn't allow this.

According to RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt?number=4120), for the KRB_CRED message (the message used to forward credentials), the authtime is really optional:
   KrbCredInfo     ::= SEQUENCE {
           key             [0] EncryptionKey,
           prealm          [1] Realm OPTIONAL,
           pname           [2] PrincipalName OPTIONAL,
           flags           [3] TicketFlags OPTIONAL,
           authtime        [4] KerberosTime OPTIONAL,
           starttime       [5] KerberosTime OPTIONAL,
           endtime         [6] KerberosTime OPTIONAL,
           renew-till      [7] KerberosTime OPTIONAL,
           srealm          [8] Realm OPTIONAL,
           sname           [9] PrincipalName OPTIONAL,
           caddr           [10] HostAddresses OPTIONAL
   }

Other Kerberos implementations, such as those from MSFT, IBM and MIT, all accept a null authtime in the forwarded ticket.

Other people on the web have also encountered the same problem: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3. Note that RFC 1510, mentioned in the above link, has been obsoleted by RFC 4120.
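To make the structural point concrete, here is an added example (Python rather than the JDK's Java, and not JDK source) that decodes the KrbCredInfo SEQUENCE shown above with a minimal DER reader, treating every component except key [0] as OPTIONAL exactly as RFC 4120 declares it, and then validates the decoded ticket. The two encodings are constructed inline (the 32-byte session key, realm and times are made up); `strict_authtime=True` reproduces the pre-fix check this report describes, and requiring endtime so that expiry can be enforced is the example's own choice, not something the report states about the JDK.

```python
"""DER decoder for the RFC 4120 KrbCredInfo SEQUENCE plus a validator that
treats authtime as OPTIONAL. Example code added to this page, not JDK source."""
from datetime import datetime, timezone

SEQUENCE, INTEGER, OCTET_STRING, GENERALIZED_TIME, GENERAL_STRING = 0x30, 0x02, 0x04, 0x18, 0x1B

# Component numbers from the KrbCredInfo definition quoted on this page.
FIELD_NAMES = {0: "key", 1: "prealm", 2: "pname", 3: "flags", 4: "authtime",
               5: "starttime", 6: "endtime", 7: "renew-till", 8: "srealm",
               9: "sname", 10: "caddr"}
TIME_FIELDS = {4, 5, 6, 7}
REALM_FIELDS = {1, 8}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; DER definite lengths only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end


def parse_kerberos_time(text):
    """KerberosTime is a GeneralizedTime of the fixed form YYYYmmddHHMMSSZ."""
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _parse_encryption_key(der):
    # EncryptionKey ::= SEQUENCE { keytype [0] Int32, keyvalue [1] OCTET STRING }
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("EncryptionKey must be a SEQUENCE")
    t0, kt, pos = _read_tlv(body, 0)
    t1, kv, _ = _read_tlv(body, pos)
    if t0 != 0xA0 or t1 != 0xA1:
        raise ValueError("unexpected EncryptionKey component tags")
    keytype = int.from_bytes(_read_tlv(kt, 0)[1], "big", signed=True)
    return keytype, _read_tlv(kv, 0)[1]


def parse_krb_cred_info(der):
    """Decode one KrbCredInfo; every component except key [0] may be absent (None)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("KrbCredInfo must be exactly one SEQUENCE")
    info = {name: None for name in FIELD_NAMES.values()}
    pos, last = 0, -1
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag & 0xE0 != 0xA0:  # context-specific, constructed: [n]
            raise ValueError("KrbCredInfo components must be context-tagged")
        idx = tag & 0x1F
        if idx not in FIELD_NAMES or idx <= last:  # DER keeps definition order
            raise ValueError("unknown, duplicated or out-of-order component [%d]" % idx)
        last = idx
        inner_tag, value, _ = _read_tlv(inner, 0)
        if idx == 0:
            info["key"] = _parse_encryption_key(inner)
        elif idx in TIME_FIELDS:
            if inner_tag != GENERALIZED_TIME:
                raise ValueError("KerberosTime expected in component [%d]" % idx)
            info[FIELD_NAMES[idx]] = parse_kerberos_time(value.decode("ascii"))
        elif idx in REALM_FIELDS:
            info[FIELD_NAMES[idx]] = value.decode("ascii")
        else:
            info[FIELD_NAMES[idx]] = inner  # pname/flags/sname/caddr left undecoded
    if info["key"] is None:
        raise ValueError("key [0] is the only mandatory KrbCredInfo component")
    return info


def check_forwarded_ticket(info, now, strict_authtime=False):
    """Accept (True) or reject (ValueError) a decoded forwarded ticket.
    strict_authtime=True reproduces the pre-fix check described in this report."""
    if strict_authtime and info["authtime"] is None:
        raise ValueError("Authentication time of ticket cannot be null")
    # Requiring endtime is this example's choice so that expiry can be enforced.
    if info["endtime"] is None:
        raise ValueError("endtime missing; expiry cannot be enforced")
    if now >= info["endtime"]:
        raise ValueError("ticket expired")
    if info["starttime"] is not None and now < info["starttime"]:
        raise ValueError("ticket not yet valid")
    return True


# --- constructed sample encodings (not captured from any real KDC) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body): return bytes([tag]) + _der_len(len(body)) + body
def _ctx(n, body): return _tlv(0xA0 | n, body)
def _time(s): return _tlv(GENERALIZED_TIME, s.encode("ascii"))
def _realm(s): return _tlv(GENERAL_STRING, s.encode("ascii"))
def _int32(v): return _tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

SESSION_KEY = bytes(range(32))  # constructed placeholder, not a real key
_KEY = _ctx(0, _tlv(SEQUENCE, _ctx(0, _int32(18)) + _ctx(1, _tlv(OCTET_STRING, SESSION_KEY))))
_TAIL = _ctx(6, _time("20060413220000Z")) + _ctx(8, _realm("EXAMPLE.COM"))
# A KDC that fills in authtime [4]:
CRED_WITH_AUTHTIME = _tlv(SEQUENCE, _KEY + _ctx(1, _realm("EXAMPLE.COM")) + _ctx(4, _time("20060413120000Z")) + _TAIL)
# The case in this report: authtime [4] simply absent.
CRED_WITHOUT_AUTHTIME = _tlv(SEQUENCE, _KEY + _ctx(1, _realm("EXAMPLE.COM")) + _TAIL)

if __name__ == "__main__":
    now = parse_kerberos_time("20060413130000Z")
    for label, der in (("with authtime", CRED_WITH_AUTHTIME), ("without authtime", CRED_WITHOUT_AUTHTIME)):
        info = parse_krb_cred_info(der)
        for strict in (True, False):
            try:
                print(label, "strict" if strict else "lenient", check_forwarded_ticket(info, now, strict))
            except ValueError as e:
                print(label, "strict" if strict else "lenient", "rejected:", e)
```

Run stand-alone, the script shows the lenient validator accepting both encodings while the strict one rejects the authtime-less ticket with the same message the report quotes; the decoder itself never assumes component [4] is present, which is the property a KRB_CRED consumer needs regardless of which KDC produced the credential.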


Comments
EVALUATION

See comments for details...

Although RFC 4120 defines authtime to be optional in the KrbCredInfo, it should ideally contain the same value as from the ticket. Since most implementations do allow a null authtime, we'll go ahead and make this change to allow this.
2006-04-26
EVALUATION

Fixed to allow null authtime, as mentioned above.
2006-05-04