Duplicate :
|
|
Duplicate :
|
|
Relates :
|
|
Relates :
|
FULL PRODUCT VERSION : java version "1.8.0_05" Java(TM) SE Runtime Environment (build 1.8.0_05-b13) Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode) ADDITIONAL OS VERSION INFORMATION : Microsoft Windows [Version 6.1.7601] A DESCRIPTION OF THE PROBLEM : Server account has constrained delegation. After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential Then, trying to that GSSCredential to create another GSSContext, and call GSSContext.initSecContext. Receives the following exception: ... Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)) at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368) ... 404 more Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match) at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source) ... 408 more Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match at sun.security.krb5.KrbCred.<init>(Unknown Source) at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source) at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source) ... 412 more STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : Server account has constrained delegation. After SpNego is established with the client, GSSContext.getDelegCred() returns a GSSCredential that is wrapping a Krb5ProxyCredential Then, trying to that GSSCredential to create another GSSContext, and call GSSContext.initSecContext. EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - expected GSSContext.initSecContext to be successful. ACTUAL - saw an exception ... Caused by: GSSException: No valid credentials provided (Mechanism level: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)) at sun.security.jgss.spnego.SpNegoContext.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at com.mellmo.roambi.http.auth.spnego.SPNEGOAuthScheme.authenticate(SPNEGOAuthScheme.java:368) ... 404 more Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match) at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source) ... 408 more Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match at sun.security.krb5.KrbCred.<init>(Unknown Source) at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source) at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source) ... 412 more REPRODUCIBILITY : This bug can be reproduced always. CUSTOMER SUBMITTED WORKAROUND : I patched KrbCred.java but removing the following check: /* if (!serviceTicket.getClient().equals(client)) throw new KrbException(Krb5.KRB_ERR_GENERIC, "Client principal does not match"); */ and I was able to proceed.