JDK-6413153 : KerberosTicket throws exception when authtime field in KrbCredInfo is null
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0
  • Priority: P1
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2006-04-13
  • Updated: 2010-04-02
  • Resolved: 2006-05-13
Fix versions: 1.4.2_13 (Fixed), JDK 6 b85 (Fixed)
When an SSPI client talks to a Java GSS-API server with delegation enabled, acceptSecContext raises the exception "java.lang.IllegalArgumentException: Authentication time of ticket cannot be null".

The cause of the problem is that the authtime of the forwarded ticket generated by the Windows KDC is null, and Sun's Kerberos implementation does not allow this.

According to RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt?number=4120), in the KRB_CRED message (the message used to forward credentials) the authtime is optional:
   KrbCredInfo     ::= SEQUENCE {
           key             [0] EncryptionKey,
           prealm          [1] Realm OPTIONAL,
           pname           [2] PrincipalName OPTIONAL,
           flags           [3] TicketFlags OPTIONAL,
           authtime        [4] KerberosTime OPTIONAL,
           starttime       [5] KerberosTime OPTIONAL,
           endtime         [6] KerberosTime OPTIONAL,
           renew-till      [7] KerberosTime OPTIONAL,
           srealm          [8] Realm OPTIONAL,
           sname           [9] PrincipalName OPTIONAL,
           caddr           [10] HostAddresses OPTIONAL
   }

Other Kerberos implementations (Microsoft, IBM, MIT) all accept a null authtime in the forwarded ticket.
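The following is an added illustration, not code from the JDK or from this bug report: a minimal DER reader for the KrbCredInfo structure above, written in Python rather than Java so it runs stand-alone. It parses the context-tagged fields, leaves OPTIONAL fields absent when they are not encoded, and contrasts the strict check this bug describes (rejecting a missing authtime) with the lenient behaviour of the fix. The DER helpers, the sample encryption key (keytype 23, all-zero key bytes) and the two sample encodings (one with authtime, one without, mimicking a forwarded credential from a KDC that omits it) are all constructed for the example; the parser decodes only the key and the KerberosTime fields and keeps the rest raw.

```python
"""Parse a KrbCredInfo (RFC 4120 section 5.8.1) and treat authtime as OPTIONAL."""
from datetime import datetime, timezone

# --- minimal DER helpers (constructed for this example) ---------------------
def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def ctx(n, value):
    """Context-specific constructed tag [n], as used for every KrbCredInfo field."""
    return tlv(0xA0 | n, value)

def kerberos_time(dt):
    """KerberosTime is a GeneralizedTime of the form YYYYMMDDHHMMSSZ."""
    return tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_kerberos_time(value):
    tag, body, _ = read_tlv(value, 0)
    assert tag == 0x18, "KerberosTime must be a GeneralizedTime"
    return datetime.strptime(body.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

TIME_FIELDS = {4: "authtime", 5: "starttime", 6: "endtime", 7: "renew-till"}

def parse_krb_cred_info(encoded):
    """Return a dict of the fields present; absent OPTIONAL fields are simply missing."""
    tag, body, _ = read_tlv(encoded, 0)
    assert tag == 0x30, "KrbCredInfo must be a SEQUENCE"
    fields, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        assert (tag & 0xE0) == 0xA0, "expected a context-specific constructed tag"
        n = tag & 0x1F
        if n == 0:
            fields["key"] = inner          # raw EncryptionKey, not decoded here
        elif n in TIME_FIELDS:
            fields[TIME_FIELDS[n]] = parse_kerberos_time(inner)
        else:
            fields[n] = inner              # prealm, pname, flags, ... kept raw
    return fields

def ticket_times(info, strict):
    """strict=True reproduces the rejection this bug describes; strict=False is the
    fixed behaviour: a missing authtime stays None instead of being fabricated."""
    authtime = info.get("authtime")
    if authtime is None and strict:
        raise ValueError("Authentication time of ticket cannot be null")
    return authtime, info["endtime"]

def accepts(encoded, strict):
    """True if the credential info is accepted under the given policy."""
    try:
        ticket_times(parse_krb_cred_info(encoded), strict)
        return True
    except ValueError:
        return False

# Constructed samples: a session key plus endtime, with and without authtime.
START = datetime(2006, 4, 13, 10, 0, 0, tzinfo=timezone.utc)
END = datetime(2006, 4, 13, 20, 0, 0, tzinfo=timezone.utc)
ENC_KEY = tlv(0x30, ctx(0, tlv(0x02, b"\x17")) + ctx(1, tlv(0x04, b"\x00" * 16)))
WITH_AUTHTIME = tlv(0x30, ctx(0, ENC_KEY) + ctx(4, kerberos_time(START)) + ctx(6, kerberos_time(END)))
NO_AUTHTIME = tlv(0x30, ctx(0, ENC_KEY) + ctx(6, kerberos_time(END)))

if __name__ == "__main__":
    print(ticket_times(parse_krb_cred_info(WITH_AUTHTIME), strict=True))
    print(ticket_times(parse_krb_cred_info(NO_AUTHTIME), strict=False))
    print("strict rejects forwarded cred without authtime:", not accepts(NO_AUTHTIME, strict=True))
```

The lenient path deliberately returns None for authtime rather than copying starttime or endtime into it: the evaluation below notes that authtime should ideally match the ticket, but a receiver that cannot see the encrypted ticket part has no way to verify that, so the honest representation of an omitted field is "absent".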

Others have reported the same problem: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3. Note that RFC 1510, mentioned in the above link, has been obsoleted by RFC 4120.

EVALUATION Fixed to allow null authtime, as mentioned above.

EVALUATION See comments for details... Although RFC 4120 defines authtime to be optional in the KrbCredInfo, it should ideally contain the same value as from the ticket. Since most implementations do allow a null authtime, we'll go ahead and make this change to allow this.