JDK-6570062 : Kerberos authentication regression
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_2003,windows_xp
  • CPU: x86
  • Submitted: 2007-06-15
  • Updated: 2011-03-07
  • Resolved: 2011-03-07
Fix Versions:
  • Other: 1.4.2_18 (Fixed)
  • JDK 6: 6u4 (Fixed)
  • JDK 7: 7 b18 (Fixed)
Description
FULL PRODUCT VERSION :
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
jdk-6u1-windows-i586-p.exe

ADDITIONAL OS VERSION INFORMATION :
Windows Server 2003 SP2

A DESCRIPTION OF THE PROBLEM :
We have been using Kerberos for authentication against Windows Active Directory since Java 1.4.
After our last update from 1.5_06 to 1.5_11 (1.5_12 was also checked), the Krb5LoginModule no longer sets the error cause for a locked-out or disabled user account in the KrbException.

To make things clearer, here is part of the stack trace after a login attempt against a locked-out account (wrong passwords tried too often):

1) How it's expected (1.5_06):
...
Caused by: javax.security.auth.login.LoginException: Clients credentials have been revoked (18)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at de.siemens.med.pacs.ssc.access.authentication.BasicAuthentication.authenticate(BasicAuthentication.java:151)
	at de.siemens.med.pacs.ssc.access.authentication.KerberosAuthentication.authenticateUser(KerberosAuthentication.java:370)
	... 31 more
Caused by: KrbException: Clients credentials have been revoked (18)
	at sun.security.krb5.KrbAsRep.<init>(DashoA12275:64)
	at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
	at sun.security.krb5.Credentials.acquireTGT(DashoA12275:370)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
	... 44 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.aj.a(DashoA12275:133)
	at sun.security.krb5.internal.ax.a(DashoA12275:58)
	at sun.security.krb5.internal.ax.<init>(DashoA12275:53)
	at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
	... 47 more

2) How it is since 1.5_11:

	at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.login.LoginException: Identifier doesn't match expected value (906)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at de.siemens.med.pacs.ssc.access.authentication.BasicAuthentication.authenticate(BasicAuthentication.java:151)
	at de.siemens.med.pacs.ssc.access.authentication.KerberosAuthentication.authenticateUser(KerberosAuthentication.java:370)
	... 31 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.PAData.<init>(PAData.java:80)
	at sun.security.krb5.internal.KRBError.<init>(KRBError.java:192)
	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
	at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
	at sun.security.krb5.Credentials.sendASRequest(Credentials.java:405)
	at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
	... 44 more

The part "Caused by: KrbException: Clients credentials have been revoked (18)" is missing, and it is no longer possible to get the desired information (account locked out or disabled) from the exception.

The other reasons (e.g. wrong credentials = 24) still work.

It would be nice if the "good old" behaviour worked again in the next release.

Thanks a lot,
 Marc

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Implement a Kerberos authentication module against a Windows AD.

Lock the user out (within AD, or simply try a wrong password often enough) and check the LoginException.


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Set the correct cause error for a locked-out or disabled user.
ACTUAL -
Instead of the error code 18 (locked out user), the error 906 is set.

REPRODUCIBILITY :
This bug can be reproduced always.

Release Regression From : 5.0u6
The above release value was the last known release where this bug was not reproducible. Since then there has been a regression.

Comments
EVALUATION Will parse eData as a sequence of PA-DATA only when errorcode is 24 or 25.
20-07-2007

EVALUATION RFC 4120 says e-data is SEQUENCE OF PA-DATA only if errorCode is KDC_ERR_PREAUTH_REQUIRED, but our code thinks it's always true. In fact, the e-data of the KRB-ERROR here looks like -- 30 15 A1 03 02 01 03 A2 0E 04 0C 72 00 00 C0 00 00 00 00 01 00 00 00 which is a SEQUENCE OF { INTEGER, OCTET STRING }
15-06-2007

EVALUATION The error occurs because now we parse PA-DATA. In this case, parsePAData throws an exception and the KRBError is not successfully initialized. As the data type to specify an error condition, KRBError's constructor should better never throw an Exception.
15-06-2007
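An added illustration of the three evaluation comments above (example code, not JDK source): a small decoder that applies the stated rule, parsing e-data as SEQUENCE OF PA-DATA only for error codes 24 and 25 and keeping the bytes opaque otherwise, so that error 18 survives, and that never throws out of the error path. It goes beyond the report by reading the NTSTATUS out of the quoted AD blob using the MS-KILE KERB-ERROR-DATA layout; that layout, and the reading of 0xC0000072 as the Windows account-disabled status, are assumptions not stated in the report.

```python
# Added example (not JDK code): apply the fix described in this report, parsing e-data as
# SEQUENCE OF PA-DATA only for pre-auth errors; NTSTATUS decoding follows MS-KILE (assumption).
KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED = 18, 24, 25
KERB_ERR_TYPE_EXTENDED = 3  # MS-KILE data-type whose data-value carries an NTSTATUS

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_pa_data_seq(edata):
    """Parse SEQUENCE OF PA-DATA (RFC 4120); raise ValueError on an unexpected tag."""
    tag, body, _ = der_tlv(edata)
    if tag != 0x30:
        raise ValueError("e-data is not a SEQUENCE")
    items, pos = [], 0
    while pos < len(body):
        tag, pa, pos = der_tlv(body, pos)
        if tag != 0x30:  # the AD blob fails right here: its first element is tagged [1]
            raise ValueError("Identifier doesn't match expected value")
        t1, ptype, p = der_tlv(pa)    # [1] padata-type
        t2, pval, _ = der_tlv(pa, p)  # [2] padata-value
        if (t1, t2) != (0xA1, 0xA2):
            raise ValueError("Identifier doesn't match expected value")
        items.append((int.from_bytes(der_tlv(ptype)[1], "big"), der_tlv(pval)[1]))
    return items

def decode_ms_ext_error(edata):
    """NTSTATUS from MS-KILE KERB-ERROR-DATA {[1] data-type, [2] data-value}, else None."""
    try:
        _, body, _ = der_tlv(edata)
        t1, dtype, p = der_tlv(body)
        t2, dval, _ = der_tlv(body, p)
        if (t1, t2) != (0xA1, 0xA2) or der_tlv(dtype)[1] != bytes([KERB_ERR_TYPE_EXTENDED]):
            return None
        # KERB-EXT-ERROR: status, reserved, flags as little-endian ULONGs; status comes first
        return int.from_bytes(der_tlv(dval)[1][:4], "little")
    except IndexError:  # an error carrier must never itself throw on odd input
        return None

def decode_krb_error_edata(error_code, edata):
    """The fixed rule: PA-DATA parse only for codes 24/25; everything else stays opaque."""
    if error_code in (KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED):
        return {"error_code": error_code, "pa_data": parse_pa_data_seq(edata)}
    return {"error_code": error_code, "raw_edata": edata, "ntstatus": decode_ms_ext_error(edata)}

# e-data quoted in the evaluation comment, constructed here from that hex dump
AD_EDATA = bytes.fromhex("30 15 A1 03 02 01 03 A2 0E 04 0C 72 00 00 C0 00 00 00 00 01 00 00 00")
```

Calling parse_pa_data_seq(AD_EDATA) directly reproduces the pre-fix failure ("Identifier doesn't match expected value"), while decode_krb_error_edata(KDC_ERR_CLIENT_REVOKED, AD_EDATA) keeps error code 18 and yields NTSTATUS 0xC0000072.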