JDK-6582600 : Kerberos parsing e-data for error codes other than 25
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_xp
  • CPU: x86
  • Submitted: 2007-07-19
  • Updated: 2011-02-16
  • Resolved: 2007-07-19
Related Reports
Duplicate :  
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode)

Microsoft Windows XP [Version 5.1.2600]

I am authenticating users using JAAS/Kerberos against Active Directory.

When authenticating a user with a locked account, I expect to get  back
Kerberos error 18 (Client credentials have been revoked), but instead I
get error 906 (Identifier doesn't match expected value).

Looking at the debug trace, I can see that Active Directory is returning the correct error I want (error code 18).

But during the parsing of the returned message, another exception is occuring inside "PAData.java" that is overriding the original error.
(stack trace included)

  To debug the problem, I downloaded PAData.java and KRBError.java
from the OpenJDK project and added them to my bootclasspath.
What I found was that the code was trying to make a KRBError instance
for the correct error message (error 18), but there was "eData" in the
message returned from AD.

It passes this data (in a DerValue object) to the PAData class
constructor to parse. The PAData class calls DerValue.getTag()
and this returns a value of -95. But if the value is anthing but the
constant "DerValue.tag_Sequence" (48), than PAData throws a
new Kerberos Exception with "Identifier doesn't match expected
value (906)", which ends up trumping the original error.

According to RFC 4120 (page 96), e-data is a "SEQUENCE OF PA-DATA"
only when the error code is KDC_ERR_PREAUTH_REQUIRED
(error code 25).

In this case, the error code was KDC_ERR_CLIENT_REVOKED
(error code 18), and thus the e-data is "implementation-defined"
and should not be parsed.

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
17:44:17,562 INFO  [STDOUT] 		[Krb5LoginModule] user entered username: locked_user
17:44:17,562 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
17:44:17,562 INFO  [STDOUT] default etypes for default_tkt_enctypes:
17:44:17,562 INFO  [STDOUT]  3
17:44:17,562 INFO  [STDOUT]  1
17:44:17,562 INFO  [STDOUT]  23
17:44:17,562 INFO  [STDOUT]  16
17:44:17,562 INFO  [STDOUT]  17
17:44:17,562 INFO  [STDOUT] .
17:44:17,671 INFO  [STDOUT] Acquire TGT using AS Exchange
17:44:17,671 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
17:44:17,671 INFO  [STDOUT] default etypes for default_tkt_enctypes:
17:44:17,671 INFO  [STDOUT]  3
17:44:17,671 INFO  [STDOUT]  1
17:44:17,671 INFO  [STDOUT]  23
17:44:17,671 INFO  [STDOUT]  16
17:44:17,671 INFO  [STDOUT]  17
17:44:17,671 INFO  [STDOUT] .
17:44:17,687 INFO  [STDOUT] >>> KrbAsReq calling createMessage
17:44:17,687 INFO  [STDOUT] >>> KrbAsReq in createMessage
17:44:17,687 INFO  [STDOUT] >>> KrbKdcReq send: kdc=ad.mydomain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
17:44:17,687 INFO  [STDOUT] >>> KDCCommunication: kdc=ad.mydomain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
17:44:17,687 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=123
17:44:17,687 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=123
17:44:17,687 INFO  [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
17:44:17,687 INFO  [STDOUT] >>>KRBError:
17:44:17,687 INFO  [STDOUT] 	 sTime is Thu Jul 12 17:45:36 EDT 2007 1184276736000
17:44:17,687 INFO  [STDOUT] 	 suSec is 912064
17:44:17,687 INFO  [STDOUT] 	 error code is 18
17:44:17,687 INFO  [STDOUT] 	 error Message is Clients credentials have been revoked
17:44:17,687 INFO  [STDOUT] 	 realm is MYDOMAIN.COM
17:44:17,687 INFO  [STDOUT] 	 sname is krbtgt/MYDOMAIN.COM
17:44:17,687 INFO  [STDOUT] 	 eData provided.
17:44:17,687 INFO  [STDOUT] 	 msgType is 30
17:44:17,687 INFO  [STDOUT] 		[Krb5LoginModule] authentication failed
Identifier doesn't match expected value (906)
17:44:17,812 ERROR [JaasAuthenticationProvider] error logging in
javax.security.auth.login.LoginException: Identifier doesn't match expected value (906)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.PAData.<init>(PAData.java:80)
	at sun.security.krb5.internal.KRBError.<init>(KRBError.java:192)
	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
	at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
	at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
	at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
	... 47 more

This bug can be reproduced always.

EVALUATION The error is only seen when using Active Directory. For all Pre-authentication failures (24 or 25), the KRB-ERROR includes PA-DATA as part of the e-data. For all other error codes, typically the e-data is null. However, Windows does include an e-data. As per the Kerberos specification, the e-data field is OPTIONAL. It includes the PA-DATA only when KDC returns pre-authentication errors For all other error codes, the format and contents of the e-data field are implementation-defined. Hence, for all other error-codes e-data should not be parsed. The same issue has been reported in bug 6570062, hence closing this bug. Seema