cloudsoft / winrm4j

Apache License 2.0

Getting exception with kerberos authentication on Multiple AD Domain servers #119

Open kmrkishorejava opened 4 years ago

kmrkishorejava commented 4 years ago

We are using winrm4j for Kerberos authentication to connect and run a PowerShell command on a remote Windows machine, and we are getting the exception below. Please help.

java.lang.RuntimeException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Message stream modified (41)))
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:86)
    at org.apache.cxf.transport.http.auth.SpnegoAuthSupplier.getAuthorization(SpnegoAuthSupplier.java:37)
    at org.apache.cxf.transport.http.HTTPConduit.setHeadersByAuthorizationPolicy(HTTPConduit.java:792)
    at org.apache.cxf.transport.http.HTTPConduit.prepare(HTTPConduit.java:558)
    at org.apache.cxf.interceptor.MessageSenderInterceptor.handleMessage(MessageSenderInterceptor.java:46)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
    at com.sun.proxy.$Proxy220.create(Unknown Source)
    at io.cloudsoft.winrm4j.client.WinRmClient$3.call(WinRmClient.java:805)
    at io.cloudsoft.winrm4j.client.WinRmClient$3.call(WinRmClient.java:800)
    at io.cloudsoft.winrm4j.client.WinRmClient.winrmCallRetryConnFailure(WinRmClient.java:897)
    at io.cloudsoft.winrm4j.client.WinRmClient.doCreateService_3_InitializeClientAndService(WinRmClient.java:800)
    at io.cloudsoft.winrm4j.client.WinRmClient.doCreateServiceWithReflectivelySetDelegate(WinRmClient.java:607)
    at io.cloudsoft.winrm4j.client.WinRmClient.createService(WinRmClient.java:536)
    at io.cloudsoft.winrm4j.client.WinRmClient.getService(WinRmClient.java:504)
    at io.cloudsoft.winrm4j.client.WinRmClient.command(WinRmClient.java:318)
    at io.cloudsoft.winrm4j.winrm.WinRmTool.executeCommand(WinRmTool.java:243)
    at io.cloudsoft.winrm4j.winrm.WinRmTool.executePs(WinRmTool.java:258)
    at **.commandexecutor.impl.WinRM4JPowershellCommandExecutor.executeCommand(WinRM4JPowershellCommandExecutor.java:61)
    at **.scheduler.task.async.ExecuteCommandActionTask.checkExecuteOnVm(ExecuteCommandActionTask.java:168)
    at **.scheduler.task.async.ExecuteCommandActionTask.executeCommand(ExecuteCommandActionTask.java:96)
    at **.scheduler.task.async.ExecuteCommandActionTask.execute(ExecuteCommandActionTask.java:53)
    at **.quartz.jobs.AsyncTaskExecuterJob.executeJob(AsyncTaskExecuterJob.java:100)
    at **.quartz.jobs.AsyncTaskExecuterJob.execute(AsyncTaskExecuterJob.java:58)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Message stream modified (41)))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier$CreateServiceTicketAction.run(AbstractSpnegoAuthSupplier.java:209)
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier$CreateServiceTicketAction.run(AbstractSpnegoAuthSupplier.java:199)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getToken(AbstractSpnegoAuthSupplier.java:143)
    at org.apache.cxf.transport.http.auth.AbstractSpnegoAuthSupplier.getAuthorization(AbstractSpnegoAuthSupplier.java:81)
    ... 30 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
    ... 38 more
Caused by: KrbException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:50)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    ... 42 more

Sample Krb configuration file:

    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
    default_realm = CEHTST.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    [realms]
    UP.COM = {
        kdc = ABCDEF123.UP.COM
        admin_server = ABCDEF123.UP.COM
    }
    DOWN.COM = {
        kdc = ABCDEF234.DOWN.COM
        admin_server = ABCDEF234.DOWN.COM
    }

    [domain_realm]
    .up.com = .UP.COM
    up.com = UP.COM

    .down.com = .DOWN.COM
    down.com = DOWN.COM

    [capaths]
    UP.COM = {
        DOWN.COM = .
    }
    DOWN.COM = {
        UP.COM = .
    }

Kinit result:

    [UP\cross_domain@ABCDEF123 etc]$ klist
    Ticket cache: FILE:/tmp/krb5cc_16777276
    Default principal: cross_domain@DOWN.COM

    Valid starting       Expires              Service principal
    03/10/2020 16:30:50  03/11/2020 02:30:50  krbtgt/DOWN.COM@DOWN.COM
            renew until 03/17/2020 16:30:45
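
An added example, not part of the original issue and not winrm4j code: a small Python check that parses a krb5.conf and lists realm names that are referenced but have no entry under [realms], which is a quick first pass over a multi-realm setup like the one posted above. The sample is an abridged, constructed copy of that configuration; `parse_krb5` and `realm_findings` are hypothetical helper names and the parser handles only the subset of krb5.conf syntax used here.

```python
import re
# Constructed sample: abridged copy of the krb5.conf posted in this issue.
SAMPLE = """\
[libdefaults]
default_realm = CEHTST.COM
[realms]
UP.COM = {
  kdc = ABCDEF123.UP.COM
}
DOWN.COM = {
  kdc = ABCDEF234.DOWN.COM
}
[domain_realm]
.up.com = .UP.COM
up.com = UP.COM
.down.com = .DOWN.COM
down.com = DOWN.COM
"""

def parse_krb5(text):
    """Parse sections, 'key = value' lines and one level of '{ }' blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def realm_findings(conf):
    """List realm names that are used but have no entry under [realms]."""
    realms = set(conf.get("realms", {}))
    findings = []
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        findings.append(f"default_realm {default} is not defined in [realms]")
    for suffix, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] {suffix} maps to undefined realm {realm}")
    return findings

print(*realm_findings(parse_krb5(SAMPLE)), sep="\n")
```

With `dns_lookup_kdc = true` a realm missing from [realms] can still be located through DNS, so each finding is a lead to verify against the environment rather than a diagnosis of the exception.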

aledsage commented 4 years ago

Can you share the winrm4j code you're using as well, please, @kmrkishorejava?