Java clients fail to authenticate against servers using `gokrb5`

[bendemott]

I'm triggering this line of code and getting gssapi.StatusContinueNeeded response, when attempting to authenticate from any Java Kerberos client.

        if m.Equal(gssapi.OID(gssapi.OIDKRB5)) || m.Equal(gssapi.OID(gssapi.OIDMSLegacyKRB5)) {
            if n.mechToken == nil && n.MechTokenBytes == nil {
                return false, gssapi.Status{Code: gssapi.StatusContinueNeeded}
            }

• It seems to think the mechanism token is null or empty?

Any help or suggestions of what to try are greatly appreciated

I believe the Java Spnego payload is VALID, but perhaps the gokrb5 library is reading the payload improperly causing the error above.

• Hashicorp Vault uses gokrb5, and it will not authenticate Java Spnego clients.
• I also tested my Spnego token against a simple standalone gokrb5 example and receive the same error.

Java Client

• I've tested with both kerb4j as well as my own custom client and I get the same result.

• kerb4j example code

      SpnegoClient spnegoClient = SpnegoClient.loginWithKeyTab("user@EXAMPLE.COM", "./user.keytab");
      SpnegoContext spnegoClient.createContextForSPN("service/host.example.com");
      String spnegoToken = context.createTokenAsAuthroizationHeader();
      System.out.println("Spnego Token is: " + spnegoToken);

• If Java is told to use the native GSS library (via -Dsun.security.jgss.native=true) authentication does work.

• The local authentication works perfectly, the ticket getting ticket authentication works.

• A valid Spnego token is generated - I've used pyspnego-parse cli available from PySpnego python project to parse a valid payload and an invalid payload.

Valid and Invalid Spnego Payloads

• if you notice the invalid payload sends "name-type": "NT-UNKNOWN (0)",
  I believe this is related to a decision in the JAVA Api to default to NT-UNKNOWN
  It seems all clients behave this way. And this may very well be the issue.
• There are very few other differences, the good payload sends "reqFlags": null,
  The bad sends additional values.

Valid Spnego Payload (Python Client / native GSS API)

{
    "MessageType": "SPNEGO InitialContextToken",
    "Data": {
        "thisMech": "SPNEGO (1.3.6.1.5.5.2)",
        "innerContextToken": {
            "MessageType": "SPNEGO NegTokenInit",
            "Data": {
                "mechTypes": [
                    "Kerberos (1.2.840.113554.1.2.2)"
                ],
                "reqFlags": null,

                "mechToken": {
                    "MessageType": "SPNEGO InitialContextToken",
                    "Data": {
                        "thisMech": "Kerberos (1.2.840.113554.1.2.2)",
                        "innerContextToken": {
                            "MessageType": "AP-REQ (14)",
                            "Data": {
                                "pvno": 5,
                                "msg-type": "AP-REQ (14)",
                                "ap-options": {
                                    "raw": 0,
                                    "flags": []
                                },
                                "ticket": {
                                    "tkt-vno": 5,
                                    "realm": "EXAMPLE.COM",
                                    "sname": {
                                        "name-type": "NT-SRV-HST (3)",
                                        "name-string": [
                                            "vaultsvc",
                                            "vault.example.com"
                                        ]
                                    },
                                    "enc-part": {
                                        "etype": "AES256_CTS_HMAC_SHA1_96 (18)",
                                        "kvno": 1,
                                        "cipher": "B1112B-----"
                                    }
                                },
                                "authenticator": {
                                    "etype": "AES256_CTS_HMAC_SHA1_96 (18)",
                                    "kvno": null,
                                    "cipher": "EC9B85----"
                                }
                            },
                            "RawData": "01006E82-----"
                        }
                    },
                    "RawData": "6082028B-----"
                },
                "mechListMIC": null
            },
            "RawData": "A08202AA----"
        }
    },
    "RawData": "608202----"
}

Invalid Spnego Payload (Java Client)

{
    "MessageType": "SPNEGO InitialContextToken",
    "Data": {
        "thisMech": "SPNEGO (1.3.6.1.5.5.2)",
        "innerContextToken": {
            "MessageType": "SPNEGO NegTokenInit",
            "Data": {
                "mechTypes": [
                    "Kerberos (1.2.840.113554.1.2.2)"
                ],
                "reqFlags": {
                    "raw": 0,
                    "flags": [
                        "delegFlag (0)"
                    ]
                },
                "mechToken": {
                    "MessageType": "SPNEGO InitialContextToken",
                    "Data": {
                        "thisMech": "Kerberos (1.2.840.113554.1.2.2)",
                        "innerContextToken": {
                            "MessageType": "AP-REQ (14)",
                            "Data": {
                                "pvno": 5,
                                "msg-type": "AP-REQ (14)",
                                "ap-options": {
                                    "raw": 0,
                                    "flags": []
                                },
                                "ticket": {
                                    "tkt-vno": 5,
                                    "realm": "EXAMPLE.COM",
                                    "sname": {
                                        "name-type": "NT-UNKNOWN (0)",
                                        "name-string": [
                                            "vaultsvc",
                                            "vault.example.com"
                                        ]
                                    },
                                    "enc-part": {
                                        "etype": "AES256_CTS_HMAC_SHA1_96 (18)",
                                        "kvno": 1,
                                        "cipher": "759DC530----"
                                    }
                                },
                                "authenticator": {
                                    "etype": "AES256_CTS_HMAC_SHA1_96 (18)",
                                    "kvno": null,
                                    "cipher": "DC58A7CC5F----""
                                }
                            },
                            "RawData": "01006E820----"
                        }
                    },
                    "RawData": "608202----"
                },
                "mechListMIC": null
            },
            "RawData": "A08202----"
        }
    },
    "RawData": "6082029----"
}

[qerub]

I think this is the same as https://github.com/jcmturner/gokrb5/issues/390 that was fixed with https://github.com/jcmturner/gokrb5/pull/406.

[bendemott]

Correct, this is fixed in 406