spring-projects / spring-security-kerberos

Spring Security Kerberos
https://spring.io/projects/spring-security-kerberos

"Server not found in Kerberos database" with httpclient 4.3.3 #134

Open micheljung opened 5 years ago

micheljung commented 5 years ago

The current version 1.0.1.RELEASE uses org.apache.httpcomponents:httpclient:4.3.3. With it, calling restTemplate.getForObject() results in:

KrbException: Server not found in Kerberos database (7)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
    at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
    at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
    at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
    at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
    at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
    at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:104)
    at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:84)
    at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:161)
    at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:79)
    at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
    at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:245)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:569)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
    at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
    at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
    at com.example.KerberosPrototype.main(KerberosPrototype.java:47)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
    at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
    at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
    ... 37 more
Feb 27, 2019 2:03:07 PM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNUNG: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))

However, starting with org.apache.httpcomponents:httpclient:4.4 this error is no longer thrown. As far as I can tell, this has been fixed with https://issues.apache.org/jira/browse/HTTPCLIENT-1541

rajibhalder commented 5 years ago

I am facing the same issue: "KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database"

Though I am using org.apache.httpcomponents:httpclient:4.5.10. What could be the issue?

JDK: 1.8, Spring Boot: 2.1.7.RELEASE

Regards, Rajib

rajibhalder commented 5 years ago

Hi,

I have fixed it. It was actually not a Spring issue. It was due to a wrong server ticket name being generated because of a mismatched (canonical) hostname on the AWS platform. When I was calling it using the external DNS name, it was working, but when I deployed the client to an AWS instance where the server instance was also running, it was creating the ticket name using the internal DNS name, which is different from the ticket created using the external DNS name. But the server ticket stored in the KDC database was generated using the external DNS name of the server. After I stopped generating the canonical hostname, the problem was resolved.

Thank you.
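The mismatch described in the comment above, as an added example (not code from this thread or from spring-security-kerberos): it compares the `HTTP/<host>` service principal built from the host name in the URL with the one built from that host's canonical name. The class name, the sample host names and the injected canonicalizer are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.function.UnaryOperator;

public class SpnCanonicalizationCheck {

    /** Service principal a SPNEGO client requests for an HTTP host (realm omitted). */
    static String spn(String host) {
        return "HTTP/" + host.toLowerCase(Locale.ROOT);
    }

    /** Canonical name as this machine's resolver sees it (forward, then reverse lookup). */
    static String dnsCanonical(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return host; // unresolvable: fall back to the name as typed
        }
    }

    /** Returns null when both names give the same SPN, otherwise a description of the mismatch. */
    static String check(String url, UnaryOperator<String> canonicalizer) {
        String typed = URI.create(url).getHost();
        String asTyped = spn(typed);
        String canonical = spn(canonicalizer.apply(typed));
        if (asTyped.equals(canonical)) return null;
        return "SPN from URL host: " + asTyped + ", SPN after canonicalization: " + canonical
             + "; the KDC must know whichever one the client actually requests";
    }

    public static void main(String[] args) {
        if (args.length > 0) { // real lookup, run from the host the client is deployed on
            System.out.println(check(args[0], SpnCanonicalizationCheck::dnsCanonical));
            return;
        }
        // Constructed sample: an external name that maps to an internal name inside the VPC.
        UnaryOperator<String> insideVpc = h ->
            h.equals("api.example.com") ? "ip-10-0-0-12.internal.example" : h;
        System.out.println(check("https://api.example.com/info", insideVpc));
        System.out.println(check("https://api.example.com/info", UnaryOperator.identity()));
    }
}
```

Run it with the service URL as the argument on the machine where the client is deployed; a non-null result means the ticket request may name a principal other than the one registered in the KDC.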

akshayin commented 5 years ago

@rajibhalder I am facing the same issue. Can you please elaborate on how you stopped generating the canonical hostname in the servers?

ImMnan commented 1 year ago

This is related to https://bugs.java.com/bugdatabase/view_bug?bug_id=8210821. If you can upgrade Java to version 12 or more, you should be fine.