ASN1 Exceptions in SASL LDAP Bind

2012-11-07T15:50:39Z
As part of some authentication code we're developing, we want to retrieve some user AD attributes once we have authenticated using Kerberos. Once we have successfully called LoginContext::login(), we then attempt to run an LDAP bind and query as a privileged action using Subject::doAs(), but the bind is failing with two exceptions:

com.ibm.security.krb5.Asn1Exception, status code: 906
message: Unexpected ASN1 identifier

and

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error while decoding token: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: -3024]]

Does anyone have any clue as to what is causing the SASL libraries to fail decoding the authentication token?
I've read that the ASN1 exception may be corrected in IBM Java 1.7; however, I'm restricted to using 1.6.
The code we're using is below, followed by a full stack trace.

Thanks in advance.




import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

class MyKerberos {

    public static void main(String[] argv) {
        // usage: MyKerberos <user> <password>
        // (a password on the command line is visible in the process list; fine for a
        //  test harness, not for anything else)
        MyKerberos krb = new MyKerberos();
        krb.doLogin(argv[0], argv[1]);
    }

    public MyKerberos() {
        // JAAS entry and Kerberos client configuration used by Krb5LoginModule and JGSS
        System.setProperty("java.security.auth.login.config", "/tmp/jaas.conf");
        System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");
    }

    public boolean doLogin(String user, String pass) {
        LoginContext login = null;
        try {
            Logger.getAnonymousLogger().log(Level.INFO, "Creating Login Context");
            login = new LoginContext("MyKrb", new MyCallbackHandler(user, pass));
        } catch (LoginException lex) {
            Logger.getAnonymousLogger().log(Level.INFO, "Caught login exception\n " + lex.toString());
            return false;
        }

        try {
            // AS exchange: on success the Subject holds the TGT as a KerberosTicket private credential
            login.login();
            // run the LDAP bind under the authenticated Subject so JGSS can pick up that TGT
            Subject.doAs(login.getSubject(), new MySaslAction());
        } catch (LoginException lex) {
            Logger.getAnonymousLogger().log(Level.INFO, "Caught login exception logging in\n" + lex.toString());
            return false;
        }
        Logger.getAnonymousLogger().log(Level.INFO, "Login Succeeded!");
        return true;
    }
}

// Minimal handler feeding the user name and password to Krb5LoginModule
// (the original post references this class but does not show it)
class MyCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] pass;

    MyCallbackHandler(String user, String pass) {
        this.user = user;
        this.pass = pass.toCharArray();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(pass);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
}
---------------------------------------------------

import java.security.PrivilegedAction;
import java.util.Hashtable;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class MySaslAction implements PrivilegedAction<Object> {

    @Override
    public Object run() {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://adsrv1.foo.bar.local");
        // SASL GSSAPI bind: the Krb5 mechanism takes the TGT from the Subject we run under
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put(Context.REFERRAL, "follow");
        // "false": the client does not require the server to authenticate itself,
        // i.e. no mutual authentication in the GSSAPI handshake
        env.put("javax.security.sasl.server.authentication", "false");
        System.out.println(env.toString());

        DirContext ldapCtx = null;
        try {
            ldapCtx = new InitialDirContext(env);   // the SASL bind happens here
            Logger.getAnonymousLogger().log(Level.INFO, ldapCtx.toString());
        } catch (NamingException ne) {
            Logger.getAnonymousLogger().log(Level.INFO, "NamingException\n" + ne.toString());
        } finally {
            if (ldapCtx != null) {
                try { ldapCtx.close(); } catch (NamingException ignored) { }
            }
        }
        return null;
    }
}
---------------------------------------------------


Our JAAS config is as follows

MyKrb {
    com.ibm.security.auth.module.Krb5LoginModule required
        debug=true
        forwardable=true
        tryFirstPass=true
        userFirstPass=true;
};


And the krb5 is

[libdefaults]
    default_realm = FOO.BAR.LOCAL
    forwardable = true
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96

[realms]
    FOO.BAR.LOCAL = {
        default_domain = FOO.BAR.LOCAL
        kdc = ADSRV1.FOO.BAR.LOCAL
    }
    BAR.OTHER.LOCAL = {
        default_domain = BAR.OTHER.LOCAL
        kdc = ADSRV2.FOO.BAR.LOCAL
    }

And the stack trace
07-Nov-2012 14:25:32 krb.CrisKerberos doLogin
INFO: Creating LDAP Context...
{java.naming.provider.url=ldap://adsrv1.foo.bar.local, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.security.authentication=GSSAPI, java.naming.referral=follow}
com.ibm.security.krb5.Asn1Exception, status code: 906
message: Unexpected ASN1 identifier
at com.ibm.security.krb5.internal.KDCRep.a(KDCRep.java:6)
at com.ibm.security.krb5.internal.TGSRep.a(TGSRep.java:1)
at com.ibm.security.krb5.internal.TGSRep.<init>(TGSRep.java:5)
at com.ibm.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:66)
at com.ibm.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:134)
at com.ibm.security.krb5.internal.n.e(n.java:238)
at com.ibm.security.krb5.internal.n.d(n.java:263)
at com.ibm.security.krb5.Credentials.acquireSvcCreds(Credentials.java:483)
at com.ibm.security.jgss.mech.krb5.n.a(n.java:973)
at com.ibm.security.jgss.mech.krb5.n.initSecContext(n.java:450)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:481)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:280)
at com.ibm.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:174)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:117)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:224)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2732)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:308)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:187)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:205)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:148)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:239)
at javax.naming.InitialContext.initializeDefaultInitCtx(InitialContext.java:318)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:348)
at javax.naming.InitialContext.internalInit(InitialContext.java:286)
at javax.naming.InitialContext.<init>(InitialContext.java:211)
at krb.MySaslAction.run(CrisSaslAction.java:31)
at java.security.AccessController.doPrivileged(AccessController.java:224)
at javax.security.auth.Subject.doAs(Subject.java:495)
at krb.MyKerberos.doLogin(MyKerberos.java:68)
at krb.MyKerberos.main(MyKerberos.java:27)
07-Nov-2012 14:25:32 krb.MySaslAction run
INFO: NamingException
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error while decoding token: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: -3024]]
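Added example, not code from the original post: a JGSS-only probe that separates the two halves of what the posted code does. The stack trace puts the Asn1Exception inside Credentials.acquireSvcCreds / KrbTgsReq.getReply, called from initSecContext, i.e. while the Krb5 mechanism fetches the service ticket for the LDAP server and before any SASL or LDAP bytes are exchanged. So the same failure should be reproducible with a bare GSSContext, with JNDI out of the picture. The class name GssProbe, the JAAS entry "MyKrb", the host adsrv1.foo.bar.local and the service name ldap@adsrv1.foo.bar.local are assumptions taken from the post; the MyCallbackHandler class is the one the post's code references.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class GssProbe {

    // Assumed values matching the post (hypothetical names, not from the original code)
    private static final String JAAS_ENTRY = "MyKrb";
    private static final String LDAP_HOST = "adsrv1.foo.bar.local";
    private static final String KRB5_MECH = "1.2.840.113554.1.2.2"; // Kerberos V5 GSS mechanism OID

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.auth.login.config", "/tmp/jaas.conf");
        System.setProperty("java.security.krb5.conf", "/tmp/krb5.conf");

        LoginContext lc = new LoginContext(JAAS_ENTRY, new MyCallbackHandler(args[0], args[1]));
        lc.login();                       // AS exchange only
        Subject subject = lc.getSubject();

        // Step 1: confirm the AS exchange produced a TGT and see which enctype it uses
        dumpTickets(subject);

        // Step 2: TGS exchange and AP-REQ token for ldap@host, no LDAP connection involved
        try {
            byte[] token = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
                public byte[] run() throws GSSException {
                    return buildInitialToken(LDAP_HOST);
                }
            });
            // a Krb5 GSS initial token is an APPLICATION 0 wrapper, so the first byte is 0x60
            System.out.println("initial GSSAPI token: " + token.length + " bytes, first byte 0x"
                    + String.format("%02x", token[0] & 0xff));
        } catch (PrivilegedActionException pae) {
            Throwable cause = pae.getCause();
            if (cause instanceof GSSException) {
                GSSException ge = (GSSException) cause;
                System.out.println("GSS failure in TGS/AP-REQ step: major=" + ge.getMajorString()
                        + " minor=" + ge.getMinorString());
            } else {
                throw pae;
            }
        }
    }

    /** Prints every Kerberos ticket held by the Subject; right after login() that is the TGT. */
    static void dumpTickets(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.out.println("no KerberosTicket in Subject: login() did not yield a TGT");
        }
        for (KerberosTicket t : tickets) {
            // session key type: 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96, 23 = rc4-hmac
            System.out.println("ticket for " + t.getServer()
                    + " client=" + t.getClient()
                    + " enctype=" + t.getSessionKeyType()
                    + " forwardable=" + t.isForwardable()
                    + " expires=" + t.getEndTime());
        }
    }

    /**
     * Runs only the client side of the Krb5 GSS handshake. initSecContext() with an empty
     * input triggers the TGS-REQ for ldap@host and builds the first token; the decoding
     * error from the post, if it is independent of LDAP, surfaces here as a GSSException.
     */
    static byte[] buildInitialToken(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName("ldap@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, new Oid(KRB5_MECH), null,
                GSSContext.DEFAULT_LIFETIME);
        try {
            // ask the server to prove possession of the service key, unlike
            // javax.security.sasl.server.authentication=false in the posted JNDI env
            ctx.requestMutualAuth(true);
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }
}
```

Run it with the same user, jaas.conf and krb5.conf as the posted code. If step 1 lists a TGT and step 2 throws, the problem sits in the TGS exchange between the client and the KDC for this service principal rather than in the SASL or LDAP layer, and a capture of the Kerberos traffic on port 88 during step 2 will show what the KDC actually sent back in reply to the TGS-REQ. If step 2 returns a token, the bare mechanism works and the difference has to be in how the SASL GSSAPI client drives it.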