samizdat / Tickets / #3 Server receives a Service Ticket it cant decrypt

#3 Server receives a Service Ticket it cant decrypt - due to crypt mismatch

Milestone: 1.0.0

Status: open

Owner: nobody

Labels: kerberos (1)

Updated: 2012-11-09

Created: 2012-11-08

Creator: Jim Doyle

Private: No

The client was configured to send ktester3@WINKLESSNESS.... as a service ticket. That Principal, in the KDC, was setup to use all EncTypes.
The server was configured to run as appserver/string-reversal@WINKLESSNESS....

When the server got a service ticket, albeit for the wrong identity, it barfed on decrypt, likely due to crypto mismatch. Using JDK 7 on Windows Vista and MIT Krb 1.10. Here's the
ambiguous stack track:

RPC Server ready for remote authenticated requests....
[qtp1007764900-15] ERROR net.sf.samizdat.messaging.receiver.Krb5GssReceiver - Ex
ception during GSS Message Processing; gss major code11, gss minor code -1, reas
onFailure unspecified at GSS-API level
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum fa
iled)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at net.sf.samizdat.messaging.receiver.Krb5GssReceiver.run(Krb5GssReceive
r.java:82)
at net.sf.samizdat.messaging.receiver.Krb5GssReceiver.run(Krb5GssReceive
r.java:53)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at net.sf.samizdat.messaging.receiver.AbstractKerberizedReceiver.generic
Transform(AbstractKerberizedReceiver.java:65)
at net.sf.samizdat.messaging.receiver.MapMessageReceiver.transform(MapMe
ssageReceiver.java:43)
at net.sf.samizdat.messaging.service.Krb5GenericMessageService.unpackKer
berizedMapMessage(Krb5GenericMessageService.java:68)
at net.sf.samizdat.messaging.service.Krb5GenericMessageService.decodeSer
viceTicket(Krb5GenericMessageService.java:94)
at net.sf.samizdat.rpc.impl.http.SamizdatRPCServlet.doGet(SamizdatRPCSer
vlet.java:240)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:546
)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java
:479)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandl
er.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandl
er.java:1031)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:
406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandle
r.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandle
r.java:965)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.j
ava:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper
.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(Abstrac
tHttpConnection.java:449)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.header
Complete(AbstractHttpConnection.java:910)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:647)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:233)

    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnecti

on.java:76)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEn
dPoint.java:615)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEnd
Point.java:45)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPoo
l.java:599)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool
.java:534)
at java.lang.Thread.run(Unknown Source)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Unkn
own Source)
at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Unkn
own Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at sun.security.krb5.KrbApReq.<init>(Unknown Source)
at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 34 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(Unknown Source)

    at sun.security.krb5.internal.crypto.Des3.decrypt(Unknown Source)
    ... 40 more

[qtp1007764900-15] WARN org.eclipse.jetty.servlet.ServletHandler - /samizdat/rpc

net.sf.samizdat.messaging.service.Krb5InvalidTicketException: Recv fault during
Ticket operation ticketDecryptOK? false , gss major code:-1, reasonText=Failure
unspecified at GSS-API level
at net.sf.samizdat.messaging.receiver.Krb5GssReceiver.run(Krb5GssReceive
r.java:129)
at net.sf.samizdat.messaging.receiver.Krb5GssReceiver.run(Krb5GssReceive
r.java:53)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at net.sf.samizdat.messaging.receiver.AbstractKerberizedReceiver.generic
Transform(AbstractKerberizedReceiver.java:65)
at net.sf.samizdat.messaging.receiver.MapMessageReceiver.transform(MapMe
ssageReceiver.java:43)
at net.sf.samizdat.messaging.service.Krb5GenericMessageService.unpackKer
berizedMapMessage(Krb5GenericMessageService.java:68)
at net.sf.samizdat.messaging.service.Krb5GenericMessageService.decodeSer
viceTicket(Krb5GenericMessageService.java:94)
at net.sf.samizdat.rpc.impl.http.SamizdatRPCServlet.doGet(SamizdatRPCSer
vlet.java:240)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:546
)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java
:479)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandl
er.java:225)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandl
er.java:1031)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:
406)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandle
r.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandle
r.java:965)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.j
ava:117)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper
.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:349)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(Abstrac
tHttpConnection.java:449)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.header
Complete(AbstractHttpConnection.java:910)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:647)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:233)

    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnecti

Discussion

summary: Server receives a Service Ticket it cant decrypt - do to crypt mismatch --> Server receives a Service Ticket it cant decrypt - due to crypt mismatch
Description has changed:

Diff:

--- old
+++ new
@@ -2,7 +2,7 @@
 The server was configured to run as appserver/string-reversal@WINKLESSNESS....

 When the server got a service ticket, albeit for the wrong identity, it barfed on decrypt, likely due to crypto mismatch.   Using JDK 7 on Windows Vista and MIT Krb 1.10.  Here's the
-ambigious stack track:
+ambiguous stack track:

 RPC Server ready for remote authenticated requests....
 [qtp1007764900-15] ERROR net.sf.samizdat.messaging.receiver.Krb5GssReceiver - Ex

Server receives a Service Ticket it cant decrypt - due to crypt mismatch

Kerberized Messaging Toolkit for Java

Milestone

Searches

Help

#3 Server receives a Service Ticket it cant decrypt - due to crypt mismatch

Discussion