spring-security-kerberos

"Server not found in Kerberos database" with httpclient 4.3.3

Open micheljung opened this issue 6 years ago • 4 comments

The current version 1.0.1.RELEASE uses org.apache.httpcomponents:httpclient:4.3.3. With it, calling restTemplate.getForObject() results in:

KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:104)
	at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:84)
	at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:161)
	at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:79)
	at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
	at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:245)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:569)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
	at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
	at com.example.KerberosPrototype.main(KerberosPrototype.java:47)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
	... 37 more
Feb 27, 2019 2:03:07 PM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNUNG: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))

However, starting with org.apache.httpcomponents:httpclient:4.4 this error is no longer thrown. As far as I can tell, this has been fixed with https://issues.apache.org/jira/browse/HTTPCLIENT-1541

micheljung avatar Feb 27 '19 13:02 micheljung

I am facing the same issue: "KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database"

Though I am using org.apache.httpcomponents:httpclient:4.5.10. What could be the issue?

JDK: 1.8 Spring Boot: 2.1.7.RELEASE

Regards, Rajib

rajibhalder avatar Sep 20 '19 20:09 rajibhalder

Hi,

I have fixed it. It was actually not a Spring issue. It was due to a wrong server ticket name generated because of a mismatched hostname (canonical) on the AWS platform. When I was calling it using the external DNS name, it was working, but when I deployed the client to an AWS instance where the server instance was also running, it was creating the ticket name using the internal DNS name, which is different from the ticket created using the external DNS name. But the server ticket stored in the KDC database was generated using the external DNS name of the server. After stopping the generation of the canonical hostname, the problem is resolved.

Thank you.

rajibhalder avatar Sep 28 '19 18:09 rajibhalder
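
A way to check for the hostname mismatch described in the comment above, as an added example (not code from this thread or from spring-security-kerberos): it prints the `HTTP/<host>` service principal name built from the URL as typed next to the one built from the canonical (reverse-DNS) name. The class name `SpnCheck` and the default URL are assumptions; run it on the client host with the URL you actually call.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;

/** Added diagnostic (hypothetical class name): compares the two SPNs a client could request. */
public class SpnCheck {

    /** SPN built from the host name exactly as it appears in the URL (port dropped). */
    static String spnAsTyped(URI uri) {
        return "HTTP/" + uri.getHost().toLowerCase(Locale.ROOT);
    }

    /** SPN built after a forward and reverse DNS lookup, i.e. from the canonical name. */
    static String spnCanonical(URI uri) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(uri.getHost());
        // getCanonicalHostName() falls back to the textual IP if the reverse lookup fails.
        return "HTTP/" + addr.getCanonicalHostName().toLowerCase(Locale.ROOT);
    }

    /** One-line verdict for a URL: do both derivations name the same service principal? */
    static String report(String url) {
        URI uri = URI.create(url);
        if (uri.getHost() == null) {
            return url + ": no host component, cannot derive an SPN";
        }
        String typed = spnAsTyped(uri);
        try {
            String canonical = spnCanonical(uri);
            if (typed.equals(canonical)) {
                return url + ": OK, both derivations give " + typed;
            }
            // A client that canonicalizes asks the KDC for 'canonical'; if only 'typed'
            // is registered there, the KDC answers "Server not found in Kerberos database (7)".
            return url + ": MISMATCH, as typed " + typed + " vs canonical " + canonical;
        } catch (UnknownHostException e) {
            return url + ": host does not resolve, only " + typed + " can be requested";
        }
    }

    public static void main(String[] args) {
        // Constructed default so the program also runs offline; pass real URLs as arguments.
        String[] urls = args.length > 0 ? args : new String[] {"http://localhost:8080/"};
        for (String u : urls) {
            System.out.println(report(u));
        }
    }
}
```

Compare both printed names with the principals actually registered for the service in the KDC or in the server's keytab.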

@rajibhalder I am facing the same issue. Can you please elaborate on how you stopped generating the canonical hostname on the servers?

akshayin avatar Oct 13 '19 12:10 akshayin

This is related to https://bugs.java.com/bugdatabase/view_bug?bug_id=8210821. If you can upgrade Java to version 12 or more, you should be fine.

ImMnan avatar Apr 18 '23 05:04 ImMnan