GSSException: message flow change (41)

I work with LDAP in forest architecture (all servers and my server are windows). I bind to AD using NTLM authentication.

I have a JAVA code that performs operations with an LDAP server.

The code is wrapped like a tomcat servlet.

When you directly run the JAVA code (just executing the LDAP authentication code as an application), the binding works both with the local domain (local domain = I logged in to Windows and started this process with the user of this domain) and foreign domains.

When running JAVA code as a servlet, binding works and authenticates users from one domain, but does not work, if I try to authenticate users from another domain, this will not work (it will only work if you restart tomcat).

I get an exception:

GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]] 

I mentioned that this is the same code with the same configurations and the same krb5 file.

Edit: Additional Information:

This is my code:

 public void func(String realm, String kdc) { try { URL configURL = getClass().getResource("jaas_ntlm_configuration.txt"); System.setProperty("java.security.auth.login.config", configURL.toString()); System.setProperty("java.security.krb5.realm", realm); System.setProperty("java.security.krb5.kdc",kdc); // If the application is run on NT rather than Unix, use this name String loginAppName = "MyConfig"; // Create login context LoginContext lc = new LoginContext(loginAppName, new SampleCallbackHandler()); // Retrieve the information on the logged-in user lc.login(); // Get the authenticated subject Subject subject = lc.getSubject(); System.out.println(subject.toString()); Subject.doAs(subject, new JndiAction(new String[] { "" })); } catch (LoginException e) { e.printStackTrace(); } } class JndiAction implements java.security.PrivilegedAction { private String[] args; public JndiAction(String[] origArgs) { this.args = (String[])origArgs.clone(); } public Object run() { performJndiOperation(args); return null; } private static void performJndiOperation(String[] args) { // Set up environment for creating initial context Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // Must use fully qualified hostname env.put(Context.PROVIDER_URL, "ldap://server:389"); // Request the use of the "GSSAPI" SASL mechanism // Authenticate by using already established Kerberos credentials env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); try { // Create the initial context DirContext ctx = new InitialLdapContext(env, null); // Close the context when we're done ctx.close(); } catch (NamingException e) { e.printStackTrace(); } } } 

And the jaas_ntlm_configuration.txt file contains:

 MyConfig { com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true doNotPrompt=false; }; 

My krb5.conf file:

 # # All rights reserved. # #pragma ident @(#)krb5.conf 1.1 00/12/08 [libdefaults] default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc forwardable = true renewable = true noaddresses = true clockskew = 300 [realms] SUB1.DOMAIN.COM = { kdc = DDC.SUB1.DOMAIN.COM default_domain=DOMAIN.COM } SUB2.DOMAIN.COM = { kdc = DDC.SUB.DOMAIN.COM default_domain=DOMAIN.COM } SUB3.DOMAIN.COM = { kdc = DDC.SUB3.DOMAIN.COM default_domain=DOMAIN.COM } [domain_realm] .DOMAIN.COM = SUB1.DOMAIN.COM .DOMAIN.COM = SUB2.DOMAIN.COM .DOMAIN.COM = SUB3.DOMAIN.COM [logging] default = FILE:/var/krb5/kdc.log kdc = FILE:/var/krb5/kdc.log kdc_rotate = { # How often to rotate kdc.log. Logs will get rotated no more # often than the period, and less often if the KDC is not used # frequently. period = 1d # how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...) versions = 10 } [appdefaults] kinit = { renewable = true forwardable= true } rlogin = { forwardable= true } rsh = { forwardable= true } telnet = { autologin = true forwardable= true } 

I added the following java options:

 -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true 

If I call func ("SUB * .DOMAIN.COM", "DDC.SUB * .DOMAIN.COM") always with the same subdomain, it will work, but if I call with one subdomain and then with another, the second one will not will succeed.

Additional Information:

Here is the result with krb5.debug = true:

 java -Xmx100m -cp gssapi_test.jar -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true gssapitest.myTest my_config.txt 2 users provided. Performing authentication #1 Reading configuration file my_config.txt kdc: DDC.SUB1.DOMAIN.COM, realm: SUB1.DOMAIN.COM >>>KinitOptions cache name is C:\Users\user1\krb5cc_user1 >> Acquire default native Credentials >>> Obtained TGT from LSA: Credentials: client=user1@SUB1.DOMAIN.COM server=krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM authTime=20130422075139Z startTime=20130422075139Z endTime=20130422175139Z renewTill=20130429075139Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 23 Subject: Principal: user1@SUB1.DOMAIN.COM Private Credential: Ticket (hex) = ..... Client Principal = user1@SUB1.DOMAIN.COM Server Principal = krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S Forwardable Ticket true Forwarded Ticket false Proxiable Ticket false Proxy Ticket false Postdated Ticket false Renewable Ticket true Initial Ticket true Auth Time = Mon Apr 22 15:51:39 2013 Start Time = Mon Apr 22 15:51:39 2013 End Time = Tue Apr 23 01:51:39 2013 Renew Till = Mon Apr 29 15:51:39 2013 Client Addresses Null Connecting to LDAP Config name: krb5.conf Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013 Entered Krb5Context.initSecContext with state=STATE_NEW Service ticket not found in the subject >>> Credentials acquireServiceCreds: same realm default etypes for default_tgs_enctypes: 16 3 1. >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>> KdcAccessibility: reset >>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554 >>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554 >>> KrbKdcReq send: #bytes read=107 >>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554 >>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554 >>>DEBUG: TCPClient reading 1497 bytes >>> KrbKdcReq send: #bytes read=1497 >>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000 >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType Krb5Context setting mySeqNumber to: 1005735013 Krb5Context setting peerSeqNumber to: 0 Created InitSecContextToken: ..... Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 94 52 14 5b f6 02 28 1c a4 3c c5 8f 03 9c a2 d6 e5 f6 f1 18 ed 6f 16 ab 07 a0 00 00 04 04 04 04 ] Krb5Context.unwrap: data=[07 a0 00 00 ] Krb5Context.wrap: data=[01 01 00 00 ] Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 2d b6 92 0d d9 51 da aa ef 41 67 33 5c de b3 e6 ce 9a 46 31 a0 a8 0e 27 01 01 00 00 04 04 04 04 ] Connected Disconnected #1: Done Performing authentication #2 Reading configuration file my_config.txt kdc: DDC.SUB2.DOMAIN.COM, realm: SUB2.DOMAIN.COM >>>KinitOptions cache name is C:\Users\user1\krb5cc_user1 >> Acquire default native Credentials >>> Obtained TGT from LSA: Credentials: client=user1@SUB1.DOMAIN.COM server=krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM authTime=20130422075139Z startTime=20130422075139Z endTime=20130422175139Z renewTill=20130429075139Z flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT EType (int): 23 Subject: Principal: user1@SUB1.DOMAIN.COM Private Credential: Ticket (hex) = ..... Client Principal = user1@SUB1.DOMAIN.COM Server Principal = krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S Forwardable Ticket true Forwarded Ticket false Proxiable Ticket false Proxy Ticket false Postdated Ticket false Renewable Ticket true Initial Ticket true Auth Time = Mon Apr 22 15:51:39 2013 Start Time = Mon Apr 22 15:51:39 2013 End Time = Tue Apr 23 01:51:39 2013 Renew Till = Mon Apr 29 15:51:39 2013 Client Addresses Null Connecting to LDAP Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/ SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013 Entered Krb5Context.initSecContext with state=STATE_NEW Service ticket not found in the subject >>> Credentials acquireServiceCreds: same realm default etypes for default_tgs_enctypes: 16 3 1. >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType >>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554 >>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554 >>> KrbKdcReq send: #bytes read=107 >>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554 >>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554 >>>DEBUG: TCPClient reading 1482 bytes >>> KrbKdcReq send: #bytes read=1482 >>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType KrbException: Message stream modified (41) at sun.security.krb5.KrbKdcRep.check(Unknown Source) at sun.security.krb5.KrbTgsRep.<init>(Unknown Source) at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) at javax.naming.InitialContext.init(Unknown Source) at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source) at gssapitest.JndiAction.performJndiOperation(myTest.java:603) at gssapitest.JndiAction.run(myTest.java:577) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Unknown Source) at gssapitest.myTest.Do(myTest.java:59) at gssapitest.myTest.main(myTest.java:513) javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]] at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source) at javax.naming.spi.NamingManager.getInitialContext(Unknown Source) at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source) at javax.naming.InitialContext.init(Unknown Source) at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source) at gssapitest.JndiAction.performJndiOperation(myTest.java:603) at gssapitest.JndiAction.run(myTest.java:577) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Unknown Source) at gssapitest.myTest.Do(myTest.java:59) at gssapitest.myTest.main(myTest.java:513) Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source) ... 18 more Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41)) at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source) ... 19 more Caused by: KrbException: Message stream modified (41) at sun.security.krb5.KrbKdcRep.check(Unknown Source) at sun.security.krb5.KrbTgsRep.<init>(Unknown Source) at sun.security.krb5.KrbTgsReq.getReply(Unknown Source) at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source) at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source) at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source) ... 22 more FAILED 

What can I do? Am I something wrong?

Thanks.