"Server not found in Kerberos database" with httpclient 4.3.3 #134

Open
micheljung opened this issue Feb 27, 2019 · 4 comments

@micheljung
Contributor

The current version 1.0.1.RELEASE uses org.apache.httpcomponents:httpclient:4.3.3. With it, calling restTemplate.getForObject() results in:

KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:104)
	at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:84)
	at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:161)
	at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:79)
	at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
	at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:245)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:569)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
	at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
	at com.example.KerberosPrototype.main(KerberosPrototype.java:47)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
	... 37 more
Feb 27, 2019 2:03:07 PM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNUNG: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))

However, starting with org.apache.httpcomponents:httpclient:4.4 this error is no longer thrown.
As far as I can tell, this has been fixed with https://issues.apache.org/jira/browse/HTTPCLIENT-1541

micheljung added a commit to micheljung/spring-security-kerberos that referenced this issue Feb 27, 2019
@rajibhalder

I am facing the same issue: "KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database"

Though I am using org.apache.httpcomponents:httpclient:4.5.10.
What could be the issue?

JDK: 1.8
Spring Boot: 2.1.7.RELEASE

Regards,
Rajib

@rajibhalder

Hi,

I have fixed it. It was actually not a Spring issue. It was due to a wrong server ticket name being generated because of a mismatched (canonical) hostname on the AWS platform. When I was calling it using the external DNS name, it was working, but when I deployed the client to an AWS instance where the server instance is also running, it was creating the ticket name using the internal DNS name, which is different from the ticket created using the external DNS name. But the server ticket stored in the KDC database was generated using the external DNS name of the server. After stopping the generation of the canonical hostname, the problem is resolved.

Thank you.
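
The mismatch described in the comment above can be checked from the client machine by comparing the service principal name (SPN) built from the hostname as typed with the one built from the canonical hostname. This is an added example, not part of the original comment or of spring-security-kerberos; the class name `SpnCheck`, its methods and the sample hostnames are assumptions made for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Map;
import java.util.function.UnaryOperator;

// Hypothetical diagnostic class (not from the project): shows which SPNs a client could request.
public class SpnCheck {

    // SPN form used for HTTP SPNEGO: HTTP/<host>. Error 7 means the KDC has no such principal.
    static String spnFor(String host) {
        return "HTTP/" + host.toLowerCase();
    }

    // Canonical name as the JVM on this machine resolves it (forward, then reverse lookup).
    static String dnsCanonical(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return host; // unresolvable: fall back to the name as typed
        }
    }

    // Returns null when both names yield the same SPN, otherwise a description of the mismatch.
    static String check(URI service, UnaryOperator<String> canonicalizer) {
        String typed = spnFor(service.getHost());
        String canonical = spnFor(canonicalizer.apply(service.getHost()));
        if (typed.equals(canonical)) {
            return null;
        }
        return "typed=" + typed + " canonical=" + canonical
                + " (both must exist in the KDC, or canonicalization must be off)";
    }

    public static void main(String[] args) {
        String result;
        if (args.length > 0) {
            // Real lookup, using the resolver of the machine the client runs on.
            result = check(URI.create(args[0]), SpnCheck::dnsCanonical);
        } else {
            // Constructed sample: an external name that reverse-resolves to an internal one.
            Map<String, String> fakeDns =
                    Collections.singletonMap("app.example.com", "ip-10-0-0-12.internal.example");
            result = check(URI.create("https://app.example.com/api"),
                    h -> fakeDns.getOrDefault(h, h));
        }
        System.out.println(result == null ? "SPNs match" : result);
    }
}
```

Run it with the service URL as the only argument on the host where the client is deployed; the result can differ between hosts because the reverse lookup depends on the local resolver.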

@akshayin

akshayin commented Oct 13, 2019

@rajibhalder I am facing the same issue. Can you please elaborate on how you stopped generating the canonical hostname on the servers?

@ImMnan

ImMnan commented Apr 18, 2023

This is related to https://bugs.java.com/bugdatabase/view_bug?bug_id=8210821
If you can upgrade Java to version 12 or more, you should be fine.
