
KerberosTicket throws exception when authtime field in KrbCredInfo is null

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P1
    • Resolution: Fixed
    • Affects Version/s: 5.0
    • Fix Version/s: 6
    • Component/s: security-libs
    • Resolved In Build:
      b85
    • CPU:
      x86
    • OS:
      windows_2000

        Description

        When an SSPI client talks to a Java GSS-API server, if delegation is enabled, acceptSecContext will raise an exception "java.lang.IllegalArgumentException: Authentication time of ticket cannot be null".

        The cause of the problem is that the authtime of the forwarded ticket generated by the Windows KDC is null and Sun's Kerberos implementation doesn't allow this.

        According to RFC4120 (http://www.ietf.org/rfc/rfc4120.txt?number=4120), for the KRB_CRED message (which is the message used to forward credentials), the authtime is really optional:
           KrbCredInfo ::= SEQUENCE {
                   key [0] EncryptionKey,
                   prealm [1] Realm OPTIONAL,
                   pname [2] PrincipalName OPTIONAL,
                   flags [3] TicketFlags OPTIONAL,
                   authtime [4] KerberosTime OPTIONAL,
                   starttime [5] KerberosTime OPTIONAL,
                   endtime [6] KerberosTime OPTIONAL,
                   renew-till [7] KerberosTime OPTIONAL,
                   srealm [8] Realm OPTIONAL,
                   sname [9] PrincipalName OPTIONAL,
                   caddr [10] HostAddresses OPTIONAL
           }

        Other Kerberos implementations, such as MSFT, IBM, and MIT, all accept the null authtime in the forwarded ticket.

        Some other people on the web also encountered the same problem: http://archives.java.sun.com/cgi-bin/wa?A2=ind0210&L=java-security&P=R655&I=-3. Note that RFC1510 mentioned in the above link has been obsoleted by RFC4120.
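
The OPTIONAL handling described in the report, as an added example that is not part of the original report or of the JDK sources: a minimal Python DER reader for the KrbCredInfo structure quoted above that leaves an absent authtime as None instead of rejecting the credential. The function names and the sample bytes are constructed for illustration, and the sample encoder only produces short-form lengths.

```python
# Added example: tolerant DER reader for KrbCredInfo (RFC 4120).
# All names and the sample bytes below are constructed for illustration.
from datetime import datetime, timezone

FIELDS = {0: "key", 1: "prealm", 2: "pname", 3: "flags", 4: "authtime",
          5: "starttime", 6: "endtime", 7: "renew-till", 8: "srealm",
          9: "sname", 10: "caddr"}
TIME_TAGS = {4, 5, 6, 7}                      # fields typed KerberosTime

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_krb_cred_info(der):
    """Map field name to value; a field absent from the encoding stays None."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("KrbCredInfo must be a SEQUENCE")
    info = dict.fromkeys(FIELDS.values())     # every field starts as None
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        num = tag & 0x1F
        if tag & 0xE0 != 0xA0 or num not in FIELDS:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        if num in TIME_TAGS:                  # [n] wraps a GeneralizedTime
            text = read_tlv(value, 0)[1].decode("ascii")
            value = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        info[FIELDS[num]] = value
    if info["key"] is None:                   # key [0] is the only mandatory field
        raise ValueError("KrbCredInfo without key")
    return info

def tlv(tag, value):
    """Encode one short-form DER TLV (sample values here are under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample(with_authtime):
    """Constructed KrbCredInfo: key and endtime, authtime only on request."""
    key = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x11")) + tlv(0xA1, tlv(0x04, bytes(16)))))
    auth = tlv(0xA4, tlv(0x18, b"20060418120000Z")) if with_authtime else b""
    return tlv(0x30, key + auth + tlv(0xA6, tlv(0x18, b"20060418220000Z")))
```

Code that consumes the parsed result has to check authtime for None before using it, since a forwarded credential may legitimately omit it.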


                People

                Assignee:
                smalkanisunw Seema Malkani (Inactive)
                Reporter:
                duke J. Duke (Inactive)