Monday, January 29, 2018

LDAP GSSContext null srcName with Spring Security


We are trying to implement Windows authentication using Spring Security.

When we saw that we could not authenticate our domain user with the keytab file created for our local PC, we checked our service user and saw that its password is valid. Then we checked whether we could reach the AD domain from our local machine. No request reached it from our local machine, as we verified with a network monitoring tool on the AD domain server machine. We also checked the outgoing traffic from our client with the command below;

netstat -oan 1 | find /I "[IP_ADDRESS_OF_AD_DOMAIN]" 

We could reach that IP from our local machine, as tested with telnet.

Our application.properties is as below;

    app.ad-domain= example.com
    app.ad-server= ldap://adds.example.com.tr/
    app.service-principal= HTTP/local_pc.example.com.tr@EXAMPLE.COM.TR
    app.keytab-location= local_pc.keytab
    app.ldap-search-base= OU=All Users,DC=example,DC=com
    app.ldap-search-filter= "(| (userPrincipalName={0}) (sAMAccountName={0}))"

As a result we cannot get the srcName of the GSSContext. The gssName variable equals null. The related SunJaasKerberosTicketValidator code block is as below;

    @Override
    public KerberosTicketValidation run() throws Exception {
        byte[] responseToken = new byte[0];
        GSSName gssName = null;
        // Acceptor-side context: the service credentials come from the JAAS
        // keytab login, so no explicit GSSCredential is passed here
        GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
        boolean first = true;
        while (!context.isEstablished()) {
            if (first) {
                kerberosTicket = tweakJdkRegression(kerberosTicket);
            }
            responseToken = context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
            // The initiator's name is only available once the AP-REQ was decrypted
            // with a matching keytab key
            gssName = context.getSrcName();
            if (gssName == null) {
                throw new BadCredentialsException("GSSContext name of the context initiator is null");
            }
            first = false;
        }
        if (!holdOnToGSSContext) {
            context.dispose();
        }
        return new KerberosTicketValidation(gssName.toString(), servicePrincipal, responseToken, context);
    }

When we searched for this "GSSContext with null SrcName" error, the suggested solutions were in general related to the keytab file. But in our case we cannot even reach the AD server, as we mentioned at the beginning.

Related link: GSSContext with null SrcName

Is there any other suggestion?

Thanks...

0 Answers
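Two points worth checking before ruling out the keytab, as an added note and example that are not part of the original post. First, validating an incoming SPNEGO ticket with a keytab is a local operation: acceptSecContext decrypts the AP-REQ with the service key from the keytab and does not contact the KDC or the LDAP server, so seeing no traffic from the application to the AD host during validation is expected (the KDC, on port 88, is contacted by the browser to obtain the service ticket, and the ldap:// server only later, for the user lookup). Second, a null srcName with the code above means the ticket could not be decrypted, which almost always comes down to the keytab entry not matching the ticket: wrong principal string, wrong realm case, stale kvno after a password reset, or an enctype the ticket was not issued with. The script below is an added example, not code from the post or from Spring Security Kerberos; it parses the MIT keytab format (the 05 02 header written by ktpass and ktutil) and compares each entry against app.service-principal. The keytab bytes are constructed in memory for illustration, and the kvno, enctype numbers (18 = aes256-cts, 23 = rc4-hmac) and all-zero key bytes are assumptions.

```python
"""Offline keytab check against app.service-principal (added example).

Parses MIT keytab v2 files and reports whether the configured SPN is
present. The sample keytabs are built in memory; their kvno, enctypes and
key bytes are illustrative assumptions, not values from the post.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
NT_PRINCIPAL = 1             # name_type for "service/host@REALM"


def _counted_string(data, pos):
    """Read a uint16-length-prefixed string; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as keytab v2 bytes (sample input only)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray(struct.pack(">H", len(components)))
        body += struct.pack(">H", len(realm)) + realm.encode("utf-8")
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode("utf-8")
        body += struct.pack(">II", NT_PRINCIPAL, 0)    # name_type, timestamp
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body     # entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, key} dicts from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 05 02 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            components.append(comp)
        pos += 8                          # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = bytes(data[pos:pos + klen])
        pos += klen
        if end - pos >= 4:                # 32-bit vno present; it wins if non-zero
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_service_principal(keytab_bytes, configured_spn):
    """Classify the keytab as ok / case-mismatch / missing for the configured SPN.

    Principal comparison is case-sensitive: a realm typed in lower case at
    ktpass time never matches the upper-case realm in the AP-REQ, so the
    acceptor cannot decrypt the ticket and srcName stays null."""
    entries = parse_keytab(keytab_bytes)
    exact = [e for e in entries if e["principal"] == configured_spn]
    if exact:
        return "ok", exact
    near = [e for e in entries if e["principal"].lower() == configured_spn.lower()]
    if near:
        return "case-mismatch", near
    return "missing", entries


# Constructed samples (assumptions): the post's SPN with aes256 and rc4-hmac
# keys, and a keytab whose realm was typed in lower case.
CONFIGURED_SPN = "HTTP/local_pc.example.com.tr@EXAMPLE.COM.TR"
GOOD_KEYTAB = build_keytab([(CONFIGURED_SPN, 3, 18, bytes(32)),
                            (CONFIGURED_SPN, 3, 23, bytes(16))])
LOWERCASE_REALM_KEYTAB = build_keytab(
    [("HTTP/local_pc.example.com.tr@example.com.tr", 3, 23, bytes(16))])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['principal']}  kvno={e['kvno']}  enctype={e['enctype']}")
    print(check_service_principal(data, CONFIGURED_SPN)[0])
```

Run it against the real local_pc.keytab (python keytab_check.py local_pc.keytab) and compare the printed kvno with the msDS-KeyVersionNumber of the service account in AD; if the account password was reset after ktpass ran, the kvno in the keytab is stale and the ticket will not decrypt even though the principal string matches.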

