Thread: Trying to accomplish SSO from Windows

Trying to accomplish SSO from Windows

From
Bryan Montgomery
Date:
Hello,
I've been looking for some examples on how to connect to a linux postgresql database from a java client running on Windows. The Jaas seems to be getting the credentials from my windows logon, but then the jdbc driver is blowing up with some sun classes looking for a non-existent file.

Hopefully there is some way to resolve this issue!

Thanks - Bryan.
Java code:
        try {
            Class.forName("org.postgresql.Driver");
            String url = "jdbc:postgresql://host.lab2k.net/nrgdb?loglevel=2&kerberosServerName=HTTP&jaasApplicationName=LoginJaas";
            Connection con = DriverManager.getConnection(url);
        } catch (Exception ex) {
            Logger.getLogger(LoginJaas.class.getName()).log(Level.SEVERE, null, ex);
        }

JAAS config:
LoginJaas {
com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true;
};

Output:
16:13:56.374 (1) PostgreSQL 8.4 JDBC4 (build 701)
16:13:56.374 (1) Trying to establish a protocol version 3 connection to poe3b.lab2k.net:5432
16:13:56.405 (1)  FE=> StartupPacket(user=montgomeryb, database=nrgdb, client_encoding=UNICODE, DateStyle=ISO, extra_float_digits=2)
16:13:56.405 (1)  <=BE AuthenticationReqGSS
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is Bryan@LAB2K.NET
Commit Succeeded

org.postgresql.util.PSQLException: GSS Authentication failed
        at org.postgresql.gss.GssAction.run(MakeGSS.java:152)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:337)
        at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:48)
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:378)
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:108)
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
        at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:125)
        at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
        at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
        at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
        at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
        at org.postgresql.Driver.makeConnection(Driver.java:393)
        at org.postgresql.Driver.connect(Driver.java:267)
        at java.sql.DriverManager.getConnection(DriverManager.java:582)
        at java.sql.DriverManager.getConnection(DriverManager.java:207)
        at javaapplication1.LoginJaas.main(LoginJaas.java:62)
SQLException: SQLState(08006)
Jul 8, 2010 4:13:56 PM javaapplication1.LoginJaas main
SEVERE: null
org.postgresql.util.PSQLException: GSS Authentication failed
        at org.postgresql.gss.GssAction.run(MakeGSS.java:152)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:337)
        at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:48)
        at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:378)
        at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:108)
        at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:66)
        at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:125)
        at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:30)
        at org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:22)
        at org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:30)
        at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
        at org.postgresql.Driver.makeConnection(Driver.java:393)
        at org.postgresql.Driver.connect(Driver.java:267)
        at java.sql.DriverManager.getConnection(DriverManager.java:582)
        at java.sql.DriverManager.getConnection(DriverManager.java:207)
        at javaapplication1.LoginJaas.main(LoginJaas.java:62)
Caused by: GSSException: Invalid name provided (Mechanism level: Could not load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file specified))
        at sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:110)
        at sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:80)
        at sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:188)
        at sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:428)
        at sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:157)
        at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:127)
        at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:111)
        at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:113)
        at org.postgresql.gss.GssAction.run(MakeGSS.java:93)
        ... 16 more
getConnection failed: org.postgresql.util.PSQLException: GSS Authentication failed

Re: Trying to accomplish SSO from Windows

From
Kris Jurka
Date:

On Thu, 8 Jul 2010, Bryan Montgomery wrote:

> Hello,
> I've been looking for some examples on how to connect to a linux postgresql
> database from a java client running on Windows. The Jaas seems to be getting
> the credentials from my windows logon, but then the jdbc driver is blowing
> up with some sun classes looking for a non-existent file.
>
> Caused by: GSSException: Invalid name provided (Mechanism level: Could not
> load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file
> specified))
>

It appears you need to create that file or manually specify the realm and
KDC as system properties.

http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html

Kris Jurka


Re: Trying to accomplish SSO from Windows

From
Bryan Montgomery
Date:
Thanks Kris,
That got me a step further - I have a new direction to look at next week. I added the system properties and ended up with:

Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:130)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)

However, earlier in the output, it has:
16:17:55.852 (1)  <=BE AuthenticationReqGSS
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is MontgomeryB@LAB2K.NET
Commit Succeeded

So it looks like it's getting credentials here .....

I did set the windows registry setting below that I found mentioned elsewhere.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Any other tips for Monday will be appreciated :)

Thanks - Bryan.

On Fri, Jul 9, 2010 at 3:19 PM, Kris Jurka <books@ejurka.com> wrote:

> On Thu, 8 Jul 2010, Bryan Montgomery wrote:
>
> > Hello,
> > I've been looking for some examples on how to connect to a linux postgresql
> > database from a java client running on Windows. The Jaas seems to be getting
> > the credentials from my windows logon, but then the jdbc driver is blowing
> > up with some sun classes looking for a non-existent file.
> >
> > Caused by: GSSException: Invalid name provided (Mechanism level: Could not
> > load configuration file C:\WINDOWS\krb5.ini (The system cannot find the file
> > specified))
>
> It appears you need to create that file or manually specify the realm and KDC as system properties.
>
> http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/security/jgss/tutorials/KerberosReq.html
>
> Kris Jurka


Re: Trying to accomplish SSO from Windows

From
Kris Jurka
Date:

On Fri, 9 Jul 2010, Bryan Montgomery wrote:

> That got me a step further - I have a new direction to look at next week. I
> added the system properties and ended up with:
>
> Caused by: GSSException: No valid credentials provided (Mechanism level:
> Failed to find any Kerberos tgt)

I don't know anything about that error message, but a quick look at Java's
GSS troubleshooting guide has a potential solution for that exception.

http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Kris Jurka

Trying to accomplish SSO from Windows

From
Bryan Montgomery
Date:
On Fri, Jul 9, 2010 at 7:30 PM, Kris Jurka <books@ejurka.com> wrote:

> On Fri, 9 Jul 2010, Bryan Montgomery wrote:
>
> > That got me a step further - I have a new direction to look at next week. I
> > added the system properties and ended up with:
> >
> > Caused by: GSSException: No valid credentials provided (Mechanism level:
> > Failed to find any Kerberos tgt)
>
> I don't know anything about that error message, but a quick look at Java's GSS troubleshooting guide has a potential solution for that exception.
>
> http://download.oracle.com/docs/cd/E17476_01/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>
> Kris Jurka

Hello,
From some help here and on the sun forums, I've made some progress in my mission! I can log in to the database through psql if I have PGKRBSRVNAME=HTTP, however I'm stuck when using JDBC. I originally was just using montgomeryb as my user name but got an exception with that and by trying other code found that when I didn't supply a user id, it defaulted to the user@domain value.

Hopefully someone can help with this latest problem. I've copied the code I execute below and the response I get:

Properties p = new Properties();
p.put("user","MontgomeryB@LAB2K.NET");
p.put("kerberosServerName","HTTP");
Connection conn = DriverManager.getConnection("jdbc:postgresql://poe3b.lab2k.net/"
         + "nrgdb?loglevel=2&jaasApplicationName=LoginJaas", p);

>>>KRBError:
         sTime is Thu Jul 22 08:38:18 EDT 2010 1279802298000
         suSec is 112913
         error code is 7
         error Message is Server not found in Kerberos database
         realm is LAB2K.NET
         sname is HTTP/172.16.118.89
         msgType is 30

org.postgresql.util.PSQLException: GSS Authentication failed
        at org.postgresql.gss.GssAction.run(MakeGSS.java:152)


The one thing that seems strange to me is that the server name is being replaced by the ip address. I tried changing the host name to HTTP/poe3b.lab2k.net but then the error had
 
sname is HTTP/172.16.118.89/poe3b.lab2k.net

I did find another posting that talked about the setup in Active Directory with the user logon name and first name. I was given a screen shot that shows the user logon name as HTTP/poe3b.lab2k.net @lab2k.net and the User logonname(pre-windows 2000) as poe3b.

Thanks - Bryan.
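
Two points in this thread can be checked without a database connection: the suggestion to specify the realm and KDC as system properties instead of creating krb5.ini, and the sname the KDC rejected in the last message. The following is an added example, not code from the thread or from the PostgreSQL JDBC driver; the class name SpnCheck and the KDC host kdc.example.invalid are placeholders, and the idea that the reverse lookup of the host is worth comparing against the sname is an assumption the thread does not confirm.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Added example; SpnCheck is a hypothetical class name, not code from the thread.
public class SpnCheck {

    // Builds a host-based service name (service@host) for the Kerberos
    // mechanism and returns the principal Java derives from it.
    static String servicePrincipal(String service, String host) throws Exception {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSName name = GSSManager.getInstance().createName(
                service + "@" + host, GSSName.NT_HOSTBASED_SERVICE, krb5);
        return name.toString();
    }

    // Forward- then reverse-resolves the host. Java returns the textual IP
    // address here when no reverse name can be found.
    static String canonicalHost(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (UnknownHostException e) {
            return "(unresolvable: " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "poe3b.lab2k.net";    // host from the thread
        String kdc = args.length > 1 ? args[1] : "kdc.example.invalid"; // placeholder KDC

        // Stand-in for krb5.ini: realm and KDC have to be set together.
        System.setProperty("java.security.krb5.realm", "LAB2K.NET");
        System.setProperty("java.security.krb5.kdc", kdc);

        System.out.println("canonical host : " + canonicalHost(host));
        System.out.println("service name   : " + servicePrincipal("HTTP", host));
    }
}
```

Compare the printed service name with the sname in the KRBError output and with the service principal registered for the server in Active Directory.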