javax.naming.AuthenticationException in GSSAPI

Question

I'm trying to perform NTLM bind using JAVA GSSAPI.

I'm receiving this error:

javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Invalid option setting in ticket request. (101))]]

I think (not sure) it worked in the past. To solve other problem, I tried "kinit". From that point is stopped working. I even deleted the cache file (couldn't find kclear in windows) and, still, I have this issue.

How can I solve it?

Answer 1

Ok, solved it.

I had

proxiable = true

in my krb5 file.

Removed it and it works!

Answer 2

May it helps you from Troubleshooting:

Cause: Kerberos requires the time on the KDC and on the client to be loosely synchronized. (The default is within 5 minutes.) If that's not the case, you will get this error.

Solution: Synchronize the clocks (or have a system administrator do so).

Or

Cause: This may occur if no valid Kerberos credentials are obtained. In particular, this occurs if you want the underlying mechanism to obtain credentials but you forgot to indicate this by setting the javax.security.auth.useSubjectCredsOnly system property value to false (for example via -Djavax.security.auth.useSubjectCredsOnly=false in your execution command).

Solution: Be sure to set the javax.security.auth.useSubjectCredsOnly system property value to false if you want the underlying mechanism to obtain credentials, rather than your application or a wrapper program (such as the Login utility used by some of the tutorials) performing authentication using JAAS.

Answer 3

I had the same problem (exactly the same Java error stack) for Kerberos tickets that were not created as Forwardable.

A Kerbros ticket renewal/monitor process was written in Perl and used Authen::Krb5::Easy Perl module and that is ignoring /etc/krb5.conf "forwardable = true" setting.