spring-projects / spring-security-kerberos

Spring Security Kerberos

Home Page: https://spring.io/projects/spring-security-kerberos

"Server not found in Kerberos database" with httpclient 4.3.3

micheljung opened this issue

The current version 1.0.1.RELEASE uses org.apache.httpcomponents:httpclient:4.3.3. With it, calling restTemplate.getForObject() results in:

KrbException: Server not found in Kerberos database (7)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)
	at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:251)
	at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:262)
	at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
	at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
	at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
	at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
	at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
	at org.apache.http.impl.auth.GGSSchemeBase.generateGSSToken(GGSSchemeBase.java:104)
	at org.apache.http.impl.auth.SPNegoScheme.generateToken(SPNegoScheme.java:84)
	at org.apache.http.impl.auth.GGSSchemeBase.authenticate(GGSSchemeBase.java:161)
	at org.apache.http.impl.auth.SPNegoScheme.authenticate(SPNegoScheme.java:79)
	at org.apache.http.impl.auth.HttpAuthenticator.doAuth(HttpAuthenticator.java:239)
	at org.apache.http.impl.auth.HttpAuthenticator.generateAuthResponse(HttpAuthenticator.java:202)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:245)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91)
	at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
	at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:569)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecuteSubject(KerberosRestTemplate.java:202)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.access$100(KerberosRestTemplate.java:67)
	at org.springframework.security.kerberos.client.KerberosRestTemplate$1.run(KerberosRestTemplate.java:191)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:360)
	at org.springframework.security.kerberos.client.KerberosRestTemplate.doExecute(KerberosRestTemplate.java:187)
	at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
	at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
	at com.example.KerberosPrototype.main(KerberosPrototype.java:47)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
	at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
	at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
	at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
	... 37 more
Feb 27, 2019 2:03:07 PM org.apache.http.impl.auth.HttpAuthenticator generateAuthResponse
WARNUNG: NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7)))

However, starting with org.apache.httpcomponents:httpclient:4.4 this error is no longer thrown.
As far as I can tell, this has been fixed with https://issues.apache.org/jira/browse/HTTPCLIENT-1541

I am facing the same issue: "KrbException: Server not found in Kerberos database (7) - Server not found in Kerberos database"

Though I am using org.apache.httpcomponents:httpclient:4.5.10.
What could be the issue?

JDK: 1.8
Spring Boot: 2.1.7.RELEASE

Regards,
Rajib

Hi,

I have fixed it. It was actually not a Spring issue. It was due to a wrong server ticket name being generated because of a mismatched (canonical) hostname on the AWS platform. When I was calling it using the external DNS name, it was working, but when I deployed the client to an AWS instance where the server instance was also running, it was creating the ticket name using the internal DNS name, which is different from the ticket created using the external DNS name. But the server ticket stored in the KDC database was generated using the external DNS name of the server. After stopping generating the canonical hostname, the problem is resolved.

Thank you.
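
The mismatch described in the comment above, as an added example (not code from this thread or from Spring Security Kerberos): it derives the HTTP service principal from the host name as typed and from its canonical name, then compares both with the principals registered in the KDC. The host names, realm and reverse-DNS table are constructed sample data, and `SpnCheck` and its methods are hypothetical names.

```java
import java.net.InetAddress;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.UnaryOperator;

public class SpnCheck {
    // Service principal a SPNEGO client requests for an HTTP service on this host.
    static String spn(String host, String realm) {
        return "HTTP/" + host.toLowerCase(Locale.ROOT) + "@" + realm;
    }

    // Live canonicalization: forward lookup, then reverse lookup of the address.
    static String dnsCanonical(String host) {
        try {
            return InetAddress.getByName(host).getCanonicalHostName();
        } catch (Exception e) {
            return host; // unresolvable: keep the name as typed
        }
    }

    // Compares the typed and the canonicalized principal with the KDC's entries.
    static String diagnose(String host, String realm,
                           UnaryOperator<String> canon, Set<String> registered) {
        String typed = spn(host, realm);
        String canonical = spn(canon.apply(host), realm);
        if (registered.contains(canonical)) return "OK: " + canonical;
        if (registered.contains(typed))
            return "MISMATCH: KDC has " + typed + ", client requests " + canonical;
        return "MISSING: neither " + typed + " nor " + canonical + " is registered";
    }

    public static void main(String[] args) {
        if (args.length == 3) { // host realm registered-principal, resolved via live DNS
            System.out.println(diagnose(args[0], args[1], SpnCheck::dnsCanonical,
                    Collections.singleton(args[2])));
            return;
        }
        // Constructed sample: the KDC only knows the external DNS name.
        Set<String> kdc = Collections.singleton("HTTP/api.example.com@EXAMPLE.COM");
        Map<String, String> internalDns = Collections.singletonMap(
                "api.example.com", "ip-10-0-0-12.internal.example");
        // Client outside the cloud network: the name canonicalizes to itself.
        System.out.println(diagnose("api.example.com", "EXAMPLE.COM", h -> h, kdc));
        // Client next to the server: reverse DNS returns the internal name.
        System.out.println(diagnose("api.example.com", "EXAMPLE.COM",
                h -> internalDns.getOrDefault(h, h), kdc));
    }
}
```

Run with three arguments (host, realm, registered principal) on the client machine to see which principal live DNS canonicalization would produce there.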

@rajibhalder I am facing the same issue. Can you please elaborate on how you stopped generating the canonical hostname in the servers?

This is related to https://bugs.java.com/bugdatabase/view_bug?bug_id=8210821
If you can upgrade Java to version 12 or more, you should be fine.