Skip to main content

Frequently Asked Questions

Does spnego run on JDK1.4 of JDK1.5?

No. It requires JDK 6 or higher. Spnego makes use of some JGSS improvements which are in Java 6.

Is spnego available for Application Servers other than Glassfish?

Any JEE application server which supports JMAC should work. At the moment the only one is Glassfish V2, which is the one tested and documented.

There are no Glassfish specific classes used in the implementation so it should work elsewhere.

I am having trouble configuring Kerberos. Is there a Kerberos FAQ?

Yes. See http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html which we found helpful.

I am seeing an Exception in the Glassfish log, and SPNEGO is not working. What do I do?

A list of the most common exceptions, there causes and solutions are provided in the JGSS Java documentation.

See here for the Java 5 version.

Some specific Exceptions possible in the logs and their cause are:

GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

Unfortunately this exception can be caused by a number of problems:

  • the com.sun.security.jgss.accept entry in login.conf cannot find the keyTAb

    Solution: Add the following to it: keyTab="/etc/krb5.keytab"

  • the keytab does not contain an entry for the service principal. The com.sun.security.jgss.accept entry in login.conf entry specifies "principal="HTTP/developer249.office.lan". The format is name of service / name of host. By convention web servers use HTTP for the service.

    A corresponding service principal must exist in the KDC and in the keytab of the Glassfish server.

GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Restart. kdestroy to remove local tickets. Restart Glassfish.

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Key)

storeKey=true should be set in the com.sun.security.jgss.accept LoginModule


 
 
Close
loading
Please Confirm
Close