• Post Reply Bookmark Topic Watch Topic
  • New Topic

spnego ticket too big ?  RSS feed

 
jos de jong
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

We are working with a ibm jdk (7), oracle oam server and windows clients that enter the application through kerberos authentication.
Some users are working fine. These belong to several groups. The problem arises with users that are member of a large number of groups.
Yes, I know, there are limitations on the headers of apache/webtier. But this issue is not the cause. We have set the limits on apache wide enough to let the headers pass through. In fact, I can see the header with the negotiate key, entering the weblogic server (oam server).

At that point I can see the following error:

<Dec 8, 2015 2:07:27 PM CET> <Error> <oracle.oam.engine.authn> <BEA-000000> <org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Length of input stream read does not match size of the inner context token
org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Length of input stream read does not match size of the inner context token
at com.ibm.security.jgss.mech.spnego.SPNEGOContext.acceptSecContext(SPNEGOContext.java:1)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:268)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:178)
at oracle.security.am.engine.authn.internal.executor.SPNEGOLoginModule$1.run(SPNEGOLoginModule.java:158)

...


I have decompiled the com.ibm.security.jgss package from the ibm jdk, but cannot find the specific code the throws this error. That is, I can see the method that thows the error, but cannot find which line throws the error.
However, I do think that it has something to do with the length of the header (including the spnego ticket).

This is the method that throws the error:





Any ideas ?

Thanks and regards, Jos


 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!