GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
A million thanks to all who responded and took a look at my question.
After adding some system properties and a new conf file, I am finally able to connect to the MongoDB server. Here is the updated code:
    try {
        // Kerberos settings: krb5.conf location, realm and KDC
        System.setProperty("java.security.krb5.conf", "C:/mongodb/UnixKeytab/krb5.conf");
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "example.com");
        // Let GSS fall back to the JAAS login entry when no Subject is bound to the thread
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("java.security.auth.login.config", "C:/mongodb/UnixKeytab/gss-jaas.conf");

        // host, port, username and database are defined elsewhere
        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
        ServerAddress address = new ServerAddress(host, port);
        serverAddresses.add(address);

        List<MongoCredential> credentials = new ArrayList<MongoCredential>();
        MongoCredential credential = MongoCredential.createGSSAPICredential(username);
        credentials.add(credential);

        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
        DB db = mongoClient1.getDB(database);
    } catch (UnknownHostException e) {
        e.printStackTrace();
    }
My krb5.conf file looks like this:
    [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 rc4-hmac
        default_keytab_name = <keytab file path>

    [realms]
        EXAMPLE.COM = {
            kdc = example.com
            master_kdc = example.com
            default_domain = EXAMPLE.COM
        }
        INTRANET = {
            kdc = example.com
            master_kdc = example.com
            default_domain = example.com
        }
My gss-jaas.conf looks like this:
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        principal="my-account@MY_REALM"
        doNotPrompt=true
        keyTab="path-to-my-keytab-file"
        debug=true;
    };
Code I have posted is working for me. Hope this will work for others.
Adding some information to this post, as it's extremely useful already.
If the Sasl/createSaslClient is not run within the Subject:doAs method that is retrieved from the LoginContext, the credentials will not be picked up from the krb5.conf file. I.e. the GSS code looks at the current thread's security manager for the Subject which is registered via the Subject:doAs method, and then uses the credentials from this subject. This Subject should've been obtained via jaas, which in turn would read the correct jaas and krb5.conf credentials, but if you do not run the sasl and saslclient methods inside the Subject:doAs method, all this doesn't matter.
You can get around it by setting javax.security.auth.useSubjectCredsOnly=false, which means if no credentials can be found, some default names in the jaas file will be searched for (see LoginConfigImpl.java#92); one is com.sun.security.jgss.initiate.
e.g.
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=true
        useKeyTab=true
        keyTab="mykeytab"
        principal="service/host@REALM";
    };
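The approach the answer above describes (log in through a LoginContext, then create the SASL client inside Subject.doAs), as an added example that is not part of any answer on this page. The SASL service name `mongodb` and the host `db.example.com` are placeholder assumptions, and the JVM is assumed to be started with java.security.auth.login.config and java.security.krb5.conf set.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;

public class ExplicitSubjectLogin {
    // Assumptions (placeholders, not from the page): SASL service name and server host.
    static final String SERVICE = "mongodb";
    static final String SERVER_HOST = "db.example.com";

    public static void main(String[] args) throws Exception {
        // The JAAS entry name is the one used on this page; with an explicit
        // LoginContext any entry name in the JAAS file would work.
        LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
        try {
            lc.login(); // a wrong principal or keytab fails here, before any GSS call
        } catch (LoginException e) {
            System.err.println("JAAS login failed (check principal, realm case, keytab): "
                    + e.getMessage());
            return;
        }
        Subject subject = lc.getSubject();
        try {
            // The SASL/GSS code finds the TGT through the Subject bound by doAs,
            // so useSubjectCredsOnly can stay at its default of true.
            // On Java 18+ Subject.callAs is the non-deprecated equivalent.
            byte[] firstToken = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
                SaslClient client = Sasl.createSaslClient(new String[] {"GSSAPI"}, null,
                        SERVICE, SERVER_HOST, Collections.<String, Object>emptyMap(), null);
                try {
                    return client.evaluateChallenge(new byte[0]); // requests the service ticket
                } finally {
                    client.dispose();
                }
            });
            System.out.println("Initial GSSAPI token: " + firstToken.length + " bytes");
        } finally {
            lc.logout(); // remove the Kerberos credentials from the Subject
        }
    }
}
```

Run this way, a bad principal or keytab surfaces as a LoginException at login() rather than as "Failed to find any Kerberos tgt" later in the GSS layer.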
I faced the same error, "Mechanism level: Failed to find any Kerberos tgt". My problem looks different from yours, but it could be useful to others with the same error.
In my case it was caused by an error in writing the principal name in one of my configuration files.
I suggest checking the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for principals. A typical error is the domain name in lowercase: gino@authdemo.it instead of gino@AUTHDEMO.IT
If you set/refer to the principal programmatically, you can also check the principal name correctness in your code.
Regards