GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

Million thanks to all who have responded and take a look to my question.

After adding some System Properties and a new conf file, Finally I am able to get connected with MongoDB server. Herewith the updated code -

try {        System.setProperty("java.security.krb5.conf","C:/mongodb/UnixKeytab/krb5.conf");        System.setProperty("java.security.krb5.realm","EXAMPLE.COM");        System.setProperty("java.security.krb5.kdc","example.com");        System.setProperty("javax.security.auth.useSubjectCredsOnly","false");        System.setProperty("java.security.auth.login.config","C:/mongodb/UnixKeytab/gss-jaas.conf");        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();        ServerAddress address = new ServerAddress(host, port);        serverAddresses.add(address);        List<MongoCredential> credentials = new ArrayList<MongoCredential>();        MongoCredential credential = MongoCredential.createGSSAPICredential(username);        credentials.add(credential);        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);        DB db = mongoClient1.getDB(database);    } catch (UnknownHostException e) {        e.printStackTrace();    }

My krb5.conf file look like below -

[libdefaults]     default_realm = EXAMPLE.COM     default_tkt_enctypes = des-cbc-md5 rc4-hmac     default_tgs_enctypes = des-cbc-md5 rc4-hmac     default_keytab_name = <keytab file path>[realms]EXAMPLE.COM = {    kdc = example.com    master_kdc = example.com    default_domain = EXAMPLE.COM}INTRANET = {    kdc = example.com    master_kdc = example.com    default_domain = example.com}

My gss-jaas.conf look like below -

com.sun.security.jgss.initiate {com.sun.security.auth.module.Krb5LoginModule requireduseKeyTab=trueuseTicketCache=falseprincipal="my-account@MY_REALM"doNotPrompt=truekeyTab="path-to-my-keytab-file"debug=true;};

Code I have posted is working for me. Hope this will work for others.

Adding some information to this post as its extremely useful already.

If the Sasl/createSaslClient is not run within the Subject:doAs methodthat is retrieved from the LoginContext, the credentials will not be picked up from the krb5.conf file. I.e the GSS code looks at the current thread's security manager for the Subject which is registered via the Subject:doAs method, and then uses the credentials from this subject. This Subject should've been obtained via jaas which in turn would read the correct jaas and krb5.conf credentials, but if you do not run the sasl and saslclient methods inside the Subject:doAs method all this doesn't matter.

You can get around it by setting javax.security.auth.useSubjectCredsOnly=false which means if no credentials can be found, some default names in the jaas file will be searched for see LoginConfigImpl.java#92, one is com.sun.security.jgss.initiate.

e.g

com.sun.security.jgss.initiate{   com.sun.security.auth.module.Krb5LoginModule required   doNotPrompt=true   useTicketCache=true   useKeyTab=true   keyTab="mykeytab"   principal="service/host@REALM"; };

I faced the same error "Mechanism level: Failed to find any Kerberos tgt". My problem looks different from yours, but it could be useful to other ones with the same error.

In my case it was caused by an error in writing the principal name in one of my configuration files.

I suggest to check the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for principals. Typical error is the domain name in lowercase: gino@authdemo.it instead of gino@AUTHDEMO.IT

In the case you set/refer to the principal programmatically, you can also check the principal name correctness in your code.Regards