  1. JBoss Enterprise Application Platform 4 and 5
  2. JBPAPP-10974

Intermittent KrbException: Request is a replay (34) failures in NegotiationTestCase

      Description

      We are seeing intermittent Request is a replay (34) failures in NegotiationTestCase.

      The failures happen while sending the second TGS-REQ ticket from the client to the Kerberos KDC server.

      The cause seems to be a limitation of the ApacheDS Kerberos server used in the test case. ApacheDS employs a simple replay detection mechanism based on an in-memory ticket cache service. The cache stores the client and server credentials and the ticket timestamp. Specifically, the cache does not store the ticket content.

      During GSS SecContext establishment, there are 2 TGS-REQ tickets sent from the client (sun.security.jgss.krb5.GSSContextSpi): the first to acquire the service credentials ticket and the second to get the SecContext ticket. The second ticket is sent immediately after the first one. If the second (valid) ticket is sent with the same timestamp as the first one, ApacheDS treats the second one as a false positive and throws a Request is a replay Kerberos exception.
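
The following is an added example, not part of the original report and not ApacheDS code: a simplified model of a replay cache keyed only on client, server and timestamp, as described above, run next to a variant that also keys on a digest of the request. The class, the principal names, the timestamp value and the digest-based variant are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

// Simplified model of the behaviour described in this issue; hypothetical names throughout.
public class ReplayCacheModel {
    private final Set<String> seen = new HashSet<>();
    private final boolean includeContent;

    ReplayCacheModel(boolean includeContent) {
        this.includeContent = includeContent;
    }

    /** Returns true when the request is classified as a replay. */
    boolean isReplay(String client, String server, long timestamp, byte[] request) throws Exception {
        // Key described in the report: client, server and timestamp only.
        String key = client + "|" + server + "|" + timestamp;
        if (includeContent) {
            // Assumed variant: also bind the cache entry to the request bytes.
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(request);
            key = key + "|" + Base64.getEncoder().encodeToString(digest);
        }
        return !seen.add(key); // add() returns false when the key is already cached
    }

    public static void main(String[] args) throws Exception {
        String client = "testuser@EXAMPLE.COM";       // constructed principal
        String server = "HTTP/localhost@EXAMPLE.COM"; // constructed principal
        long ts = 1_000_000L;                         // constructed: both requests share it
        byte[] first = "TGS-REQ 1 (service credentials)".getBytes(StandardCharsets.UTF_8);
        byte[] second = "TGS-REQ 2 (security context)".getBytes(StandardCharsets.UTF_8);

        for (boolean withContent : new boolean[] {false, true}) {
            ReplayCacheModel cache = new ReplayCacheModel(withContent);
            System.out.println("request content in cache key: " + withContent);
            System.out.println("  first request   replay? " + cache.isReplay(client, server, ts, first));
            System.out.println("  second request  replay? " + cache.isReplay(client, server, ts, second));
            System.out.println("  first re-sent   replay? " + cache.isReplay(client, server, ts, first));
        }
    }
}
```

With the content-free key, the distinct second request collides with the first and is rejected; with the digest in the key it is accepted, while a byte-identical resend is still rejected.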


                People

                • Assignee:
                  dpospisil Dominik Pospisil
                  Reporter:
                  dpospisil Dominik Pospisil