
"The token supplied to the function is invalid" when validating SPNEGO response token with enctype AES #945

Open
FlyingSheepOnSailfish opened this issue May 25, 2020 · 1 comment

Comments

@FlyingSheepOnSailfish

We have used Waffle to implement a Java SPNEGO SSO Client using SSPI to login to a Java GSSAPI application server running on Windows Server.

Everything works fine if RC4 is used as the encryption type: The server authenticates the client, and the client successfully validates the SPNEGO response token from the server.

However, as soon as we enable AES128 / 256, the GSSAPI app server successfully authenticates the client (OK), but the client cannot validate the SPNEGO response token from the server (NOT OK):

    2020.05.25 15:04:57.167 ERR <n.a.> SwingWorker-1 [SSPITokenHelper.validateReponseToken] SSPI Exception! Response Token could not be validated. : com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
        at waffle.windows.auth.impl.WindowsSecurityContextImpl.initialize(WindowsSecurityContextImpl.java:134)
        at ch.otms.comm.services.SSPITokenHelperFactory$SSPITokenHelper.validateReponseToken(SSPITokenHelperFactory.java:114)

The client code is as follows:

    import java.util.Base64;

    import com.sun.jna.platform.win32.Sspi;
    import com.sun.jna.platform.win32.SspiUtil.ManagedSecBufferDesc;
    import waffle.windows.auth.IWindowsSecurityContext;
    import waffle.windows.auth.impl.WindowsSecurityContextImpl;

    // servicePrincipalName and clientContext are fields of the enclosing class (not shown here).
    private IWindowsSecurityContext getClientContext() {
      // First InitializeSecurityContext call: produces the initial SPNEGO token for the server.
      return WindowsSecurityContextImpl.getCurrent("Negotiate", servicePrincipalName.getName());
    }

    public Boolean validateReponseToken(String token) {
      boolean bValidated = false;
      try {
        byte[] responseData = Base64.getDecoder().decode(token);
        // SecBufferDesc continueToken = new SecBufferDesc(Sspi.SECBUFFER_TOKEN, responseData); // Waffle 1.9.1 / jna 4.5.1
        ManagedSecBufferDesc continueToken = new ManagedSecBufferDesc(Sspi.SECBUFFER_TOKEN, responseData); // Waffle 2.2.1 / jna 5.5.0
        // Second InitializeSecurityContext call: feeds the server's response token back into the
        // existing client context. This is where the Win32Exception above is thrown.
        clientContext.initialize(clientContext.getHandle(), continueToken, servicePrincipalName.getName());
        // The context is established only when SSPI no longer asks for another round trip.
        bValidated = !clientContext.isContinue();
      } catch (Exception e) {
        Log.log(Log.ERROR, "[SSPITokenHelper.validateReponseToken] SSPI Exception! Response Token could not be validated.", e);
        throw new otms.util.OTMSRuntimeException(" Response Token is not valid: " + e.getMessage());
      } finally {
        clientContext.dispose();
      }
      return bValidated;
    }

We have added debugging code to verify that the token received by the client is identical to that created by the server: nothing is lost or mangled.

We are using Waffle 2.2.1 / jna 5.5.0.

Googling with the error gives hits for SqlServer and SSL/TLS, but I do not see how these are directly related to our problem.

Some time ago we opened this StackOverflow question:
https://stackoverflow.com/questions/60422387/the-token-supplied-to-the-function-is-invalid-error-when-validating-spnego-res
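As an added example (not the issue author's code and not part of Waffle), the following drives the whole Negotiate exchange inside one process, using a Waffle client context on one side and a Waffle server context (`WindowsAuthProviderImpl`) on the other, so that the "validate the server's response token" step from the report can be exercised and observed on its own. It assumes the same Waffle 2.x / JNA 5 API the issue already uses, a Windows host, a placeholder SPN (`HTTP/app.example.test`) and a round-trip cap that are constructed for this example; with a non-existent SPN, Negotiate will typically fall back to NTLM rather than Kerberos, which is fine for seeing the loop structure.

```java
import com.sun.jna.platform.win32.Sspi;
import com.sun.jna.platform.win32.SspiUtil.ManagedSecBufferDesc;
import waffle.windows.auth.IWindowsSecurityContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;
import waffle.windows.auth.impl.WindowsSecurityContextImpl;

/**
 * Added example: full client/server Negotiate handshake in one process.
 * Every server token is fed back into the client context until neither side
 * reports "continue needed"; the final state is checked explicitly, so a
 * handshake that stalls or throws is reported as NOT authenticated.
 */
public final class NegotiateLoopbackExample {

    private static final String SECURITY_PACKAGE = "Negotiate";
    // Hypothetical SPN; replace with the real service principal of the target.
    private static final String TARGET_SPN = "HTTP/app.example.test";
    // Constructed guard: Kerberos needs 2 rounds, NTLM 3; anything beyond that is a stalled exchange.
    private static final int MAX_ROUNDS = 5;

    /** Outcome of the handshake as seen from both sides. */
    public static final class Result {
        public final boolean established;
        public final String authenticatedUser; // what the server side saw, or null
        public final int rounds;
        Result(boolean established, String authenticatedUser, int rounds) {
            this.established = established;
            this.authenticatedUser = authenticatedUser;
            this.rounds = rounds;
        }
    }

    public static Result run() {
        WindowsAuthProviderImpl provider = new WindowsAuthProviderImpl();
        String connectionId = "loopback-" + Thread.currentThread().getId(); // constructed id
        IWindowsSecurityContext client = null;
        IWindowsSecurityContext server = null;
        int rounds = 0;
        try {
            // Leg 1: first InitializeSecurityContext, no input token yet.
            client = WindowsSecurityContextImpl.getCurrent(SECURITY_PACKAGE, TARGET_SPN);
            byte[] clientToken = client.getToken();
            byte[] serverToken = null;

            while (rounds++ < MAX_ROUNDS) {
                if (clientToken != null && clientToken.length > 0) {
                    // Server side: AcceptSecurityContext on the token the client just produced.
                    server = provider.acceptSecurityToken(connectionId, clientToken, SECURITY_PACKAGE);
                    serverToken = server.getToken();
                }
                if (server != null && !client.isContinue() && !server.isContinue()) {
                    break; // both sides are done
                }
                if (!client.isContinue() || serverToken == null || serverToken.length == 0) {
                    // One side still expects a token but none is available: fail closed.
                    throw new IllegalStateException("Negotiate handshake stalled after round " + rounds);
                }
                // Client side: this second InitializeSecurityContext is the call that validates
                // the server's response (the step failing in the report). A Win32Exception here
                // propagates out of run() and is treated by the caller as a failed login.
                ManagedSecBufferDesc continueToken = new ManagedSecBufferDesc(Sspi.SECBUFFER_TOKEN, serverToken);
                client.initialize(client.getHandle(), continueToken, TARGET_SPN);
                clientToken = client.getToken();
                serverToken = null;
            }

            boolean established = server != null && !client.isContinue() && !server.isContinue();
            String user = (established && server.getIdentity() != null) ? server.getIdentity().getFqn() : null;
            return new Result(established, user, rounds);
        } finally {
            // Release both contexts whatever happened.
            if (client != null) {
                client.dispose();
            }
            provider.resetSecurityToken(connectionId);
        }
    }

    public static void main(String[] args) {
        try {
            Result r = run();
            System.out.println("established=" + r.established + " user=" + r.authenticatedUser + " rounds=" + r.rounds);
        } catch (RuntimeException e) {
            // Win32Exception (e.g. "The token supplied to the function is invalid") or a stalled loop.
            System.out.println("NOT authenticated: " + e.getMessage());
        }
    }
}
```

The point of the loop is that the client's `isContinue()` only turns false after it has successfully processed the server's reply; an application that treats "server accepted my token" as a completed login, without reaching that point, has skipped the mutual-authentication check. Running this example on a host where AES session keys are in use gives a minimal reproduction of the reported failure outside the application's own code.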

@ekkelenkamp

@FlyingSheepOnSailfish, did you ever get this working? We have a similar use case where we have a Swing fat client that needs to authenticate against a Kerberos protected API.
