[Freeipa-users] "ASN.1 structure is missing a required field" - what is missing?
Marc Boorshtein
marc.boorshtein at tremolosecurity.com
Wed Nov 18 02:36:41 UTC 2015
I'm putting together a java kerberos client and am having an issue
getting a SGT from IPA. I get a TGT without issue, but when I submit
the TGS-REQ I get the following errors in the ipa log:

Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1
etypes {17}) 192.168.2.129: ISSUE: authtime 1447811595, etypes {rep=17
tkt=18 ses=17}, HTTP/s4u.rhelent.lan at RHELENT.LAN for
krbtgt/RHELENT.LAN at RHELENT.LAN
Nov 17 20:53:15 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1
etypes {17}) 192.168.2.129: PROCESS_TGS: authtime 0, <unknown client>
for HTTP/ipa.rhelent.lan at RHELENT.LAN, ASN.1 structure is missing a
required field

Here's the TGS request:

Kerberos
    tgs-req
        pvno: 5
        msg-type: krb-tgs-req (12)
        padata: 1 item
            PA-DATA PA-TGS-REQ
                padata-type: kRB5-PADATA-TGS-REQ (1)
                    padata-value: 6e8201f8308201f4a003020105a10302010ea20703050000...
                        ap-req
                            pvno: 5
                            msg-type: krb-ap-req (14)
                            Padding: 0
                            ap-options: 00000000
                                0... .... = reserved: False
                                .0.. .... = use-session-key: False
                                ..0. .... = mutual-required: False
                            ticket
                                tkt-vno: 5
                                realm: RHELENT.LAN
                                sname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    name-string: 2 items
                                        KerberosString: krbtgt
                                        KerberosString: RHELENT.LAN
                                enc-part
                                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                                    kvno: 1
                                    cipher: 0efd7452dafeb94323bcf7f6adc373aab78ce179f42c4c11...
                            authenticator
                                etype: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                                kvno: 255
                                cipher: f40e91b920c6ae6bdc30a69d5f348bf106355a92da74ba74...
        req-body
            Padding: 0
            kdc-options: 00000000
                0... .... = reserved: False
                .0.. .... = forwardable: False
                ..0. .... = forwarded: False
                ...0 .... = proxiable: False
                .... 0... = proxy: False
                .... .0.. = allow-postdate: False
                .... ..0. = postdated: False
                .... ...0 = unused7: False
                0... .... = renewable: False
                .0.. .... = unused9: False
                ..0. .... = unused10: False
                ...0 .... = opt-hardware-auth: False
                .... ..0. = request-anonymous: False
                .... ...0 = canonicalize: False
                0... .... = constrained-delegation: False
                ..0. .... = disable-transited-check: False
                ...0 .... = renewable-ok: False
                .... 0... = enc-tkt-in-skey: False
                .... ..0. = renew: False
                .... ...0 = validate: False
            cname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: s4u.rhelent.lan
            realm: RHELENT.LAN
            sname
                name-type: kRB5-NT-PRINCIPAL (1)
                name-string: 2 items
                    KerberosString: HTTP
                    KerberosString: ipa.rhelent.lan
            from: 2015-11-18 02:17:44 (UTC)
            till: 2015-11-18 10:17:44 (UTC)
            nonce: 604310537
            etype: 1 item
                ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)

Is there a field missing?
Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
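
As an added example (not part of the original post, and not FreeIPA or MIT krb5 code): a small DER walker run over the truncated padata-value prefix quoted in the message, which shows the AP-REQ wrapper ([APPLICATION 14], then context fields 0 pvno, 1 msg-type, 2 ap-options) as RFC 4120 defines it. On a full capture, comparing the context tags found at each level against the RFC's field list is one way to see which field a decoder would report as absent. The names read_header, walk and context_tags are this example's own.

```python
# Added example (not from the original post): DER tag/length walker.
# PREFIX is the truncated padata-value prefix quoted in the message.
PREFIX = bytes.fromhex("6e8201f8308201f4a003020105a10302010ea20703050000")
CLASSES = ("universal", "application", "context", "private")

def read_header(buf, pos):
    """Decode one identifier + length; return (class, constructed, tag, length, value offset)."""
    first = buf[pos]
    if first & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return CLASSES[first >> 6], bool(first & 0x20), first & 0x1F, length, pos

def walk(buf, pos=0, end=None, depth=0, out=None):
    """List (depth, class, tag, declared length, value bytes or None) for each TLV.

    Descends into constructed values and stops cleanly where the capture is cut off.
    """
    out = [] if out is None else out
    end = len(buf) if end is None else min(end, len(buf))
    while pos < end:
        try:
            cls, constructed, tag, length, val = read_header(buf, pos)
        except (IndexError, ValueError):
            out.append((depth, "unparsed", None, None, buf[pos:end]))
            break
        out.append((depth, cls, tag, length, None if constructed else buf[val:val + length]))
        if constructed:
            walk(buf, val, val + length, depth + 1, out)
        pos = val + length
    return out

def context_tags(entries, depth):
    """Context-specific field numbers seen at one nesting depth."""
    return [tag for d, cls, tag, _, _ in entries if d == depth and cls == "context"]

if __name__ == "__main__":
    for depth, cls, tag, length, value in walk(PREFIX):
        shown = "" if value is None else value.hex()
        print("  " * depth + f"{cls} {tag} len={length} {shown}")
```

A value shorter than its declared length, as with the ap-options BIT STRING here, marks where the quoted hex was cut off rather than an encoding error.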