IBM Support

IV52151: 'CANNOT FIND KDC FOR REALM' ERROR AT THE SECOND LOGIN.

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: Customer tried to perform Kerberos login with
same credential.
The first login passed, but second login failed with "Cannot
find KDC" error.
java.security.krb5.kdc and java.security.krb5.realm are set
before the second login.
.
Stack Trace: org.ietf.jgss.GSSException, major code: 11, minor
code: 0
 major string: General failure, unspecified at GSSAPI level
 minor string: Error: java.lang.Exception: Error:
com.ibm.security.krb5.KrbException, status code: 60
 message: Cannot find KDC for realm MODELERSSO.COM
null
com.ibm.security.krb5.KrbException, status code: 60
 message: Cannot find KDC for realm MODELERSSO.COM
 at com.ibm.security.krb5.p.send(p.java:76)
 at com.ibm.security.krb5.KrbTgsReq.send(KrbTgsReq.java:124)
 at com.ibm.security.krb5.p.send(p.java:64)
 at com.ibm.security.krb5.KrbTgsReq.send(KrbTgsReq.java:120)
.
N/A

Local fix

  • 1, remove the code to set java.security.krb5.kdc and
java.security.krb5.realm before the second login.
or
2, do not specify the Kerberos config file and set
java.security.krb5.kdc and java.security.krb5.realm before the
first login.

Problem summary

  • The problem is caused by a improper KDC search.

Problem conclusion

  • This defect will be fixed in the followig Java Releases:
   7    SR6 FP1   (7.0.6.1)
   7 R1 SR1       (7.1.1.0)
   6 R1 SR7 FP1   (6.1.7.1)
   6    SR15 FP1  (6.0.15.1)
.
Fixed the search order for KDC.
The associated Hursley CMVC defect is 200563.
The associated Austin CMVC defect is 114747.
Platform affected: All platforms.
JVMs affected: 6.0, 6.26, and 7.0.
Jars affected: ibmjgssprovider.jar.
The fix will be available in 160_SR15_FP1, 626_SR7_FP1, and
170_SR6_FP1.
Build level is 20131113.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IV52151
    • 

  • Reported component name
    SECURITY
    • 

  • Reported component ID
    620700125
    • 

  • Reported release
    260
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2013-11-15
    • 

  • Closed date
    2013-11-25
    • 

  • Last modified date
    2014-01-07
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    SECURITY
    • 

  • Fixed component ID
    620700125
    • 



Applicable component levels


    

  • R260  PSY
       UP
    • 

  • R600  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"260","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 January 2014
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback