IBM Support

IV52151: 'CANNOT FIND KDC FOR REALM' ERROR AT THE SECOND LOGIN.

APAR status

  • Closed as program error.

Error description

  • Error Message: The customer tried to perform a Kerberos login with
    the same credential.
    The first login passed, but the second login failed with a "Cannot
    find KDC" error.
    java.security.krb5.kdc and java.security.krb5.realm are set
    before the second login.

    Stack Trace: org.ietf.jgss.GSSException, major code: 11, minor code: 0
     major string: General failure, unspecified at GSSAPI level
     minor string: Error: java.lang.Exception: Error: com.ibm.security.krb5.KrbException, status code: 60
     message: Cannot find KDC for realm MODELERSSO.COM
    null
    com.ibm.security.krb5.KrbException, status code: 60
     message: Cannot find KDC for realm MODELERSSO.COM
     at com.ibm.security.krb5.p.send(p.java:76)
     at com.ibm.security.krb5.KrbTgsReq.send(KrbTgsReq.java:124)
     at com.ibm.security.krb5.p.send(p.java:64)
     at com.ibm.security.krb5.KrbTgsReq.send(KrbTgsReq.java:120)


Local fix

  • 1. Remove the code that sets java.security.krb5.kdc and
    java.security.krb5.realm before the second login.
    or
    2. Do not specify the Kerberos config file, and set
    java.security.krb5.kdc and java.security.krb5.realm before the
    first login.
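
The two workarounds above, combined into a startup helper, as an added example that is not IBM's code: the class and method names are hypothetical and the KDC host is a constructed placeholder. It sets both properties once before the first login, refuses to run when java.security.krb5.conf is also set, and makes any later call a no-op so nothing re-sets them before the second login.

```java
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical helper (added example, not IBM code): applies the Kerberos
// system properties exactly once, before the first login, and never again.
public final class KerberosBootstrap {
    private static final String KDC = "java.security.krb5.kdc";
    private static final String REALM = "java.security.krb5.realm";
    private static final String CONF = "java.security.krb5.conf";
    private static final AtomicBoolean configured = new AtomicBoolean(false);

    private KerberosBootstrap() {}

    /** Returns true if this call set the properties, false if an earlier call already did. */
    public static boolean configureOnce(String realm, String kdc) {
        if (realm == null || realm.isEmpty() || kdc == null || kdc.isEmpty()) {
            throw new IllegalArgumentException("realm and kdc must both be given");
        }
        // Workaround 2: no Kerberos config file alongside the two properties.
        // Only the system property is checked here; a config file picked up
        // from a default location is not detected by this helper.
        if (System.getProperty(CONF) != null) {
            throw new IllegalStateException(
                CONF + " is set; remove it or drop the kdc/realm properties");
        }
        // Workaround 1: later logins must not set the properties again.
        if (!configured.compareAndSet(false, true)) {
            return false;
        }
        System.setProperty(REALM, realm);
        System.setProperty(KDC, kdc);
        return true;
    }

    public static void main(String[] args) {
        // MODELERSSO.COM is the realm from the APAR; the KDC host is constructed.
        boolean first = configureOnce("MODELERSSO.COM", "kdc.example.com");
        // ... the first JAAS/JGSS login would run here ...
        boolean second = configureOnce("MODELERSSO.COM", "kdc.example.com");
        // ... the second login reuses the properties set before the first one ...
        System.out.println("first call set properties:  " + first);
        System.out.println("second call set properties: " + second);
    }
}
```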
    

Problem summary

  • The problem is caused by an improper KDC search.
    

Problem conclusion

  • This defect will be fixed in the following Java Releases:
       7    SR6 FP1   (7.0.6.1)
       7 R1 SR1       (7.1.1.0)
       6 R1 SR7 FP1   (6.1.7.1)
       6    SR15 FP1  (6.0.15.1)

    Fixed the search order for KDC.
    The associated Hursley CMVC defect is 200563.
    The associated Austin CMVC defect is 114747.
    Platform affected: All platforms.
    JVMs affected: 6.0, 6.26, and 7.0.
    Jars affected: ibmjgssprovider.jar.
    The fix will be available in 160_SR15_FP1, 626_SR7_FP1, and
    170_SR6_FP1.
    Build level is 20131113.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV52151

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    260

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-11-15

  • Closed date

    2013-11-25

  • Last modified date

    2014-01-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R600 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 260

Reference #: IV52151

Modified date: 07 January 2014