dotnet/Kerberos.NET

Cannot request a ticket until a user is authenticated

hwjensen opened this issue · 4 comments

Is your feature request related to a problem? Please describe.
Kerberos fails with a message that is hard to understand.

Describe the solution you'd like
I would like to understand the error message.

Describe alternatives you've considered
Reading the code. This will be the next step if this fails.

Additional context
---> OracleInternal.Network.NetworkException (0x80004005): NA Kerberos5: Authentication handshake failure at stage: %s
---> System.InvalidOperationException: Cannot request a service ticket until a user is authenticated
at Kerberos.NET.Client.KerberosClient.CopyTicket(String spn) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1092
at Kerberos.NET.Client.KerberosClient.GetServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 591
at OracleInternal.Network.AnoKerberos.Authenticate(String KRB5Conf, String KRB5CCName, String SN, String Host, Byte[]& kkey)
at OracleInternal.Network.Ano.KerberosHandshake(AuthenticationService AS, String KRB5Conf, String KRB5CCName)
at OracleInternal.Network.OracleCommunication.DoConnect(String tnsDescriptor)
at OracleInternal.Network.OracleCommunication.Connect(String tnsDescriptor, Boolean doNAHandshake, String IName, ConnectionOption CO)
at OracleInternal.ServiceObjects.OracleConnectionImpl.Connect(ConnectionString cs, Boolean bOpenEndUserSession, OracleConnection connRefForCriteria, String instanceName)
at OracleInternal.ConnectionPool.PoolManager3.Get(ConnectionString csWithDiffOrNewPwd, Boolean bGetForApp, OracleConnection connRefForCriteria, String affinityInstanceName, Boolean bForceMatch)
at OracleInternal.ConnectionPool.OraclePoolManager.Get(ConnectionString csWithNewPassword, Boolean bGetForApp, OracleConnection connRefForCriteria, String affinityInstanceName, Boolean bForceMatch)
at OracleInternal.ConnectionPool.OracleConnectionDispenser3.Get(ConnectionString cs, PM conPM, ConnectionString pmCS, SecureString securedPassword, SecureString securedProxyPassword, OracleConnection connRefForCriteria)
2023-07-19 15:58:41.862121 TID:9 (PRI) (EXT) OracleConnectionDispenser.Get()
The user is authenticated so what is the problem?
KR
Henrik

OK, thanks, I am guessing that what is going on is that we are trying to use Kerberos in a way that was not intended.
We are already using Kerberos without problems in an earlier version of the Oracle client. It appears that in this new implementation we shall have to implement code that retrieves the TGT from the DC and loads the cache with this before a logon can be attempted. Do you know of example code that can get us started? We would like to work with others on this.
This code will probably be needed by a lot of people who want to use Kerberos.NET in an AD context. I am not sure this is the right forum for this though; do you know of a better place?

TIA
Henrik

It turns out that if the cache is initialized before the authorization process, the ticket exchange actually works. The Bruce/kinit failed for some reason, but an old okinit from a 12c database we had did initialize the cache, and that did the trick. So now there is a new problem, but this is probably with the 19c database.

Thank you for your help!
KR
Henrik
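
A pre-flight check for the condition described in the last comment, added here as an example (not code from Kerberos.NET or the Oracle driver): it parses a file credential cache and reports whether it holds an unexpired krbtgt entry before a connection is attempted. It assumes the cache is a file in the MIT version 4 ccache layout; `tgt_endtimes` and `has_usable_tgt` are names made up for this example.

```python
import struct
import time

def _data(buf, off):
    # Counted octet string: 32-bit big-endian length, then the bytes.
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _principal(buf, off):
    # Name type, component count, realm, then each name component.
    _ntype, count = struct.unpack_from(">II", buf, off)
    realm, off = _data(buf, off + 8)
    parts = []
    for _ in range(count):
        part, off = _data(buf, off)
        parts.append(part.decode())
    return "/".join(parts) + "@" + realm.decode(), off

def tgt_endtimes(buf):
    """Return {server principal: endtime} for krbtgt entries in a v4 ccache."""
    if buf[:2] != b"\x05\x04":
        raise ValueError("not a version 4 file ccache (assumed format)")
    (hdrlen,) = struct.unpack_from(">H", buf, 2)
    _default, off = _principal(buf, 4 + hdrlen)   # default principal
    found = {}
    while off < len(buf):                         # one credential per pass
        _client, off = _principal(buf, off)
        server, off = _principal(buf, off)
        _key, off = _data(buf, off + 2)           # skip 16-bit enctype, read key
        _auth, _start, end, _renew = struct.unpack_from(">IIII", buf, off)
        off += 16 + 1 + 4                         # times, is_skey, ticket flags
        for _ in range(2):                        # address list, then authdata list
            (n,) = struct.unpack_from(">I", buf, off)
            off += 4
            for _ in range(n):
                _item, off = _data(buf, off + 2)  # 16-bit type, then data
        _ticket, off = _data(buf, off)
        _second, off = _data(buf, off)
        if server.startswith("krbtgt/"):
            found[server] = end
    return found

def has_usable_tgt(buf, now=None):
    """True when the cache holds at least one krbtgt that has not expired."""
    now = time.time() if now is None else now
    return any(end > now for end in tgt_endtimes(buf).values())
```

Read the file named by the driver's KRB5CCName setting with `open(path, "rb").read()` and pass the bytes in; a `False` result means the cache has no usable TGT.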