URL: https://www.ibm.com/support/pages/apar/IV83715

IV83715: JAVA 8 FAILED TO PERFORM SSO WITH MICROSOFT SASL SERVER

APAR status

  • Closed as program error.

Error description

  • Error Message: Java 8 failed to perform SSO with Microsoft SASL
    server.
    .
    Stack Trace: Exception in thread "main"
    javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 80090300: LdapErr: DSID-0C0904D3, comment: AcceptSecurityContext error, data 5aa, v1db1?@]
     at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3212)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3093)
     at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2895)
     at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2809)
     at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:331)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:204)
     at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:222)
     at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:165)
     at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:95)
     at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
     at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:324)
     at javax.naming.InitialContext.init(InitialContext.java:255)
     at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:165)
     at LDAPConnectTest.createContext(LDAPConnectTest.java:54)
     at LDAPConnectTest.main(LDAPConnectTest.java:28)
    .
    Java 7 works fine. Replacing ibmsaslprovider.jar in Java 8 with
    the Java 7 version resolves the problem.
    

Local fix

Problem summary

  • In Java 8, SASL requests delegation by default when possible.
    The exception happens when the client authenticates to the
    server with delegation credentials. The r-address field in
    EncKrbCredPart was set to the server's address, which
    Microsoft's SASL server rejects.
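
The summary above turns on whether the optional r-address field is present in the EncKrbCredPart of the delegated credential. As an added illustration (not IBM's code and not part of the APAR), this Python sketch walks an EncKrbCredPart as laid out in RFC 4120 and reports r-address; it assumes the input is the already-decrypted DER plaintext, and the function names and sample bytes are constructed for this example.

```python
# EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { ticket-info [0], nonce [1] OPT, timestamp [2] OPT,
#   usec [3] OPT, s-address [4] OPT, r-address [5] OPT }   (RFC 4120, section 5.8.1)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def cred_part_fields(der):
    """Map context tag number -> raw value for each EncKrbCredPart field."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x7D:                         # [APPLICATION 29], constructed
        raise ValueError("not an EncKrbCredPart")
    _, seq, _ = read_tlv(body, 0)           # the inner SEQUENCE
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = value          # explicit [n] wrapper -> n
    return fields

def r_address(der):
    """Return (addr_type, address) if r-address [5] is present, else None."""
    value = cred_part_fields(der).get(5)
    if value is None:
        return None
    # HostAddress ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }
    _, host, _ = read_tlv(value, 0)
    _, t, nxt = read_tlv(host, 0)
    _, a, _ = read_tlv(host, nxt)
    return int.from_bytes(read_tlv(t, 0)[1], "big", signed=True), read_tlv(a, 0)[1]

def tlv(tag, value):                        # builder for the constructed sample, short lengths only
    return bytes([tag, len(value)]) + value

def sample(with_r_address):                 # constructed plaintext; ticket-info left empty for brevity
    fields = tlv(0xA0, tlv(0x30, b""))
    if with_r_address:                      # IPv4 (addr-type 2), documentation address 192.0.2.10
        host = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0xA1, tlv(0x04, bytes([192, 0, 2, 10])))
        fields += tlv(0xA5, tlv(0x30, host))
    return tlv(0x7D, tlv(0x30, fields))
```

`r_address(sample(True))` returns the address type and bytes, and `r_address(sample(False))` returns `None` because the optional field is absent.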
    

Problem conclusion

  • Set r-address in EncKrbCredPart as null.
    The corresponding Austin defect is 117213.
    The corresponding RTC Problem Report is 110795.
    Platform affected: All platforms.
    JVMs affected: 6.0, 6.26, 7.0, 7.27, and 8.0.
    Jars affected: ibmjgssprovider.jar.
    The fix will be available in 160_SR16FP30, 626_SR8FP30,
    170_SR9FP50, 727_SR3FP50, and 180_SR3FP10.
    Build level is 20160412.
    .
    This APAR will be fixed in the following Java Releases:
     8 SR3 FP10 (8.0.3.10)
     6 R1 SR8 FP30 (6.1.8.30)
     7 SR9 FP50 (7.0.9.50)
     7 R1 SR3 FP50 (7.1.3.50)
     6 SR16 FP30 (6.0.16.30)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    Service Refreshes and Fix Packs can be found at:
     https://www.ibm.com/developerworks/java/jdk/
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV83715

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-13

  • Closed date

    2016-04-25

  • Last modified date

    2016-04-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R270 PSY

       UP

  • R260 PSY

       UP

  • R600 PSY

       UP

Document Information

Modified date:
07 December 2020