Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))

Question

Defective Token detected while trying to authenticate via Negotiate and also I found that the token generated in curl command starts with "TIR" whereas the token generated by the java code starts with "YII".

The Curl command works fine curl -v -i --negotiate -u : " http://server/path "

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("sun.security.jgss.debug", "true");

SpnegoClient spnegoClient = SpnegoClient.loginWithUsernamePassword("<user>", "<pwd>");

URL url = new URL("http://<server>/<path>");
SpnegoContext context =  spnegoClient.createContext(url);

HttpURLConnection conn = (HttpURLConnection) url.openConnection();
System.out.println("createToken: "+context.createTokenAsAuthroizationHeader());

conn.setRequestProperty("Authorization", context.createTokenAsAuthroizationHeader());
conn.connect();
System.out.println("ResponseCode: "+conn.getResponseCode());

Output Message:

createToken: Negotiate YIICKAYGKwYBBQUCoIICHDCCAhigDTALBgkqhkiG9xIBAgKhBAMCAXaiggH/BIIB+2CCAfcGCSqGSIb3EgECAgEAboIB5jCCAeKgAwIBBaEDAgEOogcDBQAgAAAAo4IBEmGCAQ4wggEKoAMCAQWhEhsQTFVDSURURUNIU09MLkNPTaIhMB+gAwIBAKEYMBYbBEhUVFAbDjE5Mi4xNjguMTY4LjMyo4HLMIHIoAMCAQOhAwIBCaKBuwSBuCjSsDSOucrIdDiuFNWft/MFjHqRDHHnY5s7FmGJQEOD18sABBL+gZ4ENArT65ddjmmtGLhJ8glMN8Cv8y+JDX54sUZ/IoSqot8h+VuPJsCBeEYWN+556iscViQTyiiGFao+VcVPoGUdNEUg80P4A/VZr6hs5o7qVWH88I3iv7Afn6zhxPiG1bQKBafXCluPfiMr1EN4KY2YglmV+TWQLSrBM+O+uTCTrCcMgzBcKChV14cP2KgpeWekgbYwgbOgAwIBAaKBqwSBqMREjYc0vDQ2/BqGEEqnhbBI0NQOL57e17t1uSU5cr9U5S16WLlj01f7QUNF5cZji5/K9Y+WhrwguKZqQ0ifni7pTjWwabjJVDcNLjpXzJHcNDIjSrh8KdpJu1IHYsJ8NH4SejNUbRfIAyHCl9jNAK1IhIqJ8HfrzQreyV1nG2RjA8mwZ8d/Gh+peFHSYJpi/hVXFFlngUI8AYk61k+vhiHqh/er/AoJrg==
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at com.kerb4j.client.SpnegoContext.createToken(SpnegoContext.java:31)
    at com.kerb4j.client.SpnegoContext.createTokenAsAuthroizationHeader(SpnegoContext.java:41)
    at com.lucid.negotiate.App.main(App.java:60)
Caused by: GSSException: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length))
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
    at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
    at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:34)
    at com.kerb4j.client.SpnegoContext$1.run(SpnegoContext.java:31)
    ... 5 more
Caused by: GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : Short read of DER length)
    at sun.security.jgss.spnego.NegTokenTarg.parseToken(NegTokenTarg.java:192)
    at sun.security.jgss.spnego.NegTokenTarg.<init>(NegTokenTarg.java:75)
    at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:350)
    ... 9 more

Answer 1

GSS data (encoded as Base64) starting with:

• "YII" is using Kerberos as the SPNEGO sub-mechanism.
• "TIR" is using NTLM as the SPNEGO sub-mechanism.

ie CURL is suggesting NTLM as the preferred mechanism, while your Java client is trying to use Kerberos.