[cas-user] Kerberos works from command line but not from CAS server?


Dave

Oct 10, 2011, 11:33:40 AM
to cas-...@lists.jasig.org
I'll warn up front, this e-mail is going to be long. I'm having a heck of a time trying to get Kerberos authentication working in our environment. Our CAS server is running on a linux server (SUSE Linux Enterprise Server 10 (x86_64)) and we're authenticating against a Windows 2008 R2 AD domain. Below is my configuration in deployerConfigContext.xml

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
<property name="jcifsServicePrincipal" value="HTTP/intranettest.e...@OATEST.COMPANY.ORG" />
<property name="jcifsServicePassword" value="${spnego.password}" />
<property name="kerberosDebug" value="true" />
<property name="kerberosConf" value="/etc/krb5.conf" />
<property name="loginConf" value="/ead/cas-internal/webapps/login/WEB-INF/login.conf" />
</bean>

login.conf is just normal:

jcifs.spnego.initiate {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
jcifs.spnego.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};

Here is my krb5.conf file

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[libdefaults]
ticket_lifetime = 24000
default_realm = OATEST.COMPANY.ORG
default_keytab_name = /ead/cqadmin.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
udp_preference_limit = 1
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
OATEST.COMPANY.ORG = {
kdc = oatdc01twdu.OATEST.COMPANY.ORG:88
}

[domain_realm]
.oatest.company.org = OATEST.COMPANY.ORG
oatest.company.org = OATEST.COMPANY.ORG

(we want to force TCP so that's why we set udp_preference_limit = 1)

So here's where things start to get frustrating. I can get a ticket to be granted when I run kinit from the command line using this:

> kinit -J-Dsun.security.krb5.debug=true -k HTTP/intranettest.ent.company.org

Config name: /etc/krb5.conf
>>>KinitOptions cache name is /tmp/krb5cc_13999
Principal is HTTP/intranettest.e...@OATEST.COMPANY.ORG
>>> Kinit using keytab
>>> KeyTabInputStream, readName(): OATEST.COMPANY.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): intranettest.ent.company.org
>>> KeyTab: load() entry length: 73; type: 1
>>> KeyTabInputStream, readName(): OATEST.COMPANY.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): intranettest.ent.company.org
>>> KeyTab: load() entry length: 73; type: 3
>>> KeyTabInputStream, readName(): OATEST.COMPANY.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): intranettest.ent.company.org
>>> KeyTab: load() entry length: 81; type: 23
>>> KeyTabInputStream, readName(): OATEST.COMPANY.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): intranettest.ent.company.org
>>> KeyTab: load() entry length: 97; type: 18
>>> KeyTabInputStream, readName(): OATEST.COMPANY.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): intranettest.ent.company.org
>>> KeyTab: load() entry length: 81; type: 17
Added key: 17version: 5
Found unsupported keytype (18) for HTTP/intranettest.e...@OATEST.COMPANY.ORG
Added key: 23version: 5
Added key: 3version: 5
Added key: 1version: 5
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 1 3.
0: EncryptionKey: keyType=23 kvno=5 keyValue (hex dump)=
0000: E7 6D C3 F5 BC C1 73 C5 98 EE BC 83 3B F3 29 CB .m....s.....;.).


1: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
0000: 1A 62 1F B5 3D AD C1 9B

2: EncryptionKey: keyType=3 kvno=5 keyValue (hex dump)=
0000: 1A 62 1F B5 3D AD C1 9B

>>> Kinit realm name is OATEST.COMPANY.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for casap01txdu.dev.company.org are:

casap01txdu.dev.company.org/132.174.110.14
IPv4 address
default etypes for default_tkt_enctypes: 23 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm OATEST.COMPANY.ORG
>>> KrbKdcReq send: kdc=oatdc01twdu.OATEST.COMPANY.ORG TCP:88, timeout=30000, number of retries =3, #bytes=193
>>>DEBUG: TCPClient reading 302 bytes
>>> KrbKdcReq send: #bytes read=302
>>> KrbKdcReq send: #bytes read=302
>>> reading response from kdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Oct 10 10:48:34 EDT 2011 1318258114000
suSec is 438494
error code is 25
error Message is Additional pre-authentication required
realm is OATEST.COMPANY.ORG
sname is krbtgt/OATEST.COMPANY.ORG
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
>>>KrbAsReq salt is OATEST.COMPANY.ORGHTTPintranettest.ent.company.org
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> Kinit: sending as_req to realm OATEST.COMPANY.ORG
>>> KrbKdcReq send: kdc=oatdc01twdu.OATEST.COMPANY.ORG TCP:88, timeout=30000, number of retries =3, #bytes=272
>>>DEBUG: TCPClient reading 1523 bytes
>>> KrbKdcReq send: #bytes read=1523
>>> KrbKdcReq send: #bytes read=1523
>>> reading response from kdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/intranettest.ent.company.org
New ticket is stored in cache file /tmp/krb5cc_13999

But when I try to get it from the CAS application it fails every time with this:
2011-10-10 10:58:42,554 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePrincipal is set to HTTP/intranettest.e...@OATEST.COMPANY.ORG>
2011-10-10 10:58:42,554 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePassword is set to *****>
2011-10-10 10:58:42,555 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosDebug is set to : true>
2011-10-10 10:58:42,555 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosConf is set to :/etc/krb5.conf>
2011-10-10 10:58:42,567 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <configured login configuration path : /ead/cas-internal/webapps/login/WEB-INF/login.conf>

<snip>
2011-10-10 10:58:55,124 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 2084 bytes>
2011-10-10 10:58:55,128 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: <lots of garbage cut out>
default etypes for default_tkt_enctypes: 23 1 3.
default etypes for default_tkt_enctypes: 23 1 3.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=oatdc01twdu.OATEST.COMPANY.ORG TCP:88, timeout=30000, number of retries =3, #bytes=174
>>>DEBUG: TCPClient reading 302 bytes
>>> KrbKdcReq send: #bytes read=302
>>> KrbKdcReq send: #bytes read=302
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Oct 10 10:58:55 EDT 2011 1318258735000
suSec is 717767
error code is 25
error Message is Additional pre-authentication required
realm is OATEST.COMPANY.ORG
sname is krbtgt/OATEST.COMPANY.ORG
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 1 3.
Pre-Authentication: Set preferred etype = 23
>>>KrbAsReq salt is OATEST.COMPANY.ORGHTTPintranettest.ent.company.org
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=oatdc01twdu.OATEST.COMPANY.ORG TCP:88, timeout=30000, number of retries =3, #bytes=246
>>>DEBUG: TCPClient reading 154 bytes
>>> KrbKdcReq send: #bytes read=154
>>> KrbKdcReq send: #bytes read=154
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Oct 10 10:58:55 EDT 2011 1318258735000
suSec is 733392
error code is 24
error Message is Pre-authentication information was invalid
realm is OATEST.COMPANY.ORG
sname is krbtgt/OATEST.COMPANY.ORG
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
at jcifs.spnego.Authentication.process(Authentication.java:235)
at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:57)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:72)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody3$advice(AbstractPreAndPostProcessingAuthenticationHandler.java:44)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:1)
at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticateAndObtainPrincipal(AuthenticationManagerImpl.java:78)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody0(AbstractAuthenticationManager.java:41)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate_aroundBody1$advice(AbstractAuthenticationManager.java:44)
at org.jasig.cas.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy31.authenticate(Unknown Source)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody10(CentralAuthenticationServiceImpl.java:413)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket_aroundBody11$advice(CentralAuthenticationServiceImpl.java:44)
at org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:1)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at org.perf4j.aop.AbstractTimingAspect$1.proceed(AbstractTimingAspect.java:47)
at org.perf4j.aop.AgnosticTimingAspect.runProfiledMethod(AgnosticTimingAspect.java:53)
at org.perf4j.aop.AbstractTimingAspect.doPerfLogging(AbstractTimingAspect.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:80)
at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:126)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethodWithGivenArgs(AbstractAspectJAdvice.java:621)
at org.springframework.aop.aspectj.AbstractAspectJAdvice.invokeAdviceMethod(AbstractAspectJAdvice.java:610)
at org.springframework.aop.aspectj.AspectJAroundAdvice.invoke(AspectJAroundAdvice.java:65)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:161)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:110)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at $Proxy33.createTicketGrantingTicket(Unknown Source)
at org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction.doExecute(AbstractNonInteractiveCredentialsAction.java:84)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.AnnotatedAction.execute(AnnotatedAction.java:145)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.execute(FlowExecutionImpl.java:391)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.execute(RequestControlContextImpl.java:214)
at org.springframework.webflow.engine.TransitionableState.handleEvent(TransitionableState.java:119)
at org.springframework.webflow.engine.Flow.handleEvent(Flow.java:555)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.handleEvent(FlowExecutionImpl.java:386)
at org.springframework.webflow.engine.impl.RequestControlContextImpl.handleEvent(RequestControlContextImpl.java:210)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:105)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Transition.execute(Transition.java:227)
at org.springframework.webflow.engine.DecisionState.doEnter(DecisionState.java:51)
at org.springframework.webflow.engine.State.enter(State.java:194)
at org.springframework.webflow.engine.Flow.start(Flow.java:535)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:364)
at org.springframework.webflow.engine.impl.FlowExecutionImpl.start(FlowExecutionImpl.java:222)
at org.springframework.webflow.executor.FlowExecutorImpl.launchExecution(FlowExecutorImpl.java:140)
at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:193)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:719)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:644)
at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:549)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody2(SafeDispatcherServlet.java:115)
at org.jasig.cas.web.init.SafeDispatcherServlet.service_aroundBody3$advice(SafeDispatcherServlet.java:44)
at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:1)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:462)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:164)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:851)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:278)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at jcifs.spnego.Authentication.processKerberos(Authentication.java:426)
... 132 more
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
... 137 more
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 148 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 152 more


I notice that from the command line the second attempt has:
TCPClient reading 1523 bytes

but from the application the second attempt has:
TCPClient reading 154 bytes

Any ideas?
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
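The Java debug output above walks the keytab entry by entry and reports "Found unsupported keytype (18)" for the AES-256 key. As an added example (not from Dave's post or the CAS project), this parser reads a keytab in the 0x0502 format, lists principal, kvno and enctype per entry, and reports which enctypes the JVM cannot use; the sample keytab is constructed in memory with placeholder key bytes, and the set of enctypes usable under a JDK 6 default (limited) JCE policy is an assumption.

```python
"""Parse a keytab (format 0x0502) and match its enctypes against what the
JVM can use, so a 'Found unsupported keytype' debug line can be tied to
the keys actually on disk.  Example code, not part of CAS or the post."""
import struct

# Enctype numbers from RFC 3961/3962 and RFC 4757 (rc4-hmac).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Assumption: JDK 6 with the limited JCE policy can use these but not AES-256.
JDK6_LIMITED_POLICY_ETYPES = {1, 3, 17, 23}

def _counted(data: bytes) -> bytes:
    """Keytab 'counted string': uint16 big-endian length followed by bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries) -> bytes:
    """Build a version-2 keytab from (principal, realm, kvno, etype, key)
    tuples.  Exists only to give the parser constructed offline input."""
    out = b"\x05\x02"
    for principal, realm, kvno, etype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c)
        body += struct.pack(">I", 1)           # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1318258114)  # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", etype) + _counted(key)
        body += struct.pack(">I", kvno)        # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob: bytes):
    """Yield one dict per entry; key bytes are read but never returned."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos = 2
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size == 0:
            break
        if size < 0:          # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        def rd() -> str:
            nonlocal pos
            (n,) = struct.unpack_from(">H", blob, pos); pos += 2
            s = blob[pos:pos + n]; pos += n
            return s.decode()
        realm = rd()
        comps = [rd() for _ in range(ncomp)]
        pos += 4              # name_type
        ts, vno8, etype, klen = struct.unpack_from(">IBHH", blob, pos)
        pos += 9 + klen       # header fields plus the key itself
        kvno = vno8
        if end - pos >= 4:    # 32-bit vno, if present, overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        yield {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
               "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
               "key_len": klen}

def unusable_etypes(blob: bytes, jvm_etypes: set) -> list:
    """Enctypes present in the keytab that the JVM cannot use."""
    return sorted({e["etype"] for e in parse_keytab(blob)} - jvm_etypes)

# Constructed sample mirroring the five entries in the debug output (placeholder keys).
_PRINC, _REALM = "HTTP/intranettest.ent.company.org", "OATEST.COMPANY.ORG"
SAMPLE_KEYTAB = build_keytab([(_PRINC, _REALM, 5, et, b"\x00" * n)
                              for et, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f'{e["principal"]} kvno={e["kvno"]} etype={e["etype"]} ({e["etype_name"]})')
    print("unusable under limited JCE policy:",
          unusable_etypes(SAMPLE_KEYTAB, JDK6_LIMITED_POLICY_ETYPES))
```

Run it against a real keytab by passing `open(path, "rb").read()` to `parse_keytab`; an entry whose enctype shows up in `unusable_etypes` is the one the JVM will skip, and the KDC will still answer with whichever etype it prefers.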

Dave

Oct 14, 2011, 7:45:03 AM
to cas-...@lists.jasig.org
A follow up on this. I've found that it was working from the command line because I was running the test through the kinit tool in the JDK 1.5u12 and the application uses JDK 1.6u26. I got our system admins to install the krb5-client package and now when I run the kinit tool it's hitting the correct JDK. And as such I'm getting an error trying to run it.


ead@casap01txdu:/usr/java> kinit
Password for HTTP/intranettest.e...@OATEST.COMPANY.ORG:
kinit(v5): Preauthentication failed while getting initial credentials

So doing a little googling I see this:

http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html#kinit_2
This happens when a user's principal has the "requires_preauth" flag and either one of three things occurs:

- They enter their password incorrectly
- They only have an AFS salted key in the KDC database. This will cause a "file not found" error in the KDC logs.
- The clock skew on the system they are on is too large. This will be indicated in the KDC logs.


I don't think it's a password thing because I can get it to work with JDK 1.5. I also don't think it's a clock skew problem because we have the default 5 minute skew and we're well within those parameters. That leaves an AFS salted key?

Has anyone run into this before?
