Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Kerberos 5 Loginmodule: Pre-authentication information was invalid (24)

12 views
Skip to first unread message

Thomas Konrath

unread,
Feb 19, 2003, 10:47:59 AM2/19/03
to
Hi !!!

We are doing a project for our university and we have a problem
concerning the Kerberos 5 Loginmodul from sun.

We are using the class com.sun.security.auth.module.Krb5LoginModule in
our Java project. We have configured the krb5.ini file as it is
described under http://www.lns.cornell.edu/public/COMP/krb5/admin/admin_3.html#SEC16.

Actually, it runs well in our testdomain but not in the real domain in
our university (both are Windows 2000 Domains with Windows 2000 and
Windows XP workstations).


When we are try to log on, we get to following exception:
16:21:35,680 INFO [STDOUT] Debug is true storeKey false
useTicketCache false useKeyTab false doNot
Prompt false ticketCache is null KeyTab is null principal is null
tryFirstPass is false useFirstPass
is false storePass is false clearPass is false
16:21:35,680 INFO [STDOUT] [Krb5LoginModule] user entered
username: konrat
16:21:35,690 INFO [STDOUT] principal is kon...@SAFE.LOCAL
16:21:35,740 INFO [STDOUT] [Krb5LoginModule]
authentication failed
Pre-authentication information was invalid (24)
16:21:35,750 ERROR [STDERR] javax.security.auth.login.LoginException:
Pre-authentication information
was invalid (24)
16:21:35,750 ERROR [STDERR] at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthenticatio
n(Krb5LoginModule.java:568)
16:21:35,750 ERROR [STDERR] at
com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModul
e.java:458)
16:21:35,750 ERROR [STDERR] at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
16:21:35,750 ERROR [STDERR] at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorI
mpl.java:39)
16:21:35,750 ERROR [STDERR] at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodA
ccessorImpl.java:25)
16:21:35,750 ERROR [STDERR] at
java.lang.reflect.Method.invoke(Method.java:324)
16:21:35,750 ERROR [STDERR] at
javax.security.auth.login.LoginContext.invoke(LoginContext.java:6
75)
16:21:35,750 ERROR [STDERR] at
javax.security.auth.login.LoginContext.access$000(LoginContext.ja
va:129)
16:21:35,760 ERROR [STDERR] at
javax.security.auth.login.LoginContext$4.run(LoginContext.java:61
0)
16:21:35,760 ERROR [STDERR] at
java.security.AccessController.doPrivileged(Native Method)
16:21:35,760 ERROR [STDERR] at
javax.security.auth.login.LoginContext.invokeModule(LoginContext.
java:607)
16:21:35,760 ERROR [STDERR] at
javax.security.auth.login.LoginContext.login(LoginContext.java:53
4)
16:21:35,760 ERROR [STDERR] at
edu.ima.safe.security.auth.spi.Krb5LdapLoginModule.login(Krb5Ldap
LoginModule.java:336)
16:21:35,760 ERROR [STDERR] at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
16:21:35,760 ERROR [STDERR] at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorI
mpl.java:39)
16:21:35,760 ERROR [STDERR] at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodA
ccessorImpl.java:25)
16:21:35,760 ERROR [STDERR] at
java.lang.reflect.Method.invoke(Method.java:324)
16:21:35,760 ERROR [STDERR] at
javax.security.auth.login.LoginContext.invoke(LoginContext.java:6
75)
16:21:35,760 ERROR [STDERR] at
javax.security.auth.login.LoginContext.access$000(LoginContext.ja
va:129)
16:21:35,770 ERROR [STDERR] at
javax.security.auth.login.LoginContext$4.run(LoginContext.java:61
0)
16:21:35,770 ERROR [STDERR] at
java.security.AccessController.doPrivileged(Native Method)
16:21:35,770 ERROR [STDERR] at
javax.security.auth.login.LoginContext.invokeModule(LoginContext.
java:607)
16:21:35,770 ERROR [STDERR] at
javax.security.auth.login.LoginContext.login(LoginContext.java:53
4)
16:21:35,770 ERROR [STDERR] at
org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasS
ecurityManager.java:462)
16:21:35,770 ERROR [STDERR] at
org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasS
ecurityManager.java:417)
16:21:35,770 ERROR [STDERR] at
org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecuri
tyManager.java:244)
16:21:35,770 ERROR [STDERR] at
org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecuri
tyManager.java:219)
16:21:35,770 ERROR [STDERR] at
org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociatio
n(SecurityInterceptor.java:169)
16:21:35,770 ERROR [STDERR] at
org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInte
rceptor.java:94)
16:21:35,780 ERROR [STDERR] at
org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.ja
va:129)
16:21:35,780 ERROR [STDERR] at
org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessi
onContainer.java:300)
16:21:35,780 ERROR [STDERR] at
org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(
BaseLocalContainerInvoker.java:230)
16:21:35,780 ERROR [STDERR] at
org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.
java:110)
16:21:35,780 ERROR [STDERR] at $Proxy23.create(Unknown Source)
16:21:35,780 ERROR [STDERR] at
org.apache.jsp.ejbsecurepage$jsp._jspService(ejbsecurepage$jsp.ja
va:65)
16:21:35,780 ERROR [STDERR] at
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:10
7)
16:21:35,780 ERROR [STDERR] at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
16:21:35,780 ERROR [STDERR] at
org.apache.jasper.servlet.JspServlet$JspServletWrapper.service(Js
pServlet.java:201)
16:21:35,780 ERROR [STDERR] at
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.ja
va:381)
16:21:35,780 ERROR [STDERR] at
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:473)

16:21:35,790 ERROR [STDERR] at
javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
16:21:35,790 ERROR [STDERR] at
org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java
:360)
16:21:35,790 ERROR [STDERR] at
org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebAppli
cationHandler.java:280)
16:21:35,790 ERROR [STDERR] at
org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.ja
va:553)
16:21:35,790 ERROR [STDERR] at
org.mortbay.http.HttpContext.handle(HttpContext.java:1717)
16:21:35,790 ERROR [STDERR] at
org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplica
tionContext.java:549)
16:21:35,790 ERROR [STDERR] at
org.mortbay.http.HttpContext.handle(HttpContext.java:1667)
16:21:35,790 ERROR [STDERR] at
org.mortbay.http.HttpServer.service(HttpServer.java:862)
16:21:35,790 ERROR [STDERR] at
org.jboss.jetty.Jetty.service(Jetty.java:497)
16:21:35,790 ERROR [STDERR] at
org.mortbay.http.HttpConnection.service(HttpConnection.java:759)
16:21:35,790 ERROR [STDERR] at
org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:92
3)
16:21:35,800 ERROR [STDERR] at
org.mortbay.http.HttpConnection.handle(HttpConnection.java:776)
16:21:35,800 ERROR [STDERR] at
org.mortbay.http.SocketListener.handleConnection(SocketListener.j
ava:202)
16:21:35,800 ERROR [STDERR] at
org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:289)
16:21:35,800 ERROR [STDERR] at
org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:455)
16:21:35,800 ERROR [STDERR] Caused by: KrbException:
Pre-authentication information was invalid (24)

16:21:35,800 ERROR [STDERR] at
sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
16:21:35,800 ERROR [STDERR] at
sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
16:21:35,800 ERROR [STDERR] at
sun.security.krb5.Credentials.acquireTGT(DashoA6275:333)
16:21:35,800 ERROR [STDERR] at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthenticatio
n(Krb5LoginModule.java:559)
16:21:35,810 ERROR [STDERR] ... 54 more
16:21:35,810 ERROR [STDERR] Caused by: KrbException: Identifier
doesn't match expected value (906)
16:21:35,810 ERROR [STDERR] at
sun.security.krb5.internal.af.a(DashoA6275:129)
16:21:35,810 ERROR [STDERR] at
sun.security.krb5.internal.au.a(DashoA6275:58)
16:21:35,810 ERROR [STDERR] at
sun.security.krb5.internal.au.<init>(DashoA6275:53)
16:21:35,810 ERROR [STDERR] at
sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
16:21:35,810 ERROR [STDERR] ... 57 more


--> PLEASE HELP !!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanx,

Tom

dire...@wedgetail.com

unread,
Mar 10, 2003, 1:41:58 AM3/10/03
to
Thomas Konrath <thomas....@fh-joanneum.at> wrote:
> Hi !!!
>
> We are doing a project for our university and we have a problem
> concerning the Kerberos 5 Loginmodul from sun.
>
> We are using the class com.sun.security.auth.module.Krb5LoginModule in
> our Java project. We have configured the krb5.ini file as it is
> described under http://www.lns.cornell.edu/public/COMP/krb5/admin/admin_3.html#SEC16.
>
> Actually, it runs well in our testdomain but not in the real domain in
> our university (both are Windows 2000 Domains with Windows 2000 and
> Windows XP workstations).
>

This type of problem can be caused by several things, but I suspect
it is from either:

1. If the principals you are authenticating against are migrated from
an NT domain, there is only hmac_rc4 key material in the KDC. Sun, and
most others only supports DES. If you change the password for the
principal you will get DES key material, and all should be good.

or

2. The principal is member of many groups. Microsoft adds group and
other information to the ticket. If the ticket is larger than a UDP
packet the KDC goes into TCP mode, which Sun does not support. You can
not do much about this, except use an implementation which does
support TCP failover, or turn off pre-authentication.

Derek

0 new messages