Error 906 authenticating locked account in AD

I am authenticating users using JAAS/Kerberos against Active Directory.

(Java 6 on Windows XP professional).

It works fine for all scenarios except when trying to authenticate a locked account.

I purposely locked an account to get the error code returned so that I can display a "your account is locked" message to the user.

But instead of a useful error code, I'm getting

"Identifier doesn't match expected value (906)"

I can see from the debug messages that AD is in fact returning the error code I want (Clients credentials have been revoked (18)), but it's getting lost in translation.

Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
17:44:17,562 INFO [STDOUT] [Krb5LoginModule] user entered username: locked_user
17:44:17,562 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
17:44:17,562 INFO [STDOUT] default etypes for default_tkt_enctypes:
17:44:17,562 INFO [STDOUT] 3
17:44:17,562 INFO [STDOUT] 1
17:44:17,562 INFO [STDOUT] 23
17:44:17,562 INFO [STDOUT] 16
17:44:17,562 INFO [STDOUT] 17
17:44:17,562 INFO [STDOUT] .
17:44:17,671 INFO [STDOUT] Acquire TGT using AS Exchange
17:44:17,671 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
17:44:17,671 INFO [STDOUT] default etypes for default_tkt_enctypes:
17:44:17,671 INFO [STDOUT] 3
17:44:17,671 INFO [STDOUT] 1
17:44:17,671 INFO [STDOUT] 23
17:44:17,671 INFO [STDOUT] 16
17:44:17,671 INFO [STDOUT] 17
17:44:17,671 INFO [STDOUT] .
17:44:17,687 INFO [STDOUT] >>> KrbAsReq calling createMessage
17:44:17,687 INFO [STDOUT] >>> KrbAsReq in createMessage
17:44:17,687 INFO [STDOUT] >>> KrbKdcReq send: kdc=ad.mydomain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
17:44:17,687 INFO [STDOUT] >>> KDCCommunication: kdc=ad.mydomain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
17:44:17,687 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=123
17:44:17,687 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=123
17:44:17,687 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
17:44:17,687 INFO [STDOUT] >>>KRBError:
17:44:17,687 INFO [STDOUT] sTime is Thu Jul 12 17:45:36 EDT 2007 1184276736000
17:44:17,687 INFO [STDOUT] suSec is 912064
17:44:17,687 INFO [STDOUT] error code is 18
17:44:17,687 INFO [STDOUT] error Message is Clients credentials have been revoked
17:44:17,687 INFO [STDOUT] realm is MYDOMAIN.COM
17:44:17,687 INFO [STDOUT] sname is krbtgt/MYDOMAIN.COM
17:44:17,687 INFO [STDOUT] eData provided.
17:44:17,687 INFO [STDOUT] msgType is 30
17:44:17,687 INFO [STDOUT] [Krb5LoginModule] authentication failed
Identifier doesn't match expected value (906)
17:44:17,812 ERROR [JaasAuthenticationProvider] error logging in
javax.security.auth.login.LoginException: Identifier doesn't match expected value (906)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.PAData.<init>(PAData.java:80)
    at sun.security.krb5.internal.KRBError.<init>(KRBError.java:192)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 47 more

To debug the problem, I downloaded PAData.java and KRBError.java from the OpenJDK project and added them to my bootclasspath.

What I found was that the code was trying to make a KRBError instance for the correct error message (error 18), but there was "eData" in the message returned from AD.

It passes this data (in a DerValue object) to the PAData class constructor to parse. The PAData class calls DerValue.getTag() and this returns a value of -95. But if the value is anything but the constant "DerValue.tag_Sequence" (48), then PAData throws a new Kerberos Exception with "Identifier doesn't match expected value (906)", which ends up trumping the original error.

I was able to work around this problem by patching PAData to ignore the invalid tag error, but this is not a solution I would like to stick with since it means patching a core class.

Has anyone run into this problem before? Is the problem on the Java side or the AD side? Any ideas how to work around without resorting to patching the PAData class?

Thanks,

Christopher Pierce

[6020 byte] By [cpierce_platinumsolutionsa] at [2007-11-27 10:27:15]
# 1

Java side.

RFC 4120 says the e-data is a SEQUENCE OF PA-DATA only when the error code is 25 (or 24? I forget). Here it's 18, so it shouldn't be parsed the PA-DATA way.

Report a bug and it will get fixed in an upcoming update release.

wangwja at 2007-7-28 17:44:26
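The parse path from the question (the e-data handed to the PA-DATA parser, whose tag of -95 is rejected) and the rule from the reply, as an added example in Python that is not code from the thread or from the JDK: a small DER reader that treats e-data as METHOD-DATA only for error code 25 and keeps it opaque otherwise, so error 18 surfaces as the message the poster wanted instead of the 906 exception. The KERB-ERROR-DATA layout used for the constructed AD-style blob is assumed from MS-KILE; all byte strings are constructed for the demo.

```python
# Added example (not from the thread or the JDK); all byte strings are constructed.
TAG_SEQUENCE = 0x30
KDC_ERR_PREAUTH_REQUIRED = 25
KDC_ERRORS = {                        # RFC 4120 section 7.5.9 codes seen on an AD logon
    18: "Clients credentials have been revoked",   # what AD returns for a locked account
    23: "Password has expired",
    25: "Additional pre-authentication required",
}
def der_read(buf):
    """Split one DER TLV: returns (tag, contents, remaining bytes)."""
    tag, n, hdr = buf[0], buf[1], 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, hdr = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[hdr:hdr + n], buf[hdr + n:]

def der_children(buf):
    out = []                          # (tag, contents) pairs inside a constructed value
    while buf:
        tag, val, buf = der_read(buf)
        out.append((tag, val))
    return out

def parse_pa_data(tag, contents):
    """PA-DATA ::= SEQUENCE { padata-type [1] INTEGER, padata-value [2] OCTET STRING }"""
    if tag != TAG_SEQUENCE:           # the check that trips on AD's e-data (tag 0xA1 = -95)
        raise ValueError("Identifier doesn't match expected value (906)")
    fields = dict(der_children(contents))
    return int.from_bytes(der_read(fields[0xA1])[1], "big"), der_read(fields[0xA2])[1]

def parse_edata(error_code, edata, always_method_data=False):
    """RFC 4120 5.9.1: e-data is METHOD-DATA (SEQUENCE OF PA-DATA) only for error 25;
    otherwise keep it opaque. always_method_data=True reproduces the Java 6 behaviour."""
    if error_code != KDC_ERR_PREAUTH_REQUIRED and not always_method_data:
        return {"raw_edata": edata}
    _, body, _ = der_read(edata)
    return {"pa_data": [parse_pa_data(t, v) for t, v in der_children(body)]}

def login_failure_message(error_code, edata, legacy=False):
    """Text a login form could show; with legacy=True the DER mismatch masks the KDC error."""
    try:
        parse_edata(error_code, edata, always_method_data=legacy)
    except ValueError as exc:
        return str(exc)
    return KDC_ERRORS.get(error_code, "Kerberos error %d" % error_code)

# EDATA_LOCKED mimics AD's KERB-ERROR-DATA (layout assumed from MS-KILE: SEQUENCE { data-type
# [1] INTEGER, data-value [2] OCTET STRING }); EDATA_PREAUTH is METHOD-DATA with one PA-DATA.
EDATA_LOCKED = bytes.fromhex("300DA103020103A2060404DEADBEEF")
EDATA_PREAUTH = bytes.fromhex("300B3009A103020102A2020400")
```

Calling login_failure_message(18, EDATA_LOCKED, legacy=True) reproduces the 906 message from the question; without legacy it returns the revoked-credentials text.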