GSS-Kerberos authentication failure: Identifier doesn't match expected value

Hi,

I am trying to use the Java GSS API (JDK 1.5) to perform Kerberos authentication on a Windows 2003 server. I am following the steps specified in the JDK docs.

I am receiving the following error while calling login on LoginContext:

Debug istrue storeKeytrue useTicketCachefalse useKeyTabfalse doNotPromptfalse ticketCache isnull KeyTab isnull refreshKrb5Config isfalse principal isnull tryFirstPass isfalse useFirstPass isfalse storePass isfalse clearPass isfalse
[Krb5LoginModule] user entered username: kagupta
principal is kagupta@COMPANY.COM
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 89 5E 32 E5 B3 07 40 01
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 89 5E 32 E5 B3 07 40 01
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 6C 7C 29 0C 7E E7 2D 6C93 19 EE 6A AB 53 42 7F l.)...-l...j.SB.
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: BA 5D 5D 4F C1 8A E9 A2C4 51 1C 6B BC 7A 23 8A .]]O.....Q.k.z#.
0010: 6B 54 49 75 E3 08 1A F8
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 94 B1 EA E7 4F 28 B8 2526 A2 B6 6A 79 93 00 29 ....O(.%&..jy..)
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
>>> GSSServer... Secure Context not established..
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at GSSServer.startServer(GSSServer.java:92)
    at GSSServer.main(GSSServer.java:66)
Caused by: KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
    at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
    ... 14 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.init(Unknown Source)
    at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
    ... 17 more

Please help me.

Thanks,

Kapil

[3488 byte] By [kapilgupta77a] at [2007-10-3 1:24:25]
# 1

This issue has been resolved. I was entering the domain name in lower case.

Now I am receiving another error while establishing a connection with the server program:

Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    at GSSServer.run(GSSServer.java:135)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
    at GSSServer.startServer(GSSServer.java:94)
    at GSSServer.main(GSSServer.java:67)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    at sun.security.krb5.KrbApReq.a(DashoA12275:261)
    at sun.security.krb5.KrbApReq.<init>(DashoA12275:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
    ... 7 more

What could be the cause of this error?

kapilgupta77a at 2007-7-14 18:21:44 > top of Java-index,Security,Kerberos & Java GSS (JGSS)...
# 2

Your Active Directory account is configured to use the default encryption type on Windows (RC4-HMAC). You can either switch to DES, by selecting "use DES encryption" in the AD account settings, or upgrade the JDK used in order to use the RC4-HMAC encryption type. If you switch to DES, make sure you reset the password used.

Java GSS/Kerberos provides support for RC4-HMAC encryption type starting from Java SE 6, and J2SE 5.0 Update 7.

Seema

Seema-1a at 2007-7-14 18:21:44
# 3
Hi Seema,

Thanks for your reply. I am still receiving the same error even after using the DES encryption and updating the password. Will try the second option of upgrading to JDK 5 update 7.

Thanks,

Kapil

kapilgupta77a at 2007-7-14 18:21:44
# 4

After updating to JDK 5 update 7, I am receiving the following exception:

Checksum failed !
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at GSSServer.run(GSSServer.java:135)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Unknown Source)
    at GSSServer.startServer(GSSServer.java:94)
    at GSSServer.main(GSSServer.java:67)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
    at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    at sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    at sun.security.krb5.KrbApReq.<init>(Unknown Source)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    ... 8 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
    ... 14 more

kapilgupta77a at 2007-7-14 18:21:44
# 5

In order to use RC4-HMAC, you'll need to update the Kerberos configuration file to specify the encryption type. In addition, update your Java application to specify the Kerberos configuration file via the system property -Djava.security.krb5.conf

[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

If you are using keytabs, you'll need to update the keys in the keytab.

Here are the details on Java GSS features:

http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

Seema

Seema-1a at 2007-7-14 18:21:44
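
A pre-flight check for the settings this thread ran into, as an added example that is not part of any post or of the JDK: it flags a principal whose realm is not upper case (the cause reported in reply #1) and a krb5.conf whose [libdefaults] does not list rc4-hmac (reply #5), then builds a keytab-based JAAS entry using option names shown in the Krb5LoginModule debug line. The class name, service principal, and sample krb5.conf text are hypothetical.

```java
import java.io.*;
import java.util.*;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class AcceptorPreflight {
    // Problems found in the settings this thread tripped over; an empty list means none found.
    static List<String> check(String principal, Reader krb5Conf) throws IOException {
        List<String> problems = new ArrayList<>();
        int at = principal.lastIndexOf('@');
        String realm = at < 0 ? "" : principal.substring(at + 1);
        if (realm.isEmpty() || !realm.equals(realm.toUpperCase(Locale.ROOT)))
            problems.add("realm missing or not upper case: '" + realm + "'");
        Map<String, String> libdefaults = new HashMap<>();
        String section = "", line;
        BufferedReader in = new BufferedReader(krb5Conf);
        while ((line = in.readLine()) != null) {
            line = line.trim();
            if (line.startsWith("[")) section = line;
            else if (section.equals("[libdefaults]") && !line.startsWith("#") && line.contains("=")) {
                String[] kv = line.split("=", 2);
                libdefaults.put(kv[0].trim(), kv[1].trim());
            }
        }
        for (String key : new String[] {"default_tkt_enctypes", "default_tgs_enctypes"}) {
            String v = libdefaults.get(key);
            if (v == null || !Arrays.asList(v.split("[\\s,]+")).contains("rc4-hmac"))
                problems.add(key + " does not list rc4-hmac");
        }
        return problems;
    }
    // JAAS entry for the accepting side; pass it to new LoginContext(name, subject, handler, config).
    static Configuration keytabLogin(String principal, String keytabPath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytabPath);
        opts.put("storeKey", "true");   // keeps the service key in the Subject for acceptSecContext
        opts.put("principal", principal);
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }
    public static void main(String[] args) throws IOException {
        // Constructed input: lower-case realm and a krb5.conf missing the tgs line.
        String conf = "[libdefaults]\n default_tkt_enctypes = rc4-hmac\n";
        System.out.println(check("gssserver/host.company.com@company.com", new StringReader(conf)));
    }
}
```

The keys in the keytab handed to keytabLogin must match the account's current password and encryption type, which is why reply #5 says to update them.
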
# 6
Have you resolved this problem? I'm having the same trouble. David
kc7bfia at 2007-7-14 18:21:44