Kerberos RC4-HMAC Checksum Failed using Java 6 and Windows 2003/XP

I am trying to get my IE6 client (running on XP) to authenticate to my JBoss server (on 2003) using the Active Directory on a 2003 box. I am using Java 6 Beta 2. My krb5.ini file is:

[libdefaults]

default_realm = DEVEL.OPENROADSCONSULTING.COM

default_tgs_enctypes = RC4-HMAC

default_tkt_enctypes = RC4-HMAC

[kadmin]

default_keys = v5 arcfour-hmac-md5

[realms]

DEVEL.OPENROADSCONSULTING.COM ={

kdc = interchange

kdc = 192.168.100.101

admin_server = interchange

default_domain = devel.openroadsconsulting.com

}

[domain_realm]

.devel.openroadsconsulting.com = DEVEL.OPENROADSCONSULTING.COM

[appdefaults]

autologin =true

forward =true

forwardable =true

encrypt =true

My JBoss authenticates itself with the AD and my IE6 does the same. However, when I try to have the IE client authenticate with JBoss, I get the following error:

2006-08-14 11:48:44,920 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW

2006-08-14 11:48:44,920 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

2006-08-14 11:48:44,920 ERROR [STDERR] Checksum failed !

2006-08-14 11:48:44,920 ERROR [STDERR] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException

2006-08-14 11:48:44,920 ERROR [STDERR] at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)

2006-08-14 11:48:44,920 ERROR [STDERR] at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)

2006-08-14 11:48:44,920 ERROR [STDERR] at jcifs.spnego.Authentication.process(Authentication.java:235)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.jboss.web.tomcat.security.NegotiateUtil.extractUserId(NegotiateUtil.java:161)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.jboss.web.tomcat.security.HttpServletRequestResponseValve.authenticate(HttpServletRequestResponseValve.java:98)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.jboss.web.tomcat.security.HttpServletRequestResponseValve.invoke(HttpServletRequestResponseValve.java:70)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

2006-08-14 11:48:44,920 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

2006-08-14 11:48:44,998 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)

2006-08-14 11:48:44,998 ERROR [STDERR] at java.lang.Thread.run(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: java.lang.reflect.InvocationTargetException

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at jcifs.spnego.Authentication.processKerberos(Authentication.java:430)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 16 more

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException

2006-08-14 11:48:44,998 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)

2006-08-14 11:48:44,998 ERROR [STDERR] at javax.security.auth.Subject.doAsPrivileged(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 21 more

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: java.lang.reflect.InvocationTargetException

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:517)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 23 more

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 28 more

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: KrbException: Checksum failed

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.EncryptedData.decrypt(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.KrbApReq.authenticate(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.KrbApReq.<init>(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 31 more

2006-08-14 11:48:44,998 ERROR [STDERR] Caused by: java.security.GeneralSecurityException: Checksum failed

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)

2006-08-14 11:48:44,998 ERROR [STDERR] ... 37 more

I loaded Ethereal and got the following authentication packet via HTTP:

No.TimeSourceDestinationProtocol Info

4310 4.782602192.168.100.125192.168.100.127HTTPGET /VicadsAdmin/GetFrontPage.event HTTP/1.1

Frame 4310 (686 bytes on wire, 686 bytes captured)

Ethernet II, Src: Dell_a6:00:f2 (00:13:72:a6:00:f2), Dst: Dell_63:73:e5 (00:13:72:63:73:e5)

Internet Protocol, Src: 192.168.100.125 (192.168.100.125), Dst: 192.168.100.127 (192.168.100.127)

Transmission Control Protocol, Src Port: 1081 (1081), Dst Port: 8080 (8080), Seq: 1461, Ack: 1, Len: 632

Reassembled TCP Segments (2092 bytes): #4309(1460), #4310(632)

Hypertext Transfer Protocol

GET /VicadsAdmin/GetFrontPage.event HTTP/1.1\r\n

Request Method: GET

Request URI: /VicadsAdmin/GetFrontPage.event

Request Version: HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n

Accept-Language: en-us\r\n

Accept-Encoding: gzip, deflate\r\n

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n

Host: vicads0:8080\r\n

Connection: Keep-Alive\r\n

Authorization: Negotiate YIIFDgYGKwYBBQUCoIIFAjCCBP6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBNQEggTQYIIEzAYJKoZIhvcSAQICAQBuggS7MIIEt6ADAgEFoQMCAQ6iBwMFACAAAACjggPUYYID0DCCA8ygAwIBBaEfGx1ERVZFTC5PUEVOUk9BRFNDT05TVUxUSU5HLkNPTa

GSS-API Generic Security Service Application Program Interface

OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)

SPNEGO

negTokenInit

mechTypes: 3 items

Item: 1.2.840.48018.1.2.2 (MS KRB5 - Microsoft Kerberos 5)

Item: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)

Item: 1.3.6.1.4.1.311.2.2.10 (NTLMSSP - Microsoft NTLM Security Support Provider)

mechToken: 608204CC06092A864886F71201020201006E8204BB308204...

krb5_blob: 608204CC06092A864886F71201020201006E8204BB308204...

KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)

krb5_tok_id: KRB5_AP_REQ (0x0001)

Kerberos AP-REQ

Pvno: 5

MSG Type: AP-REQ (14)

Padding: 0

APOptions: 20000000 (Mutual required)

.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket

..1. .... .... .... .... .... .... .... = Mutual required: MUTUAL authentication is REQUIRED

Ticket

Tkt-vno: 5

Realm: DEVEL.OPENROADSCONSULTING.COM

Server Name (Service and Instance): HTTP/vicads0.devel.openroadsconsulting.com

Name-type: Service and Instance (2)

Name: HTTP

Name: vicads0.devel.openroadsconsulting.com

enc-part rc4-hmac

Encryption type: rc4-hmac (23)

Kvno: 2

enc-part: 05709AD578CD120E1292C1123131A078DEA84E68D6DE4AE8...

Authenticator rc4-hmac

Encryption type: rc4-hmac (23)

Authenticator data: 2AA7237E8F20DBA7090E3630FCF01EB7D29780CAEF6E8053...

\r\n

I am suspicious of the APOptions not to use the session key but I cannot find how to change this (I have tried setting AllowTgtSessionKey to 1 but this does not change anything).

I've been beeting my head against the wall for a solid 3 days, can anyone please help me?

Thanks, David

[10697 byte] By [kc7bfia] at [2007-10-3 2:43:34]

Java programming resources: FAQs, tutorials, compiler and browser download sites, documentation, books lists, IDEs, etc.

Kerberos RC4-HMAC Checksum Failed using Java 6 and Windows 2003/XP

Security New Topic

Security Hot Topic

Security

All Classified