[Freeipa-users] Authentication Failure from Java - LoginException PREAUTH_FAILED

Darran Lofthouse darran.lofthouse at jboss.com
Fri Jun 1 14:56:54 UTC 2012


On 06/01/2012 03:49 PM, Rob Crittenden wrote:
> Darran Lofthouse wrote:
>> On 05/31/2012 03:17 PM, Simo Sorce wrote:
>>> Darran,
>>> I think you may need to download "Java Cryptography Extension (JCE)
>>> Unlimited Strength Jurisdiction Policy Files 7"
>>> See here:
>>> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>>
>>> Apparently AES is not fully supported unless you have the JCE which is
>>> not distributed by default due to restrictions on export as far as I can
>>> understand.
>>
>> Thank you for your reply Simo, I have actually been testing this both
>> with and without the unlimited strength policy - the error message is
>> the same in both cases, the only difference is that without the policy
>> in place aes128 is selected instead of aes256.
>>
>>> If you prefer to restrict yourself to rc4-hmac, see the ipa-getkeytab
>>> man page on how to explicitly request a set of enctypes on a new keytab.
>>> Please remember that running ipa-getkeytab will invalidate your previous
>>> keys.
>>
>> Also to clarify at this stage I am supplying a username and password in
>> the client - I wanted to get that working first before switching it to a
>> keytab.
>
> You might want to check the KDC logs to see if it has any more details
> on the failure.

Unfortunately, no more detail than in the exception. I think I am at the
point where I am going to manually try to re-create that field myself.
There have been other reports of incorrect salt selection, but that was
always against older versions of Java, so I think I need to start looking
more closely at how the field is actually generated.

> rob
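
The following is an added example, not part of the original message or of FreeIPA or Java code. It shows why salt selection matters for the AES enctypes discussed above: the password and salt feed the PBKDF2 stage of the RFC 3962 string-to-key, so a client that picks a different salt than the KDC derives a different key. The realm and principal names are constructed sample values, and the function names are hypothetical.

```python
import hashlib


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: the realm followed by the principal's name
    components, concatenated without separators. It is case-sensitive."""
    return (realm + principal.replace("/", "")).encode("utf-8")


def aes_string_to_key_stage1(password: str, salt: bytes, key_len: int,
                             iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key.

    key_len is 16 for aes128-cts-hmac-sha1-96 and 32 for aes256.
    The final key is DK(result, "kerberos"). That step needs AES, which the
    standard library lacks, so it is omitted here; it is deterministic, so a
    different result at this stage gives a different final key.
    4096 is the RFC 3962 default iteration count.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, key_len)


def salts_agree(password: str, kdc_salt: bytes, client_salt: bytes,
                key_len: int = 16, iterations: int = 4096) -> bool:
    """True when both salts lead to the same stage-1 value."""
    kdc = aes_string_to_key_stage1(password, kdc_salt, key_len, iterations)
    client = aes_string_to_key_stage1(password, client_salt, key_len, iterations)
    return kdc == client


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    password = "Secret123"
    kdc_salt = default_salt("EXAMPLE.COM", "alice")
    candidates = {
        "same salt": default_salt("EXAMPLE.COM", "alice"),
        "lower-case realm": default_salt("example.com", "alice"),
        "different principal name": default_salt("EXAMPLE.COM", "asmith"),
    }
    for label, salt in candidates.items():
        for key_len in (16, 32):  # aes128, aes256
            ok = salts_agree(password, kdc_salt, salt, key_len)
            print(f"{label:26} key_len={key_len:2} match={ok}")
```

The salt a KDC expects for a principal is returned in the ETYPE-INFO2 pre-authentication data of its pre-authentication-required error, so a packet capture of that reply gives the value to compare against.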
