[Freeipa-users] Authentication Failure from Java - LoginException PREAUTH_FAILED

Simo Sorce simo at redhat.com
Thu May 31 14:17:10 UTC 2012 

On Thu, 2012-05-31 at 10:28 +0100, Darran Lofthouse wrote:
> My apologies if this has already been discussed somewhere, I have tried 
> a number of searches to see if this is either a known issue or common 
> error on the client side but so far only found references to Java issues 
> that should have been resolved a long time ago.
> 
> I have a Red Hat server running in Amazon EC2 with IPA 
> ipa-server-2.1.3-9.el6.x86_64 installed - I have an admin user and a 
> test_user defined.
> 
>  From my local machine using kinit works without error.
> 
> I have developed a test Java client to make use of the Krb5LoginModule, 
> I am currently debugging further but thought I would mail this in 
> parallel in case I am missing something obvious but I keep getting the 
> failure that is at the bottom of this message.
> 
> This failure is reported when using java-1.7.0-openjdk-1.7.0.3.x86_64 - 
> however I have also tried using various Oracle JDKs, both 6 and 7.
> 
> I know the password is correct as verified using kinit, also if I use 
> jdk1.6.0_30 AND set the system property for Kerberos debugging to true 
> on the client it works.
> 
> The only difference I currently see between the failure scenario and 
> success scenario is that for success rc4-hmac is selected for the 
> PA-ENC-TIMESTAMP for the failure scenario here aes256-cts-hmac-sha1-96 
> is selected instead.
> 
> For the work I am currently using IPA for I could just force the use of 
> rc4-hmac but would really like to get to the bottom of the cause of this.
> 
> Looking forward to any ideas.
> 
> Regards,
> Darran Lofthouse.
> 
> 
> Exception in thread "main" javax.security.auth.login.LoginException: 
> Integrity check on decrypted field failed (31) - PREAUTH_FAILED
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:759)
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:601)
> 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
> 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
> 	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at 
> javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
> 	at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
> 	at 
> com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
> 	at 
> com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:136)
> Caused by: KrbException: Integrity check on decrypted field failed (31) 
> - PREAUTH_FAILED
> 	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
> 	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
> 	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
> 	at 
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:721)
> 	... 14 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
> 	at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
> 	at sun.security.krb5.internal.ASRep.<init>(ASRep.java:60)
> 	at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
> 	... 17 more

Darran,
I think you may need to download "Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7"
See here:
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Apparently AES is not fully supported unless you have the JCE which is
not distributed by default due to restrictions on export as far as I can
understand.

If you prefer to restrict your self to rc4-hmac, see the ipa-getkeytab
man page on how to explicitly request a set of enctypes on a new keytab.
Please remember that running ipa-getkeytab will invalidate your previous
keys.


HTH.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list