Authentication via Kerberos5: Pre-authentication information wasinvalid (24)

Discussion in 'Active Directory' started by Jens Kutschke, Aug 30, 2004.

  1. Hallo,

    I'm trying to authenticate users from within a Java application against
    an Active Directory. Therefore I use JAAS from Sun and the contained
    Kerberos5-LoginModule.

    For some of the users this works fine, others are rejected with the
    following error:

    <stacktrace>

    javax.security.auth.login.LoginException: Pre-authentication information
    was invalid (24)
    at
    com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Un
    known Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown
    Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown
    Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(Unknown
    Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at
    com.aidossoftware.security.auth.orion.UserManager$UserWrapper.authent
    icate(UserManager.java:232)
    at com.evermind._ax._ltc(.:417)
    at com.evermind._ax._uab(.:191)
    at com.evermind._bf.run(.:62)
    Caused by: KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
    at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
    ... 16 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(Unknown Source)
    at sun.security.krb5.internal.at.a(Unknown Source)
    at sun.security.krb5.internal.at.<init>(Unknown Source)
    ... 19 more

    javax.security.auth.login.LoginException: Pre-authentication information
    was invalid (24)
    at
    com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Un
    known Source)
    at com.sun.security.auth.module.Krb5LoginModule.login(Unknown
    Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown
    Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(Unknown
    Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at
    com.aidossoftware.security.auth.orion.UserManager$UserWrapper.authent
    icate(UserManager.java:232)
    at com.evermind.server.http.EvermindHttpServletRequest._wwd(.:3298)
    at com.evermind._ay._mae(.:5385)
    at com.evermind._ay._nlc(.:2164)
    at com.evermind._ay._kfe(.:4133)
    at com.evermind._eu._nlc(.:294)
    at com.evermind._ay.getRequestDispatcher(.:921)
    at
    com.evermind.server.http.EvermindHttpServletResponse.sendRedirect(.:1
    347)
    at com.evermind._ax._ltc(.:468)
    at com.evermind._ax._uab(.:191)
    at com.evermind._bf.run(.:62)
    Caused by: KrbException: Pre-authentication information was invalid (24)
    at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
    at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
    at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
    ... 23 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.af.a(Unknown Source)
    at sun.security.krb5.internal.at.a(Unknown Source)
    at sun.security.krb5.internal.at.<init>(Unknown Source)
    ... 26 more

    </stacktrace>

    I can not find any significant or systematic differences between the
    users that are authenticated and the ones that can not be authenticated.

    Can anybody explain this effect to me and give hints what I have to fix?
    A post in a java group did not bring answers...

    Thanks,
    Jens
     
    Jens Kutschke, Aug 30, 2004
    #1
    1. Advertisements

  2. Jens Kutschke

    Al Mulnick Guest

    Al Mulnick, Aug 30, 2004
    #2
    1. Advertisements

  3. Al,

    thank you for the link.

    I found out what the problem was in my case. Those users, who still had
    the password that was given when the user was created, could not
    authenticate.
    The users who have changed their password at least once, could be
    authenticated successfully.

    I can not explain this effect, but it's okay if I know how to handle.

    Jens
     
    Jens Kutschke, Aug 31, 2004
    #3
  4. Jens Kutschke

    Al Mulnick Guest

    That makes sense to some degree. Your application would have to handle the
    'change password on next logon' scenario for this and for users that are
    required to change their password at next logon for other reasons. That's a
    normal part of the lifecycle in most organizations.

    Interesting though.
     
    Al Mulnick, Sep 1, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.