Authentication via Kerberos5: Pre-authentication information wasinvalid (24)

Hallo,

I'm trying to authenticate users from within a Java application against
an Active Directory. Therefore I use JAAS from Sun and the contained
Kerberos5-LoginModule.

For some of the users this works fine, others are rejected with the
following error:

<stacktrace>

javax.security.auth.login.LoginException: Pre-authentication information
was invalid (24)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Un
known Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown
Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown
Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(Unknown
Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at
com.aidossoftware.security.auth.orion.UserManager$UserWrapper.authent
icate(UserManager.java:232)
at com.evermind._ax._ltc(.:417)
at com.evermind._ax._uab(.:191)
at com.evermind._bf.run(.:62)
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 16 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(Unknown Source)
at sun.security.krb5.internal.at.a(Unknown Source)
at sun.security.krb5.internal.at.<init>(Unknown Source)
... 19 more

javax.security.auth.login.LoginException: Pre-authentication information
was invalid (24)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Un
known Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown
Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown
Source)
at javax.security.auth.login.LoginContext$4.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(Unknown
Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at
com.aidossoftware.security.auth.orion.UserManager$UserWrapper.authent
icate(UserManager.java:232)
at com.evermind.server.http.EvermindHttpServletRequest._wwd(.:3298)
at com.evermind._ay._mae(.:5385)
at com.evermind._ay._nlc(.:2164)
at com.evermind._ay._kfe(.:4133)
at com.evermind._eu._nlc(.:294)
at com.evermind._ay.getRequestDispatcher(.:921)
at
com.evermind.server.http.EvermindHttpServletResponse.sendRedirect(.:1
347)
at com.evermind._ax._ltc(.:468)
at com.evermind._ax._uab(.:191)
at com.evermind._bf.run(.:62)
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 23 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(Unknown Source)
at sun.security.krb5.internal.at.a(Unknown Source)
at sun.security.krb5.internal.at.<init>(Unknown Source)
... 26 more

</stacktrace>

I can not find any significant or systematic differences between the
users that are authenticated and the ones that can not be authenticated.

Can anybody explain this effect to me and give hints what I have to fix?
A post in a java group did not bring answers...

Thanks,
Jens

 

Interesting.

I'd guess that this page holds the answer:
http://www.wedgetail.com/jcsi/examples/JCSI-Kerberos-JAAS-Example.html

Note that the JAAS module is case-sensitive when it comes to the realm.

Al

 

Al,

thank you for the link.

I found out what the problem was in my case. Those users, who still had
the password that was given when the user was created, could not
authenticate.
The users who have changed their password at least once, could be
authenticated successfully.

I can not explain this effect, but it's okay if I know how to handle.

Jens

 

That makes sense to some degree. Your application would have to handle the
'change password on next logon' scenario for this and for users that are
required to change their password at next logon for other reasons. That's a
normal part of the lifecycle in most organizations.

Interesting though.