Kerberos 5 Loginmodule: Pre-authentication information was invalid
Pálfi Miklós
palfi.miklos at alerant.hu
Thu Jul 7 02:45:58 EDT 2005
Hi!
We are doing a project in which we need to authenticate windows users to WebLogic
with SPNEGO. There is an Authentication provider in WebLogic (on linux) which
handles all necessary negotiate things (with the standard GSS interface from Sun), a
configured Active Directory, and a properly configured Internet Explorer 6.
We have enabled all possible logs to gather as much information as we can. The
result is below. (Please give a moment for that!)
What I found out of this log is the following:
- Explorer and WebLogic know that SPNEGO authentication is needed (server receives
SPNEGO token)
- principal name was found and matched in the keytab, and its key was obtained from
there
- AD server was found, and communication was proper
- Authenticaton failed. (I am a bit curious about why sname is krbtgt/MY.HOST.COM.)
I think we are really close to the solution, please post every idea what you have!
Many thanks in advance!
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 130>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: num octets is 2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 1219>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: SPNEGO static oid 0: 0606 2b06 0105 0502
..+.....
>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: SPNEGO in oid 0: 0606 2b06 0105 0502 ..+.....
>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Neg token found>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 130>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: num octets is 2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 1207>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: len of neg token 1207>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: sequence found>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 130>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: num octets is 2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 1203>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: len of sequence token 1203>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: choice is 160>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 36>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 36>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: len of mech type 36>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 34>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 34>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: len of mech type seq 34>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: mech type offset 24>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000> <mech type
token 16: 0609 2a86 4882 f712 ..*.H...
32: 0102 0206 092a 8648 86f7 1201 0202 060a .....*.H........
48: 2b06 0104 0182 3702 020a +.....7...
>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.48018.1.2.2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Mech list oid 1.2.840.113554.1.2.2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Mech list oid 1.3.6.1.4.1.311.2.2.10>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 130>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: num octets is 2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 1161>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Mech token len 1161>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: b is 130>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: num octets is 2>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.getLengthDER: len is 1157>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000>
<SPNEGONegotiateToken.discriminate: Mech token
0: 6082 0481 0609 2a86 4886 f712 0102 0201 `.....*.H.......
16: 006e 8204 7030 8204 6ca0 0302 0105 a103 .n..p0..l.......
32: 0201 0ea2 0703 0500 2000 0000 a382 039c ........ .......
48: 6182 0398 3082 0394 a003 0201 05a1 111b a...0...........
64: 0f45 4c4f 5445 542e 4552 5354 452e 4855 .ELOTET.ERSTE.HU
80: a228 3026 a003 0201 02a1 1f30 1d1b 0448 .(0&.......0...H
96: 5454 501b 1561 6c65 7261 6e74 322e 706f TTP..alerant2.po
112: 7374 6162 616e 6b2e 6875 a382 034e 3082 stabank.hu...N0.
128: 034a a003 0201 03a1 0302 0106 a282 033c .J.............><
144: 0482 0338 f53b 57d0 2613 e30e a7ac d41c ...8.;W.&.......
160: 5d8a 3b0f f9e8 4fe1 cfce ef6f c227 5c24 ].;...O....o.'\$
176: 3945 d27e ef3a 8555 7e4e 505d 75fb ced3 9E.~.:.U~NP]u...
192: 0db3 741e db23 c57d e252 88ff b738 08b8 ..t..#.}.R...8..
208: 3a6e f250 0426 59c4 c181 0393 4259 7ab1 :n.P.&Y.....BYz.
224: de88 f6b0 e64d af6c 3146 1207 2873 7dae .....M.l1F..(s}.
240: 29e5 5c1b f816 7407 5615 693e 0cba 2368 ).\...t.V.i>..#h
256: 017e 4a33 9add 92a6 3862 89a4 4f7e e320 .~J3....8b..O~.
272: dd39 d09e f7fd ff3b 78f2 bf58 c2a6 9c4c .9.....;x..X...L
288: 594c 2123 d649 20f3 e8bb 9b38 2ec5 3d93 YL!#.I ....8..=.
304: 6b15 9839 0d37 b862 1293 a1e3 294c 89be k..9.7.b....)L..
320: 7c77 2786 58bf 4674 029e cf8e 05cb 5527 |w'.X.Ft......U'
336: 6938 fbb9 fe72 2196 1eea 4eac eb85 072c i8...r!...N....,
352: 0659 8ecd 6a18 8429 1b16 9a0e 32cf 7fca .Y..j..)....2...
368: cc5e cab3 9ee3 0e47 97dd 04cb 1efe 5404 .^.....G......T.
384: 40a1 013e 01d8 9a98 8ad1 901d 9cac ad95 @..>............
400: adf3 fbec 171f 303c 8d5f 1bbc f83b 0d54 ......0<._...;.T
416: fc36 09fd 43cd d530 8038 766c 6352 791a .6..C..0.8vlcRy.
432: a30e 1a71 0099 d59a 3763 0d49 1a25 7466 ...q....7c.I.%tf
448: 1f37 dbf8 171d d19c 36cb 8eb5 a43a c67a .7......6....:.z
464: bb99 a572 da4c 7e4d e39d d6d5 7302 2b91 ...r.L~M....s.+.
480: ca0a c62d ba5a 99f8 336f e180 a30f 2890 ...-.Z..3o....(.
496: 3af7 af2e 5216 e6bb bab2 9ef7 5d52 03d0 :...R.......]R..
512: b1f6 8ddf a471 9f7f fadd ba04 da4c 84a4 .....q.......L..
528: 60a2 cc9b eec8 b010 7e6d a278 e297 d35c `.......~m.x...\
544: 0d6d a8c7 511d e3fb 9bf0 ce2a 0695 7964 .m..Q......*..yd
560: 3486 60f1 0b98 b403 15c6 116a 4733 69e6 4.`........jG3i.
576: 62b6 6b9b 37c4 9163 e69f 8196 a464 90af b.k.7..c.....d..
592: 6013 1790 2ff7 117c db0b 945b aad3 4792 `.../..|...[..G.
608: 48aa a416 5852 6d0c 337c 78be aee6 a719 H...XRm.3|x.....
624: f6f9 0e84 a3f7 b6e4 1db9 b43e 03a4 2e79 ...........>...y
640: c660 3c6a 186d 61be 2b1b d33e 4d9d 1559 .`<j.ma.+..>M..Y
656: bce4 505e c480 0364 4dc9 bc8e f8d5 d6e7 ..P^...dM.......
672: 1bf0 b1b0 b285 e663 d370 bb82 f33a 003d .......c.p...:.=
688: 78ae 2d0c 5ab2 872c f342 8a7e 9784 baf5 x.-.Z..,.B.~....
704: 4496 ffd5 503f 1bac fc9d 7f1e 465c a103 D...P?......F\..
720: b469 2b68 7856 21b0 c3ff 31ca f567 249c .i+hxV!...1..g$.
736: a7a8 c5f6 2f81 682b fd3e ce06 8540 dc05 ..../.h+.>... at ..
752: 08fb fe63 31e1 c914 5172 746d 4f08 7db3 ...c1...QrtmO.}.
768: 99ea 6d19 0030 b36e fac8 cbd1 d6bb 7c0e ..m..0.n......|.
784: e23b 84d3 66d3 4bdc 1aaa 6731 b75d b3e2 .;..f.K...g1.]..
800: 3ada 31d5 ed20 fc3c 6912 f07d eab6 67b2 :.1.. .<i..}..g.
816: 58cd 0618 c135 d0a6 2029 5fc5 7909 b93e X....5.. )_.y..>
832: 286f 5cd0 968f fe3a 36fd 3b02 4c6c 8dce (o\....:6.;.Ll..
848: 7a46 c2a3 32c8 ec76 911e ee44 f880 5bc1 zF..2..v...D..[.
864: e6df 6700 c2c5 936b 0eb4 7da1 fe1e 4e23 ..g....k..}...N#
880: 0c7b cd74 d5f8 4861 5f55 d42d 6de5 1ddf .{.t..Ha_U.-m...
896: 81f3 0719 125e 3110 160b 9445 9088 cd33 .....^1....E...3
912: 1bac 18a5 b097 a922 9df1 1878 3105 132c ......."...x1..,
928: c26f 25f9 9c6e 4240 02e2 765e 0aaf 56b0 .o%..nB at ..v^..V.
944: 4605 7235 e6ff e68e 192b 8525 bbff 2624 F.r5.....+.%..&$
960: 7943 6ba2 8791 f6af 5a78 3978 a481 b630 yCk.....Zx9x...0
976: 81b3 a003 0201 03a2 81ab 0481 a8dc c5bd ................
992: 58f9 03fc d634 409b 9192 bf9e 052f d5bd X....4 at ....../..
1008: f6fc b190 fbd2 0140 9544 929a 73c5 2a0c ....... at .D..s.*.
1024: 36d7 2dd4 a5b1 9d27 e7bc f24f ab06 c70b 6.-....'...O....
1040: 7a7c fd74 0ed3 227c ee01 8f8d dd47 11cb z|.t.."|.....G..
1056: 27f7 36a8 270b e46f abb8 11e2 0f07 5833 '.6.'..o......X3
1072: 8553 4bb7 707e 3362 fc1b c5f1 4119 8a99 .SK.p~3b....A...
1088: 211a 6c47 b38d a28d c210 071c 94d0 584e !.lG..........XN
1104: 9c63 28af 7421 313e 60f9 e606 c4b2 d74d .c(.t!1>`......M
1120: 46fa 8e02 cfdc 0976 c463 84b9 c9e0 5d34 F......v.c....]4
1136: 342e d31c 18bd b6e2 b2d6 cf49 c6ce 1d30 4..........I...0
1152: 8929 e7c7 45 .)..E
>
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000> <Found
Negotiate with SPNEGO token>
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false
ticketCache is null KeyTab is mykeytab refreshKrb5Config is false principal is
hostname at MY.HOST.COM tryFirstPass is false useFirstPass is false storePass is false
clearPass is false
>>> KeyTab: load() entry length: 50
>>> KeyTabInputStream, readName(): MY.HOST.COM
>>> KeyTabInputStream, readName(): hostname
>>> KeyTab: load() entry length: 56
>>> KeyTabInputStream, readName(): MY.HOST.COM
>>> KeyTabInputStream, readName(): host
>>> KeyTabInputStream, readName(): hostname
>>> KeyTab: load() entry length: 56
>>> KeyTabInputStream, readName(): MY.HOST.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname
principal's key obtained from the keytab
principal is hostname at MY.HOST.HU
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 3 1
>>> KrbKdcReq send: kdc=ADSERVER.MYHOST.COM UDP:88, timeout=30000, number of retries
=3, #bytes=234
>>> KDCCommunication: kdc=ADSERVER.MYHOST.COM UDP:88, timeout=30000,Attempt =1,
#bytes=234
>>> KrbKdcReq send: #bytes read=199
>>> KrbKdcReq send: #bytes read=199
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Jul 06 16:35:40 CEST 2005 1120660540000
suSec is 309124
error code is 24
error Message is Pre-authentication information was invalid
realm is MY.HOST.COM
sname is krbtgt/MY.HOST.COM
eData provided.
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
<06-Jul-2005 16:34:50 o'clock CEST> <Debug> <SecurityDebug> <000000> <GSS exception
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new
ACCEPT credentials failed!)
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new
ACCEPT credentials failed!)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Lsun.security.jgss.krb5.Krb5NameElement;)Ljavax.security.auth.kerberos.KerberosKey;(Krb5AcceptCredential.java:189)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Lsun.security.jgss.krb5.Krb5NameElement;)Lsun.security.jgss.krb5.Krb5AcceptCredential;(Krb5AcceptCredential.java:80)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;III)Lsun.security.jgss.spi.GSSCredentialSpi;(Krb5MechFactory.java:75)
at
sun.security.jgss.GSSManagerImpl.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;IILorg.ietf.jgss.Oid;I)Lsun.security.jgss.spi.GSSCredentialSpi;(GSSManagerImpl.java:149)
at
sun.security.jgss.GSSCredentialImpl.add(Lorg.ietf.jgss.GSSName;IILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:334)
at
sun.security.jgss.GSSCredentialImpl.><init>(Lsun.security.jgss.GSSManagerImpl;Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:44)
at
sun.security.jgss.GSSManagerImpl.createCredential(Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)Lorg.ietf.jgss.GSSCredential;(GSSManagerImpl.java:102)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(Ljava.io.InputStream;Ljava.io.OutputStream;)V(GSSContextImpl.java:277)
at sun.security.jgss.GSSContextImpl.acceptSecContext([BII)[B(GSSContextImpl.java:246)
at
weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername()Ljava.lang.String;(SPNEGONegotiateToken.java:371)
at
weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Ljavax.security.auth.callback.CallbackHandler;(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at
weblogic.security.service.PrincipalAuthenticator.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Lweblogic.security.acl.internal.AuthenticatedSubject;(PrincipalAuthenticator.java:553)
at
weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;Lweblogic.security.acl.internal.AuthenticatedSubject;)Z(CertSecurityModule.java:104)
at
weblogic.servlet.security.internal.SecurityModule.beginCheck(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)Z(SecurityModule.java:199)
at
weblogic.servlet.security.internal.CertSecurityModule.checkA(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)Z(CertSecurityModule.java:86)
at
weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)Z(ServletSecurityManager.java:145)
at
weblogic.servlet.internal.WebAppServletContext.invokeServlet(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)V(WebAppServletContext.java:3685)
at
weblogic.servlet.internal.ServletRequestImpl.execute(Lweblogic.kernel.ExecuteThread;)V(ServletRequestImpl.java:2644)
at
weblogic.kernel.ExecuteThread.execute(Lweblogic.kernel.ExecuteRequest;)V(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run()V(ExecuteThread.java:178)
at java.lang.Thread.startThreadFromVM(Ljava.lang.Thread;)V(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Pre-authentication information
was invalid (24)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Z)V(Krb5LoginModule.java:585)
at com.sun.security.auth.module.Krb5LoginModule.login()Z(Krb5LoginModule.java:475)
at
jrockit.reflect.NativeMethodInvoker.invoke0(Ljava.lang.Object;ILjava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.NativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invoke(Ljava.lang.String;)V(LoginContext.java:675)
at
javax.security.auth.login.LoginContext.access$000(Ljavax.security.auth.login.LoginContext;Ljava.lang.String;)V(LoginContext.java:129)
at
javax.security.auth.login.LoginContext$4.run()Ljava.lang.Object;(LoginContext.java:610)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invokeModule(Ljava.lang.String;)V(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login()V(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run()Ljava.lang.Object;(LoginUtility.java:57)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Lsun.security.jgss.krb5.Krb5NameElement;)Ljavax.security.auth.kerberos.KerberosKey;(Krb5AcceptCredential.java:186)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Lsun.security.jgss.krb5.Krb5NameElement;)Lsun.security.jgss.krb5.Krb5AcceptCredential;(Krb5AcceptCredential.java:80)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;III)Lsun.security.jgss.spi.GSSCredentialSpi;(Krb5MechFactory.java:75)
at
sun.security.jgss.GSSManagerImpl.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;IILorg.ietf.jgss.Oid;I)Lsun.security.jgss.spi.GSSCredentialSpi;(GSSManagerImpl.java:149)
at
sun.security.jgss.GSSCredentialImpl.add(Lorg.ietf.jgss.GSSName;IILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:334)
at
sun.security.jgss.GSSCredentialImpl.<init>(Lsun.security.jgss.GSSManagerImpl;Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:44)
at
sun.security.jgss.GSSManagerImpl.createCredential(Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)Lorg.ietf.jgss.GSSCredential;(GSSManagerImpl.java:102)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(Ljava.io.InputStream;Ljava.io.OutputStream;)V(GSSContextImpl.java:277)
at sun.security.jgss.GSSContextImpl.acceptSecContext([BII)[B(GSSContextImpl.java:246)
at
weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername()Ljava.lang.String;(SPNEGONegotiateToken.java:371)
at
weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Ljavax.security.auth.callback.CallbackHandler;(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at
weblogic.security.service.PrincipalAuthenticator.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Lweblogic.security.acl.internal.AuthenticatedSubject;(PrincipalAuthenticator.java:553)
at
weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;Lweblogic.security.acl.internal.AuthenticatedSubject;)Z(CertSecurityModule.java:104)
at
weblogic.servlet.security.internal.SecurityModule.beginCheck(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)Z(SecurityModule.java:199)
at
weblogic.servlet.security.internal.CertSecurityModule.checkA(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;)Z(CertSecurityModule.java:86)
at
weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(Lweblogic.servlet.internal.ServletRequestImpl;Lweblogic.servlet.internal.ServletResponseImpl;)Z(ServletSecurityManager.java:145)
Caused by: KrbException: Pre-authentication information was invalid (24)
at
sun.security.krb5.KrbAsRep.<init>([BLsun.security.krb5.EncryptionKey;Lsun.security.krb5.KrbAsReq;)V(DashoA6275:67)
at
sun.security.krb5.KrbAsReq.getReply(Lsun.security.krb5.EncryptionKey;)Lsun.security.krb5.KrbAsRep;(DashoA6275:315)
at
sun.security.krb5.Credentials.acquireTGT(Lsun.security.krb5.PrincipalName;Lsun.security.krb5.EncryptionKey;)Lsun.security.krb5.Credentials;(DashoA6275:352)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Z)V(Krb5LoginModule.java:576)
at com.sun.security.auth.module.Krb5LoginModule.login()Z(Krb5LoginModule.java:475)
at
jrockit.reflect.NativeMethodInvoker.invoke0(Ljava.lang.Object;ILjava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.NativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invoke(Ljava.lang.String;)V(LoginContext.java:675)
at
javax.security.auth.login.LoginContext.access$000(Ljavax.security.auth.login.LoginContext;Ljava.lang.String;)V(LoginContext.java:129)
at
javax.security.auth.login.LoginContext$4.run()Ljava.lang.Object;(LoginContext.java:610)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invokeModule(Ljava.lang.String;)V(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login()V(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run()Ljava.lang.Object;(LoginUtility.java:57)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Lsun.security.jgss.krb5.Krb5NameElement;)Ljavax.security.auth.kerberos.KerberosKey;(Krb5AcceptCredential.java:186)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Lsun.security.jgss.krb5.Krb5NameElement;)Lsun.security.jgss.krb5.Krb5AcceptCredential;(Krb5AcceptCredential.java:80)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;III)Lsun.security.jgss.spi.GSSCredentialSpi;(Krb5MechFactory.java:75)
at
sun.security.jgss.GSSManagerImpl.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;IILorg.ietf.jgss.Oid;I)Lsun.security.jgss.spi.GSSCredentialSpi;(GSSManagerImpl.java:149)
at
sun.security.jgss.GSSCredentialImpl.add(Lorg.ietf.jgss.GSSName;IILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:334)
at
sun.security.jgss.GSSCredentialImpl.<init>(Lsun.security.jgss.GSSManagerImpl;Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:44)
at
sun.security.jgss.GSSManagerImpl.createCredential(Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)Lorg.ietf.jgss.GSSCredential;(GSSManagerImpl.java:102)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(Ljava.io.InputStream;Ljava.io.OutputStream;)V(GSSContextImpl.java:277)
at sun.security.jgss.GSSContextImpl.acceptSecContext([BII)[B(GSSContextImpl.java:246)
at
weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername()Ljava.lang.String;(SPNEGONegotiateToken.java:371)
at
weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Ljavax.security.auth.callback.CallbackHandler;(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at
weblogic.security.service.PrincipalAuthenticator.assertIdentity(Ljava.lang.String;Ljava.lang.Object;)Lweblogic.security.acl.internal.AuthenticatedSubject;(PrincipalAuthenticator.java:553)
at
weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(Ljavax.servlet.http.HttpServletRequest;Ljavax.servlet.http.HttpServletResponse;Lweblogic.security.acl.internal.AuthenticatedSubject;)Z(CertSecurityModule.java:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(Lsun.security.util.DerValue;I)V(DashoA6275:134)
at sun.security.krb5.internal.at.a(Lsun.security.util.DerValue;)V(DashoA6275:63)
at sun.security.krb5.internal.at.<init>(Lsun.security.util.DerValue;)V(DashoA6275:58)
at
sun.security.krb5.KrbAsRep.<init>([BLsun.security.krb5.EncryptionKey;Lsun.security.krb5.KrbAsReq;)V(DashoA6275:53)
at
sun.security.krb5.KrbAsReq.getReply(Lsun.security.krb5.EncryptionKey;)Lsun.security.krb5.KrbAsRep;(DashoA6275:315)
at
sun.security.krb5.Credentials.acquireTGT(Lsun.security.krb5.PrincipalName;Lsun.security.krb5.EncryptionKey;)Lsun.security.krb5.Credentials;(DashoA6275:352)
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Z)V(Krb5LoginModule.java:576)
at com.sun.security.auth.module.Krb5LoginModule.login()Z(Krb5LoginModule.java:475)
at
jrockit.reflect.NativeMethodInvoker.invoke0(Ljava.lang.Object;ILjava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.NativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
jrockit.reflect.VirtualNativeMethodInvoker.invoke(Ljava.lang.Object;[Ljava.lang.Object;)Ljava.lang.Object;(Unknown
Source)
at
java.lang.reflect.Method.invoke(Ljava.lang.Object;[Ljava.lang.Object;I)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invoke(Ljava.lang.String;)V(LoginContext.java:675)
at
javax.security.auth.login.LoginContext.access$000(Ljavax.security.auth.login.LoginContext;Ljava.lang.String;)V(LoginContext.java:129)
at
javax.security.auth.login.LoginContext$4.run()Ljava.lang.Object;(LoginContext.java:610)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
javax.security.auth.login.LoginContext.invokeModule(Ljava.lang.String;)V(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login()V(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run()Ljava.lang.Object;(LoginUtility.java:57)
at
jrockit.vm.AccessController.do_privileged_exc(Ljava.security.PrivilegedExceptionAction;Ljava.security.AccessControlContext;I)Ljava.lang.Object;(Unknown
Source)
at
jrockit.vm.AccessController.doPrivileged(Ljava.security.PrivilegedExceptionAction;)Ljava.lang.Object;(Unknown
Source)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Lsun.security.jgss.krb5.Krb5NameElement;)Ljavax.security.auth.kerberos.KerberosKey;(Krb5AcceptCredential.java:186)
at
sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Lsun.security.jgss.krb5.Krb5NameElement;)Lsun.security.jgss.krb5.Krb5AcceptCredential;(Krb5AcceptCredential.java:80)
at
sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;III)Lsun.security.jgss.spi.GSSCredentialSpi;(Krb5MechFactory.java:75)
at
sun.security.jgss.GSSManagerImpl.getCredentialElement(Lsun.security.jgss.spi.GSSNameSpi;IILorg.ietf.jgss.Oid;I)Lsun.security.jgss.spi.GSSCredentialSpi;(GSSManagerImpl.java:149)
at
sun.security.jgss.GSSCredentialImpl.add(Lorg.ietf.jgss.GSSName;IILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:334)
at
sun.security.jgss.GSSCredentialImpl.<init>(Lsun.security.jgss.GSSManagerImpl;Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)V(GSSCredentialImpl.java:44)
at
sun.security.jgss.GSSManagerImpl.createCredential(Lorg.ietf.jgss.GSSName;ILorg.ietf.jgss.Oid;I)Lorg.ietf.jgss.GSSCredential;(GSSManagerImpl.java:102)
at
sun.security.jgss.GSSContextImpl.acceptSecContext(Ljava.io.InputStream;Ljava.io.OutputStream;)V(GSSContextImpl.java:277)
at sun.security.jgss.GSSContextImpl.acceptSecContext([BII)[B(GSSContextImpl.java:246)
at
weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername()Ljava.lang.String;(SPNEGONegotiateToken.java:371)
>
More information about the Kerberos
mailing list