Java GSS/Kerberos issue - Autheticating server

Seema Malkani Seema.Malkani at Sun.COM
Wed Nov 30 16:00:21 EST 2005 

Douglas E. Engert wrote On 11/30/05 08:27,:

>
>
> Laurence wrote:
>
>> Hey guys, hopefully someone can help me out here.
>>
>> I am having a problem with authenticating a user to a KDC (I believe
>> the MIT reference implementation) using Java (JDK1.5 and JDK1.4)
>> through GSS.
>>
>> Here is the background:
>>
>> I have two processes running on one machine (Client and Server).
>>
>> 1. Client authenticates to kerberos server and logs in, uses the GSS
>> libraries to create a service ticket for destination server
>> (Authenticates with principal test/admin at realm.com).
>> 2. Server receives request from client (Through soap transcation).
>> Generates a login context and tries to authenticate against the
>> kerberos server using test2/admin at realm.com. Server is returned an
>> error from the kerberos server (Integrity check on decrypted field
>> failed (31) - PREAUTH_FAILED).
>
>
> There is a bug in Java related to PREAUTH. (Its fixed in 1.6 I believe.)
> It has to do with Jave assuming it knows the "salt" to use when 
> generating
> the key from the password. key = fun(passwrod,salt); The salt is based on
> user and realm. Jave assumes that the these have not changed since the
> password was last changed. Windows is also case insensitive but does
> preserve the case of the salt when changing the password.
>
> So if you have moved an AD account from one domain to another or changed
> the acount name (even the case) and not changed the password  you could
> have problems.
>
> So make sure the case of the principal and the principal is the same
> as when the password for the acount was last changed.

I think we have a different scenario here. If I understand correctly, 
submitter says he can authenticate using same principal/password 
"test2/admin" from the client-side, but cannot use the same 
principal/password from the server-side.

Laurence, can you try to simple JAAS Kerberos login, and check if you 
can authenticate from the server-side.

Seema

>
>
>>
>> If I configured the client to use the same username/password I can
>> authenticate on the client, but no matter what I put in the server it
>> fails.
>>
>> I don't know the kerberos protocol well enough to know if I can even do
>> this (Having the server contact the KDC after a service ticket has been
>> issued to the client to authenticate). Is that why I'm getting what
>> I've read indicates a password error?
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>

More information about the Kerberos mailing list