javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

Douglas E. Engert deengert at anl.gov
Mon Oct 24 15:41:49 EDT 2005



Carlos Zottmann wrote:

> Hi!!
> 
> I am new to the list, so, first of all, hello everybody!!
> 
> We are facing a weird problem here ... We are using authentication in
> our java web pages, running in Tomcat 5.0.28, through the
> "com.sun.security.auth.module.Krb5LoginModule", against a MS Active
> Directory database.
> 
> Everything works fine, except when the passwords are 10 or 11
> characters long. In these cases, we get the error below in the
> "catalina.out" log file:
> 
> javax.security.auth.login.LoginException: Pre-authentication
> information was invalid (24)
> 
> Has anyone run into this problem before? How could we trace it?

Maybe. Error 24 can also be caused by Java not handling the Kerberos
pre-auth correctly. This can occur if the principal name does not match
what is stored in AD and what the principal name was when the password was
last changed. This can be a case mismatch (AD does not care, Kerberos does)
or a renamed account where the password has not been changed. Java 1.6
is reported to have a fix for this problem. The fix will accept the pre-auth hint
from the KDC as to what "salt" to use when doing the string to key
function. The "salt" is derived from the principal name at the time
the password was changed. Older Java versions assumed they know the salt
and tried to skip the first step in the pre-auth.

Your problem is in the same area so check for these problems first.
But if there is some artificial limit on the size of the password, like 8!
that could be considered a new problem.

You can trace this using Ethereal to watch the Kerberos packets.


> 
> Best regards,
> Carlos.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
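
Added example, not part of the original post: a sketch of why a client that guesses the salt from the typed principal name derives a different key than the KDC holds, and why using the KDC's salt hint fixes it. It assumes the RFC 4120 default salt (realm plus name components) and uses only the PBKDF2 stage of the RFC 3962 AES string-to-key as the key derivation; the thread does not say which encryption type is in use, and the realm, names and password are constructed.

```python
import hashlib
import hmac


def default_salt(realm, principal):
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def pbkdf2_step(password, salt, iterations=4096, length=16):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (the final DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, length)


def preauth_key_matches(password, realm, stored_name, typed_name, use_kdc_hint):
    """Compare the key material the KDC holds with what the client derives.

    stored_name: principal name at the time the password was last changed
                 (this fixed the salt on the KDC side).
    typed_name:  name the client logs in with now.
    use_kdc_hint: True models a client that takes the salt from the KDC's
                  pre-auth hint; False models one that assumes it knows the salt.
    """
    kdc_salt = default_salt(realm, stored_name)
    client_salt = kdc_salt if use_kdc_hint else default_salt(realm, typed_name)
    kdc_key = pbkdf2_step(password, kdc_salt)
    client_key = pbkdf2_step(password, client_salt)
    # A mismatch means the KDC cannot decrypt the client's pre-auth data,
    # which it reports as error 24.
    return hmac.compare_digest(kdc_key, client_key)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    realm, password = "EXAMPLE.COM", "correct horse"
    cases = [
        ("case mismatch", "JSmith", "jsmith"),
        ("renamed account", "jsmith", "jdoe"),
        ("same name", "jsmith", "jsmith"),
    ]
    for label, stored, typed in cases:
        guessed = preauth_key_matches(password, realm, stored, typed, use_kdc_hint=False)
        hinted = preauth_key_matches(password, realm, stored, typed, use_kdc_hint=True)
        print(f"{label:16} guessed salt ok={guessed}  KDC-hinted salt ok={hinted}")
```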

