javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

Carlos Zottmann carlos.zottmann at gmail.com
Wed Apr 26 15:58:23 EDT 2006


2005/10/24, Douglas E. Engert <deengert at anl.gov>:
>
>
>
> Carlos Zottmann wrote:
>
> > Hi!!
> >
> > I am new to the list, so, first of all, hello everybody!!
> >
> > We are facing a weird problem here ... We are using authentication in
> > our java web pages, running in Tomcat 5.0.28, through the
> > "com.sun.security.auth.module.Krb5LoginModule", against a MS Active
> > Directory database.
> >
> > Everything works fine, except when the passwords are 10 or 11
> > characters long. In these cases, we get the error below in the
> > "catalina.out" log file:
> >
> > javax.security.auth.login.LoginException: Pre-authentication
> > information was invalid (24)
> >
> > Has anyone run into this problem before? How could we trace it?
>
> Maybe. Error 24 can also be caused by Java not handling the Kerberos
> pre-auth correctly. This can occur if the principal name does not match
> what is stored in AD and what the principal name was when the password was
> last changed. This can be a case mismatch (AD does not care, Kerberos does)
> or a renamed account where the password has not been changed. Java 1.6
> is reported to have a fix for this problem. The fix will accept the
> pre-auth hint from the KDC as to what "salt" to use when doing the string
> to key function. The "salt" is derived from the principal name at the time
> the password was changed. Older Java versions assumed they knew the salt
> and tried to skip the first step in the pre-auth.
>
> Your problem is in the same area so check for these first problems first.
> But if there is some artificial limit on the size of the password, like 8!
> that could be considered a new problem.
>
> You can trace this using Ethereal to watch the Kerberos packets.
>
>
> >
> > Best regards,
> > Carlos.
> >
>
> --
>
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
>

Hi!!

I have sent this question a while ago, but didn't have the time to deal with
this again until now.

I have done some more tests with this case, turning on the Kerberos logging
at the Domain Controllers, but the results that I found just confused me
more:

- The scenario is this:
    - Apache Tomcat 5.0.28
    - JVM: Sun's 1.4.2_03_b02
    - Module being used: "com.sun.security.auth.module.Krb5LoginModule"
    - Domain Controller: Windows 2000 SP4

- Both the Tomcat log and the Ethereal packet capture show that the problem
is due to Pre-authentication (the error code shown by Ethereal is
KRB5KDC_ERR_PREAUTH_FAILED)

- The only error logged by Kerberos at the domain controller by the time I
run the tests shows this:

Error Code: 18:58:1.0000 4/26/2006 (null) 0x7
Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN

The oddest thing is that this error only occurs if I choose a password that is
10 or 11 characters long!! If it is up to 9 characters, or above 11, with
the same username, things work just great!!

Can anybody give me some help on this?

Thanks in Advance,
Carlos.
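The salt behaviour Douglas describes above, as an added example that is not part of the thread: the KDC derives the stored key with a salt frozen from the principal name at password-change time, a client that assumes the salt from the login name (or its case) derives a different key, and its encrypted timestamp then fails to decrypt, which is error 24. Assumptions: the default salt rule is the RFC 4120 one (realm followed by the principal name components), the string-to-key shown is the first PBKDF2 stage of the RFC 3962 AES profile rather than the DES profile a Windows 2000 domain would use (only the salting matters here), and the realm, principal names, password and hint structure are constructed.

```python
# Added example (not code from the thread): why an assumed Kerberos salt
# produces KRB5KDC_ERR_PREAUTH_FAILED (24) when the principal name differs
# from the one in effect when the password was set.
import hashlib


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm followed by the principal name components
    with no separators, e.g. EXAMPLE.COM + 'jdoe' -> b'EXAMPLE.COMjdoe'."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def choose_salt(realm: str, principal: str, etype_info_hint=None) -> bytes:
    """A hint-aware client takes the salt from the KDC's PA-ETYPE-INFO(2)
    hint in the KRB-ERROR that precedes pre-auth; an older client skips
    that step and assumes the default salt for the name it logged in with."""
    if etype_info_hint is not None and etype_info_hint.get("salt") is not None:
        return etype_info_hint["salt"]
    return default_salt(realm, principal)


def string_to_key(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """First stage of RFC 3962 AES string-to-key (PBKDF2-HMAC-SHA1 with the
    salt). The final DK() step needs an AES primitive and is omitted."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def simulate_as_exchange(password: str, realm: str, stored_principal: str,
                         login_principal: str, use_hint: bool) -> str:
    """Simulate the pre-auth key comparison of an AS exchange (constructed)."""
    # KDC side: the salt was fixed when the password was last changed.
    kdc_salt = default_salt(realm, stored_principal)
    kdc_key = string_to_key(password, kdc_salt)
    # Client side: either honour the KDC's salt hint or assume the default.
    hint = {"salt": kdc_salt} if use_hint else None
    client_key = string_to_key(password, choose_salt(realm, login_principal, hint))
    # The KDC decrypts PA-ENC-TIMESTAMP with its stored key; a different key
    # means decryption fails and the KDC answers with error 24.
    return "OK" if client_key == kdc_key else "KRB5KDC_ERR_PREAUTH_FAILED (24)"


if __name__ == "__main__":
    # Constructed values: account renamed/cased 'JDoe' at password change,
    # user now logs in as 'jdoe'.
    for use_hint in (False, True):
        print("hint" if use_hint else "assumed salt",
              simulate_as_exchange("s3cret-pw!", "EXAMPLE.COM", "JDoe", "jdoe", use_hint))
```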
