[IMPORTANT] Kerberos Issue : Pre Authentication failed (Error Code 24) with SAM account / No error with UPN account

Douglas E. Engert deengert at anl.gov
Mon Nov 26 15:42:44 EST 2007


Bornil Bruno bb (DBB) wrote:
> Hello, 
> 
> 
> I'm a Business Intelligence consultant working on Business Objects
> products and the latest one: BusinessObjects Enterprise XI Release 2 (BOE
> XI-R2). 
> The BOE XI-R2 product allows setting up Active Directory, LDAP, and NT
> authentication mechanisms (and additionally SSO). 
> I have to set up Single Sign On on BOE XI-R2 products and I have done it
> successfully several times (on LDAP, AD and NT). 
> 
> On a specific project, the SSO (using Kerberos with Active Directory)
> does not work and we are having difficulty identifying why it is not
> working... 
> 
> The Kerberos authentication is done through a JVM (1.4.2) and we can
> test it using the "kinit" utility. We set up the krb5.ini and all files
> correctly.
> Here is the content of the krb5.ini file:
> [logging]
>    default = CONSOLE
>    kdc = CONSOLE
>    admin_server = CONSOLE
> 
> [libdefaults]
>    default_realm = DBB.INT.DEXWIRED.NET
>    dns_lookup_kdc = true
>    dns_lookup_realm = true
>    kdc_timeout = 30000
> 
> [realms]
>    DBB.INT.DEXWIRED.NET = {
>       kdc = DLU0SINF001P.DBB.INT.DEXWIRED.NET
>       default_domain = DBB.INT.DEXWIRED.NET
>    }
> 
> Note: We tried to use logging with this syntax: default =
> FILE:C:/WINNT/default.log, but no logs were generated! And CONSOLE
> outputs nothing on Windows. 
> 
> If we use kinit with a SAM account, we get error code 24 (pre
> authentication failed). 
> If we use kinit with a UPN account (for the same user account), we
> succeed in authenticating the user. 
> 
> Can you give me some information about how the authentication
> mechanism works? 

This sounds like the problem with Java 1.4 assuming it knows
the "salt" to use for a user, and taking a short cut with the
Kerberos protocol, skipping the first step of asking the KDC for
any pre-auth parameters, including the salt, because it assumed it already knew the salt.
The salt for DES is the realm concatenated with the principal name
components as of the last time the password was changed. The salt is
concatenated with the password as input to a string-to-key function
to get a key. The client and server do need to use the same salt.

Google for java pre-auth

http://www.webservertalk.com/archive213-2005-8-1171299.html

> Is it possible to specify to the JVM that we want to authenticate
> users with SAM rather than UPN, and how? 
> 
> Do you have any ideas or suggestions, please? 

I believe it is fixed in 1.6

> 
> Thanks for your help. 
> 
> 
> Regards,
> Bruno.
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
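As an added illustration of the salt mismatch Douglas describes (this is not code from the thread or from Java's Kerberos implementation), the Python below models a KDC that holds one key for an account reachable under both a SAM-style and a UPN-style name, with the salt fixed from one of those names at the last password change, and a kinit that either asks the KDC for the salt (ETYPE-INFO) or guesses it from the name typed. The realm is the one from the krb5.ini above; the account names and password are constructed, and the string-to-key and encrypted-timestamp functions are HMAC/PBKDF2 stand-ins for the DES ones.

```python
import hashlib
import hmac
import time

# Constructed sample values; the two account names for the same user are hypothetical.
REALM = "DBB.INT.DEXWIRED.NET"
SAM_NAME = "bbornil"        # hypothetical sAMAccountName
UPN_NAME = "bruno.bornil"   # hypothetical UPN prefix

def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm followed by the name components, no separators."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal must be name@REALM")
    return realm + "".join(name.split("/"))

def string_to_key(password: str, salt: str) -> bytes:
    # Stand-in for the DES string-to-key of RFC 3961; keeps the property that matters here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000, 8)

def pa_enc_timestamp(key: bytes, ts: int) -> bytes:
    # Stand-in for the encrypted timestamp carried in PA-ENC-TIMESTAMP.
    return hmac.new(key, str(ts).encode(), "sha256").digest()

class MockKdc:
    """One account reachable under both names; its key and salt were fixed
    at the last password change, here from the UPN-style principal."""
    def __init__(self, password: str):
        self.salt = default_salt(f"{UPN_NAME}@{REALM}")
        self.key = string_to_key(password, self.salt)
        self.names = {f"{SAM_NAME}@{REALM}", f"{UPN_NAME}@{REALM}"}

    def etype_info_salt(self, principal: str) -> str:
        # The salt the KDC returns (ETYPE-INFO) to an AS-REQ sent without pre-auth data.
        if principal not in self.names:
            raise KeyError(principal)
        return self.salt

    def check_preauth(self, principal: str, ts: int, proof: bytes) -> int:
        # 0 = accepted; 24 = KDC_ERR_PREAUTH_FAILED (client derived a different key)
        if principal not in self.names:
            raise KeyError(principal)
        return 0 if hmac.compare_digest(proof, pa_enc_timestamp(self.key, ts)) else 24

def kinit(kdc: MockKdc, principal: str, password: str, ask_kdc_for_salt: bool) -> int:
    """ask_kdc_for_salt=False is the Java 1.4 shortcut: guess the salt from the name typed."""
    salt = kdc.etype_info_salt(principal) if ask_kdc_for_salt else default_salt(principal)
    key = string_to_key(password, salt)
    ts = int(time.time())
    return kdc.check_preauth(principal, ts, pa_enc_timestamp(key, ts))
```

With the shortcut, the SAM name yields error 24 while the UPN name succeeds, exactly the symptom reported above; asking the KDC for the salt first makes both names work.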


