[IMPORTANT] Kerberos Issue : Pre Authentication failed (Error Code 24) with SAM account / No error with UPN account
John Hascall
john at iastate.edu
Mon Nov 26 15:47:34 EST 2007
Yes, we had a similar lamely done pre-auth issue with the java libs,
1.6 seems much better.
John
>
> Bornil Bruno bb (DBB) wrote:
> > Hello,
> >
> >
> > I'm a Business Intelligence consultant working on Business Objects
> > products and the latest one: BusinessObjects Enterprise XI Release 2 (BOE
> > XI-R2).
> > The BOE XI-R2 product allows setting up Active Directory, LDAP and NT
> > authentication mechanisms (and additionally SSO).
> > I have to set up Single Sign On on BOE XI-R2 products and I did it
> > successfully several times (on LDAP, AD and NT).
> >
> > On a specific project, the SSO (using Kerberos with Active Directory)
> > does not work and we are having difficulty identifying why it is not
> > working...
> >
> > The Kerberos authentication is done through a JVM (1.4.2) and we can
> > test it using the "kinit" utility. We set up the krb5.ini and all files
> > correctly.
> > Here is the content of the krb5.ini file:
> > [logging]
> > default = CONSOLE
> > kdc = CONSOLE
> > admin_server = CONSOLE
> >
> > [libdefaults]
> > default_realm = DBB.INT.DEXWIRED.NET
> > dns_lookup_kdc = true
> > dns_lookup_realm = true
> > kdc_timeout = 30000
> >
> > [realms]
> > DBB.INT.DEXWIRED.NET = {
> > kdc = DLU0SINF001P.DBB.INT.DEXWIRED.NET
> > default_domain = DBB.INT.DEXWIRED.NET
> > }
> >
> > Note: We tried to use logging with this syntax: default =
> > FILE:C:/WINNT/default.log, but no logs were generated! And CONSOLE
> > outputs nothing on Windows.
> >
> > If we use kinit with a SAM account, we get error code 24 (pre-
> > authentication failed).
> > If we use kinit with a UPN account (for the same user account), we
> > succeed in authenticating the user.
> >
> > Can you give me some information about how the authentication
> > mechanism works?
>
> This sounds like the problem with Java 1.4 assuming it knows
> the "salt" to use for a user, and taking a shortcut with the
> Kerberos protocol, skipping the first step of asking the KDC for
> any pre-auth parameters, including the salt, assuming it knew the salt.
> The salt for DES is the realm concatenated with the principal name
> components as of the last time the password was changed. The salt is
> concatenated with the password as input to a string-to-key function
> to get a key. The client and server do need to use the same salt.
>
> Google for java pre-auth
>
> http://www.webservertalk.com/archive213-2005-8-1171299.html
>
> > Is it possible to specify to the JVM that we want to authenticate
> > users with SAM rather than UPN, and how?
> >
> > Do you have any ideas or suggestions, please?
>
> I believe it is fixed in 1.6
>
> >
> > Thanks for your help.
> >
> >
> > Regards,
> > Bruno.
> >
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
> >
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
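The salt mismatch Douglas describes, as an added simulation that is not code from the thread: the RFC 3961 default-salt rule (realm followed by the name components, no separators) and the error codes are real, but PBKDF2 stands in for the DES string-to-key function and an HMAC tag stands in for the encrypted PA-ENC-TIMESTAMP, and the user names and the assumption that the KDC's stored salt was built from the UPN-form name are constructed.

```python
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 24    # the code kinit reported with the SAM name
KDC_ERR_PREAUTH_REQUIRED = 25  # reply that carries PA-ETYPE-INFO, i.e. the salt


def default_salt(realm, name_components):
    """RFC 3961 default salt: realm, then the name components, no separators."""
    return realm + "".join(name_components)


def string_to_key(password, salt):
    """Stand-in for the DES string-to-key (PBKDF2 here, not DES): same inputs."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)


def enc_timestamp(key, timestamp):
    """Stand-in for PA-ENC-TIMESTAMP: a tag only the holder of `key` can make."""
    return hmac.new(key, timestamp.encode(), "sha1").digest()


class Kdc:
    """Holds the key derived when the password was last set, with that salt."""
    def __init__(self, realm, name_at_password_change, password):
        self.salt = default_salt(realm, [name_at_password_change])
        self.key = string_to_key(password, self.salt)

    def as_req(self, pa_enc_timestamp, timestamp):
        if pa_enc_timestamp is None:            # no pre-auth yet: tell the client the salt
            return KDC_ERR_PREAUTH_REQUIRED, self.salt
        if hmac.compare_digest(pa_enc_timestamp, enc_timestamp(self.key, timestamp)):
            return 0, None                      # success; an AS-REP would follow
        return KDC_ERR_PREAUTH_FAILED, None


def kinit(kdc, realm, typed_name, password, ask_kdc_for_salt):
    """Return the KDC result code; ask_kdc_for_salt=False is the Java 1.4 shortcut."""
    ts = "20071126154734Z"                      # constructed timestamp
    if ask_kdc_for_salt:
        code, salt = kdc.as_req(None, ts)       # first round trip: learn the salt
    else:
        salt = default_salt(realm, [typed_name])  # guess it from what the user typed
    pa = enc_timestamp(string_to_key(password, salt), ts)
    code, _ = kdc.as_req(pa, ts)
    return code
```

With the shortcut, the SAM-form name yields a different salt than the one the KDC used, so the key differs and the KDC answers 24; the same name works once the client takes the KDC's salt from the first reply.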