Checksum failed problem
Sarris Overbosch | Everett
sarris.overbosch at everett.nl
Wed Mar 30 04:39:20 EDT 2011
Hi All,
I'm trying to get single sign-on working using Kerberos. On my local
test environment it works like a charm, but in the real environment I
cannot get it to work. The only difference I see so far is this:
(Environment: Windows 2008 Server as DC, JBoss AS with Negotiation, IE 8)
Local:
Client Addresses Null
Private Credential: Kerberos Principal host/jbossserver@DOMAIN.LOCALKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 9C 2E 64 A4 22 2E 9C 6A 40 D8 89 FA 21 30 F5 9C ..d."..j@...!0..
Real:
Client Addresses Null
Private Credential: Kerberos Principal host/jbossserver@SHIPYARD.LOCALKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
As you can see, the Key Version is different. Does anybody know what this
means and, if so, why this causes the problem:
2011-03-30 10:22:13,171 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key for host/jbossserver@SHIPYARD.LOCAL(23)
2011-03-30 10:22:13,172 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2011-03-30 10:22:13,174 INFO [STDOUT] (http-0.0.0.0-8888-1) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
2011-03-30 10:22:13,175 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum failed !
2011-03-30 10:22:13,175 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
2011-03-30 10:22:13,175 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-8888-1) Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
Best regards,
Sarris Overbosch