javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - Kerberos


  1. javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

    Hi!!

    I am new to the list, so, first of all, hello everybody!!

    We are facing a weird problem here ... We are using authentication in
    our java web pages, running in Tomcat 5.0.28, through the
    "com.sun.security.auth.module.Krb5LoginModule", against a MS Active
    Directory database.

    Everything works fine, except when the passwords are 10 or 11
    characters long. In these cases, we get the error below in the
    "catalina.out" log file:

    javax.security.auth.login.LoginException: Pre-authentication
    information was invalid (24)

    Has anyone run into this problem before? How could we trace it?

    Best regards,
    Carlos.

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)



    Carlos Zottmann wrote:

    > Hi!!
    >
    > I am new to the list, so, first of all, hello everybody!!
    >
    > We are facing a weird problem here ... We are using authentication in
    > our java web pages, running in Tomcat 5.0.28, through the
    > "com.sun.security.auth.module.Krb5LoginModule", against a MS Active
    > Directory database.
    >
    > Everything works fine, except when the passwords are 10 or 11
    > characters long. In these cases, we get the error below in the
    > "catalina.out" log file:
    >
    > javax.security.auth.login.LoginException: Pre-authentication
    > information was invalid (24)
    >
    > Has anyone run into this problem before? How could we trace it?


    Maybe. Error 24 can also be caused by Java not handling the Kerberos
    pre-auth correctly. This can occur if the principal name does not match
    what is stored in AD and what the principal name was when the password was
    last changed. This can be a case mismatch (AD does not care, Kerberos does)
    or a renamed account where the password has not been changed. Java 1.6
    is reported to have a fix for this problem. The fix will accept the pre-auth hint
    from the KDC as to what "salt" to use when doing the string to key
    function. The "salt" is derived from the principal name at the time
    the password was changed. Older Java versions assumed they knew the salt
    and tried to skip the first step in the pre-auth.

    Your problem is in the same area so check for these first problems first.
    But if there is some artificial limit on the size of the password, like 8!
    that could be considered a new problem.

    You can trace this using Ethereal to watch the Kerberos packets.




    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
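An added illustration of the salt mismatch Douglas describes (not code from the thread or from the JDK): the client derives its pre-authentication key from the password and a salt, and the KDC can only verify the encrypted timestamp if the client used the salt stored when the password was last set. The realm, account names and password are constructed, and the PBKDF2 step of the RFC 3962 string-to-key stands in for whichever salted key derivation the deployment uses.

```python
import hashlib
from typing import Optional

ITERATIONS = 4096  # RFC 3962 default iteration count


def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def string_to_key(password: str, salt: bytes) -> bytes:
    """PBKDF2 step of the RFC 3962 string-to-key (the final DK() step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, 16)


def preauth_would_verify(password: str, stored_salt: bytes, used_salt: bytes) -> bool:
    """The KDC can decrypt the client's timestamp only if both sides hold the same key."""
    return string_to_key(password, used_salt) == string_to_key(password, stored_salt)


# Constructed sample data, not taken from the thread.
REALM = "EXAMPLE.COM"
PASSWORD = "correct-horse"
# Salt fixed when the password was last set; the account was then named "JSmith".
STORED_SALT = default_salt(REALM, "JSmith")


def client_salt(typed_name: str, kdc_hint: Optional[bytes]) -> bytes:
    """Without a hint the client guesses the salt from the typed name (the older
    behaviour described above); with a hint it uses the salt the KDC sent back."""
    return kdc_hint if kdc_hint is not None else default_salt(REALM, typed_name)


def scenarios() -> dict:
    cases = {
        "exact name, guessed salt": client_salt("JSmith", None),
        "case mismatch, guessed salt": client_salt("jsmith", None),
        "renamed account, guessed salt": client_salt("John.Smith", None),
        "case mismatch, salt from KDC hint": client_salt("jsmith", STORED_SALT),
    }
    return {name: preauth_would_verify(PASSWORD, STORED_SALT, salt)
            for name, salt in cases.items()}


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36} -> {'accepted' if ok else 'PREAUTH_FAILED (24)'}")
```
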


  3. Re: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

    2005/10/24, Douglas E. Engert :
    > Maybe. Error 24 can also be caused by Java not handling the Kerberos
    > pre-auth correctly. This can occur if the principal name does not match
    > what is stored in AD and what the principal name was when the password was
    > last changed. This can be a case mismatch (AD does not care, Kerberos does)
    > or a renamed account where the password has not been changed. Java 1.6
    > is reported to have a fix for this problem. The fix will accept the
    > pre-auth hint from the KDC as to what "salt" to use when doing the string
    > to key function. The "salt" is derived from the principal name at the time
    > the password was changed. Older Java versions assumed they knew the salt
    > and tried to skip the first step in the pre-auth.
    >
    > Your problem is in the same area so check for these first problems first.
    > But if there is some artificial limit on the size of the password, like 8!
    > that could be considered a new problem.
    >
    > You can trace this using Ethereal to watch the Kerberos packets.

    Hi!!

    I sent this question a while ago, but didn't have the time to deal with
    this again until now.

    I have done some more tests with this case, turning on the Kerberos logging
    at the Domain Controllers, but the results that I found just confused me
    more:

    - The scenario is this:
      - Apache Tomcat 5.0.28
      - JVM: Sun's 1.4.2_03_b02
      - Module being used: "com.sun.security.auth.module.Krb5LoginModule"
      - Domain Controller: Windows 2000 SP4

    - Both the Tomcat log and the Ethereal packet capture show that the problem
      is due to Pre-authentication (the error code shown by Ethereal is
      KRB5KDC_ERR_PREAUTH_FAILED)

    - The only error logged by Kerberos at the domain controller at the time I
      ran the tests shows this:

    Error Code: 18:58:1.0000 4/26/2006 (null) 0x7
    Extended Error: KDC_ERR_S_PRINCIPAL_UNKNOWN

    The oddest thing is that this error only occurs if I choose a password that is
    10 or 11 characters long!! If it is up to 9 characters, or above 11, with
    the same username, things work just great!!

    Can anybody give me some help on this?

    Thanks in Advance,
    Carlos.