Haven't seen this specifically -- but try changing the password for that user. My guess from "Pre-authentication information was invalid (24)" is that the AD 2k8 is looking for Kerberos salting info that hasn't yet been generated. Changing the password, even to the same thing it currently is, may fix that.
Another possibility - make sure your default realm is specified uppercase in your krb5.conf. Also - maybe something here will help: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html On Thu, Feb 5, 2009 at 10:10 AM, Andrew Feller <afel...@lsu.edu> wrote: > Recently, we ran into some weird exceptions in the Tomcat log that we have > never seen before. We are using CAS 3.2.1 on Tomcat 6 with the > JaasAuthenticationHandler and the Krb5LoginModule to authenticate users to > Active Directory on a RHEL 5 box. The only thing I know that has changed is > that our Active Directory administrators upgraded a few domain controllers > from AD 2003 to AD 2008. In the log sample below, the following exception > was logged from a user entering an invalid password. > > Has anyone encountered similar issues? > > Thanks, > A- > > javax.security.auth.login.LoginException: Pre-authentication information was > invalid (24) at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) > at sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) at > javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) > at > javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) > at > javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) > at java.security.AccessController.doPrivileged(Native Method) > at > javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) > at > javax.security.auth.login.LoginContext.login(LoginContext.java:579) > at > org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler.authenticateUsernamePasswordInternal(JaasAuthenticationHandler.java:76) > at > org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:56) > at > org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:71) > at > org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:88) > at > org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:411) > at > org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:107) > at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) at > org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:99) > at > org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:133) > at > org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:192) > at > org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:146) > at > org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:59) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:156) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:202) > at > org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:222) > at > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:111) > at > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165) > at > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) > at > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875) > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809) > at > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:476) > at > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:441) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) > at > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:75) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) > at > org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:852) > at > org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:584) > at > org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508) > at java.lang.Thread.run(Thread.java:619) Caused by: KrbException: > Pre-authentication information was invalid (24) at > sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66) at > sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449) at > sun.security.krb5.Credentials.sendASRequest(Credentials.java:406) at > sun.security.krb5.Credentials.acquireTGT(Credentials.java:378) at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662) > ... 72 more Caused by: KrbException: Identifier doesn't match > expected value (906) at > sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) at > sun.security.krb5.internal.ASRep.init(ASRep.java:58) at > sun.security.krb5.internal.ASRep.<init>(ASRep.java:53) at > sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50) ... 76 more > javax.security.auth.login.LoginException: Pre-authentication information was > invalid (24) at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696) > at > com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542) > at sun.reflect.GeneratedMethodAccessor54.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) at > javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) > at > javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) > at > javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) > at java.security.AccessController.doPrivileged(Native Method) > at > javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) > at > javax.security.auth.login.LoginContext.login(LoginContext.java:579) > at > org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler.authenticateUsernamePasswordInternal(JaasAuthenticationHandler.java:76) > at > org.jasig.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler.doAuthentication(AbstractUsernamePasswordAuthenticationHandler.java:56) > at > org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate(AbstractPreAndPostProcessingAuthenticationHandler.java:71) > at > org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:88) > at > org.jasig.cas.CentralAuthenticationServiceImpl.createTicketGrantingTicket(CentralAuthenticationServiceImpl.java:411) > at > org.jasig.cas.web.flow.AuthenticationViaFormAction.submit(AuthenticationViaFormAction.java:107) > at sun.reflect.GeneratedMethodAccessor52.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) at > org.springframework.webflow.util.DispatchMethodInvoker.invoke(DispatchMethodInvoker.java:99) > at > org.springframework.webflow.action.MultiAction.doExecute(MultiAction.java:133) > at > org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:192) > at > org.springframework.webflow.engine.AnnotatedAction.execute(AnnotatedAction.java:146) > at > org.springframework.webflow.engine.ActionExecutor.execute(ActionExecutor.java:59) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:156) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:161) > at org.springframework.webflow.engine.State.enter(State.java:191) > at > org.springframework.webflow.engine.Transition.execute(Transition.java:212) > at > org.springframework.webflow.engine.TransitionableState.onEvent(TransitionableState.java:107) > at org.springframework.webflow.engine.Flow.onEvent(Flow.java:534) > at > org.springframework.webflow.engine.impl.RequestControlContextImpl.signalEvent(RequestControlContextImpl.java:205) > at > org.springframework.webflow.engine.impl.FlowExecutionImpl.signalEvent(FlowExecutionImpl.java:202) > at > org.springframework.webflow.executor.FlowExecutorImpl.resume(FlowExecutorImpl.java:222) > at > org.springframework.webflow.executor.support.FlowRequestHandler.handleFlowRequest(FlowRequestHandler.java:111) > at > org.springframework.webflow.executor.mvc.FlowController.handleRequestInternal(FlowController.java:165) > at > org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153) > at > org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48) > at > org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875) > at > org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809) > at > org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:476) > at > org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:441) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:710) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) > at > org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) > at > org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:75) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:563) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263) > at > org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:852) > at > org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:584) > at > org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1508) > at java.lang.Thread.run(Thread.java:619) Caused by: KrbException: > Pre-authentication information was invalid (24) at > sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66) at > sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449) at > sun.security.krb5.Credentials.sendASRequest(Credentials.java:406) at > sun.security.krb5.Credentials.acquireTGT(Credentials.java:378) at > com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662) > ... 72 more Caused by: KrbException: Identifier doesn't match > expected value (906) at > sun.security.krb5.internal.KDCRep.init(KDCRep.java:133) at > sun.security.krb5.internal.ASRep.init(ASRep.java:58) at > sun.security.krb5.internal.ASRep.<init>(ASRep.java:53) at > sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50) ... 76 more > > -- > Andrew Feller, Analyst > LSU University Information Services > 200 Frey Computing Services Center > Baton Rouge, LA 70803 > Office: 225.578.3737 > Fax: 225.578.6400 > > -- > You are currently subscribed to cas-user@lists.jasig.org as: > m...@forsetti.com > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user -- m...@forsetti.com Key ID:D6EEC5B5 -- You are currently subscribed to cas-user@lists.jasig.org as: arch...@mail-archive.com To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
