Laurence wrote:
Hey guys, hopefully someone can help me out here. I am having a problem with authenticating a user to a KDC (I believe the MIT reference implementation) using Java (JDK1.5 and JDK1.4) through GSS. Here is the background: I have two processes running on one machine (Client and Server). 1. Client authenticates to kerberos server and logs in, uses the GSS libraries to create a service ticket for destination server (Authenticates with principal test/[EMAIL PROTECTED]). 2. Server receives request from client (Through soap transcation). Generates a login context and tries to authenticate against the kerberos server using test2/[EMAIL PROTECTED] Server is returned an error from the kerberos server (Integrity check on decrypted field failed (31) - PREAUTH_FAILED).
There is a bug in Java related to PREAUTH. (Its fixed in 1.6 I believe.) It has to do with Jave assuming it knows the "salt" to use when generating the key from the password. key = fun(passwrod,salt); The salt is based on user and realm. Jave assumes that the these have not changed since the password was last changed. Windows is also case insensitive but does preserve the case of the salt when changing the password. So if you have moved an AD account from one domain to another or changed the acount name (even the case) and not changed the password you could have problems. So make sure the case of the principal and the principal is the same as when the password for the acount was last changed.
If I configured the client to use the same username/password I can authenticate on the client, but no matter what I put in the server it fails. I don't know the kerberos protocol well enough to know if I can even do this (Having the server contact the KDC after a service ticket has been issued to the client to authenticate). Is that why I'm getting what I've read indicates a password error? ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos