Hi Team,

We are using the 1.20 Kerberos library on our Windows platform for authenticating 
with our Netezza server. We are having issues using API & MSLSA cache types in 
krb5.conf. We receive the below error while authenticating.

Error: "Pre-authentication information was invalid (24) - PREAUTH_FAILED"

Please note the FILE: option works as attached. Please let us know if this is a 
bug in Kerberos?

Regards,
Samir Sayyed
[email protected]

C:\JDBC\jre\bin>.\java.exe -Djava.security.krb5.conf="C:\ProgramData\MIT\Kerberos5\krb5.ini" -Dsun.security.krb5.debug=true -jar C:\JDBC\nzjdbc.jar
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is API:Initial default ccache isInitiator true KeyTab is null refreshKrb5Config is true principal is [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\ProgramData\MIT\Kerberos5\krb5.ini
Loading krb5 profile at C:\ProgramData\MIT\Kerberos5\krb5.ini
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
Principal is [email protected]
null credentials from Ticket Cache
                [Krb5LoginModule] user entered username: [email protected]

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000, number of retries =3, #bytes=154
>>> KDCCommunication: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000,Attempt =1, #bytes=154
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000,Attempt =2, #bytes=154
>>> KrbKdcReq send: #bytes read=469
>>>Pre-Authentication Data:
         PA-DATA type = 136

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = NZSQA.IBM.COMMYUSER, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 151

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 133

>>> KdcAccessibility: remove ym1.fyre.ibm.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Thu Nov 21 13:46:32 IST 2024 1732176992000
         suSec is 763984
         error code is 25
         error Message is Additional pre-authentication required
         cname is [email protected]
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 136

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = NZSQA.IBM.COMMYUSER, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 151

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 133

KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 20 19 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000, number of retries =3, #bytes=236
>>> KDCCommunication: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000,Attempt =1, #bytes=236
>>> KrbKdcReq send: #bytes read=469
>>>Pre-Authentication Data:
         PA-DATA type = 136

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = NZSQA.IBM.COMMYUSER, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 151

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 133

>>> KdcAccessibility: remove ym1.fyre.ibm.com:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Thu Nov 21 13:46:33 IST 2024 1732176993000
         suSec is 253258
         error code is 24
         error Message is Pre-authentication information was invalid
         cname is [email protected]
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 136

>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = NZSQA.IBM.COMMYUSER, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 151

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 133

KRBError received: PREAUTH_FAILED
                [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24) - PREAUTH_FAILED
                [Krb5LoginModule]: Entering logout
Pre-authentication information was invalid (24) - PREAUTH_FAILED

C:\JDBC\jre\bin>

C:\JDBC\jre\bin>.\java.exe -Djava.security.krb5.conf="C:\ProgramData\MIT\Kerberos5\krb5.ini" -Dsun.security.krb5.debug=true -jar C:\JDBC\nzjdbc.jar
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is D:\JDBC\ticket isInitiator true KeyTab is null refreshKrb5Config is true principal is [email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\ProgramData\MIT\Kerberos5\krb5.ini
Loading krb5 profile at C:\ProgramData\MIT\Kerberos5\krb5.ini
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>DEBUG <CCacheInputStream>  client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Thu Nov 21 14:51:18 IST 2024
>>>DEBUG <CCacheInputStream> start time: Thu Nov 21 14:51:18 IST 2024
>>>DEBUG <CCacheInputStream> end time: Fri Nov 22 12:06:17 IST 2024
>>>DEBUG <CCacheInputStream> renew_till time: Thu Nov 21 14:51:18 IST 2024
>>> CCacheInputStream: readFlags()  FORWARDABLE; PROXIABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>DEBUG <CCacheInputStream>  client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/[email protected]@NZSQA.IBM.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 05:30:00 IST 1970
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 05:30:00 IST 1970
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
>>>DEBUG <CCacheInputStream>  client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/pa_type/krbtgt/[email protected]@NZSQA.IBM.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Thu Jan 01 05:30:00 IST 1970
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Thu Jan 01 05:30:00 IST 1970
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
Principal is [email protected]
Commit Succeeded

Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Nov 22 12:06:17 IST 2024
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Nov 22 12:06:17 IST 2024
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Nov 22 12:06:17 IST 2024
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 18 17 20 19 16 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbKdcReq send: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000, number of retries =3, #bytes=828
>>> KDCCommunication: kdc=ym1.fyre.ibm.com UDP:88, timeout=30000,Attempt =1, #bytes=828
>>> KrbKdcReq send: #bytes read=915
>>> KdcAccessibility: remove ym1.fyre.ibm.com:88
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting mySeqNumber to: 114645397
Created InitSecContextToken:

Entered Krb5Context.initSecContext with state=STATE_IN_PROCESS
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Krb5Context setting peerSeqNumber to: 938612062
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

C:\JDBC\jre\bin>

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
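
An added example, not part of the original post and not JDK or MIT Kerberos code: a small Python triage helper that separates the two traces above by whether the TGT was read from the ticket cache or the login fell through to a fresh AS-REQ that the KDC rejected. The sample traces are constructed excerpts modelled on the post, and `cache_type` and `summarize` are hypothetical helper names.

```python
import re

# Constructed excerpts modelled on the two traces in the post.
API_TRACE = """\
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt
false ticketCache is API:Initial default ccache isInitiator true KeyTab is null
Acquire TGT from Cache
null credentials from Ticket Cache
>>> KrbAsReq creating message
KRBError received: NEEDED_PREAUTH
>>> KrbAsReq creating message
KRBError received: PREAUTH_FAILED
"""
FILE_TRACE = """\
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt
false ticketCache is D:\\JDBC\\ticket isInitiator true KeyTab is null
Acquire TGT from Cache
>>>DEBUG <CCacheInputStream> key type: 18
Commit Succeeded
"""

def cache_type(name):
    """Return the ccache type prefix; a one-letter prefix is a Windows drive,
    so a bare path such as D:\\JDBC\\ticket is classified here as FILE."""
    m = re.match(r"([A-Za-z]{2,}):", name)
    return m.group(1).upper() if m else "FILE"

def summarize(trace):
    """Summarise one Krb5LoginModule debug trace (hypothetical helper)."""
    flat = " ".join(trace.split())  # undo mail-client line wrapping
    m = re.search(r"ticketCache is (.+?) isInitiator", flat)
    name = m.group(1) if m else None
    errors = re.findall(r"KRBError received: (\w+)", flat)
    cache_miss = "null credentials from Ticket Cache" in flat
    as_req = "KrbAsReq creating message" in flat
    if cache_miss and as_req and errors[-1:] == ["PREAUTH_FAILED"]:
        verdict = "cache-miss-then-as-req-preauth-failed"
    elif not cache_miss and "Commit Succeeded" in flat:
        verdict = "tgt-from-cache"
    else:
        verdict = "inconclusive"
    return {"cache": name, "type": cache_type(name) if name else None,
            "cache_miss": cache_miss, "errors": errors, "verdict": verdict}

if __name__ == "__main__":
    for t in (API_TRACE, FILE_TRACE):
        print(summarize(t))
```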
