Skip to Content
0
Aug 28, 2007 at 02:02 PM

SPNego Error on Pre-authentication

488 Views

Hello,

I am trying to configure SPNego with "SPNgeo wizard" on EP 7.0 SPS11.

But I have a big issue :

<i>

Refreshing Keytab

>>>KinitOptions cache name is C:\Documents and Settings\XA70316ADM\krb5cc_XA70316ADM

>> Acquire default native Credentials

>>> LSA contains TGT for XA70316ADM@MYDOMAIN.CORP not svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP

Principal is svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP

null credentials from Ticket Cache

>>> KeyTabInputStream, readName(): MYDOMAIN.CORP

>>> KeyTabInputStream, readName(): svc-appl-j2ee-qp1-eu

>>> KeyTab: load() entry length: 65; type: 3

principal's key obtained from the keytab

principal is svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP

>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

>>> KrbAsReq calling createMessage

>>> KrbAsReq in createMessage

>>> KrbAsReq etypes are: 1

>>> KrbKdcReq send: kdc=sma2001.mydomain.corp UDP:88, timeout=30000, number of retries =3, #bytes=250

>>> KDCCommunication: kdc=sma2001.mydomain.corp UDP:88, timeout=30000,Attempt =1, #bytes=250

>>> KrbKdcReq send: #bytes read=192

>>> KrbKdcReq send: #bytes read=192

>>> KDCRep: init() encoding tag is 126 req type is 11

>>>KRBError:

sTime is Tue Aug 28 15:44:57 CEST 2007 1188308697000

suSec is 301117

error code is 24

error Message is Pre-authentication information was invalid

realm is MYDOMAIN.CORP

sname is krbtgt/MYDOMAIN.CORP

eData provided.

[Krb5LoginModule] authentication failed Pre-authentication information was invalid (24)

Error creating GSS context.

[EXCEPTION]

GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)

at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)

at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)

at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)

at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)

at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)

at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)

at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.createGSSContext(Krb5ServerTest.java:104)

at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.execute(Krb5ServerTest.java:75)

at com.sap.engine.config.diagtool.Task.execute(Task.java:55)

at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:343)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)

Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:324)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)

at javax.security.auth.login.LoginContext.login(LoginContext.java:534)

at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)

at java.security.AccessController.doPrivileged(Native Method)

at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)

... 15 more

Caused by: KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)

at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)

at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)

... 29 more

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.ah.a(DashoA12275:134)

at sun.security.krb5.internal.av.a(DashoA12275:63)

at sun.security.krb5.internal.av.<init>(DashoA12275:58)

at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

... 32 more

Acquire credential failed for realm MYDOMAIN.CORP

</i>

I try to select the option "Do not require Kerberos preauthentication" on Active Directory user properties. But it still the same !

Does anybody know how to solve this ?

Regards,

Chris