Posted to dev@directory.apache.org by "Jeremy Cocks (JIRA)" <ji...@apache.org> on 2018/05/14 13:38:00 UTC
[jira] [Commented] (DIRSTUDIO-992) Unable to enable kerberos authentication to connect to Apache Directory Server
[ https://issues.apache.org/jira/browse/DIRSTUDIO-992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16474231#comment-16474231 ]
Jeremy Cocks commented on DIRSTUDIO-992:
----------------------------------------
The exception 'Integrity check on decrypted field failed' commonly means there is a mismatch between the key stored in the keytab and the key in the KDC. There is not enough troubleshooting / debug in this bug to check as to whether that has been verified.
> Unable to enable kerberos authentication to connect to Apache Directory Server
> ------------------------------------------------------------------------------
>
> Key: DIRSTUDIO-992
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-992
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-connection
> Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
> Environment: Win 7 Professional 64 Bit
> Apache Directory Server V 2.0.0-M17
> Both Directory Server and Studio hosted on the same machine
> Reporter: Gaurav Verma
> Priority: Blocker
> Labels: kerberos
>
> Trying to enable kerberos authentication following the instructions given on link https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
> Receiving exception:
> javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
> org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
> User password is set to make use of SSHA hashing
> Tried running Studio with administrative privileges but that doesn't fix the issue.
> DEBUG level Directory Server logs shows following entries:
> INFO | jvm 1 | 2014/09/03 15:57:14 | -------------------------------------------------------------------------------<
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service (AS) request:
> INFO | jvm 1 | 2014/09/03 15:57:14 | messageType: AS_REQ
> INFO | jvm 1 | 2014/09/03 15:57:14 | protocolVersionNumber: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientAddress: 127.0.0.1
> INFO | jvm 1 | 2014/09/03 15:57:14 | nonce: 1166672761
> INFO | jvm 1 | 2014/09/03 15:57:14 | kdcOptions:
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
> INFO | jvm 1 | 2014/09/03 15:57:14 | encryptionType: aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | from time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | till time: 19700101000000Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | renew-till time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | hostAddresses: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type rc4-hmac (23).
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Getting the client Entry
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'dc=security,dc=example,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb results : 1 for filter : (&:[1](krb5PrincipalName=hnelson@EXAMPLE.COM:[1])(#{SUBTREE_SCOPE (Estimated), 'dc=security,dc=example,dc=com', DEREF_ALWAYS}))
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using SAM subsystem.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using encrypted timestamp.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key rc4-hmac (23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (1)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
> INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | error code: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
> INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | server time: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
> INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | error code: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
> INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | server time: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:61504 SENT:
> INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
> INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
> INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
> INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
> INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | }
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /127.0.0.1:61504 SENT:
> INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
> INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
> INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
> INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
> INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | }
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.ldap.LdapProtocolHandler] - Cleaning the LdapSession : No Ldap session ... session
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
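
A triage sketch for the key-mismatch check suggested in the comment above, added here and not part of the original message or of ApacheDS: it reads KERBEROS_LOG lines in the format quoted in the issue and reports which principal and encryption type failed pre-authentication, which is the keytab entry to compare with the KDC's key. The function names are hypothetical and the sample is an excerpt of the quoted log.

```python
import re

# Added example (names are illustrative). Sample: excerpt of the log quoted in the issue.
SAMPLE_LOG = """\
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service (AS) request:
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type rc4-hmac (23).
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key rc4-hmac (23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (1)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

PATTERNS = {
    "session_etype": re.compile(r"Session will use encryption type (\S+) \((\d+)\)"),
    "principal": re.compile(r"Found entry .+? for (?:kerberos )?principal(?: name)? (\S+)"),
    "decrypt_key": re.compile(r"Decrypting data using key (\S+) \((\d+)\)"),
    "error": re.compile(r"WARN\s+\[[^\]]+\] - (.+) \((\d+)\)\s*$"),
}


def failed_preauth(log_text):
    """Return one record per AS exchange that ended in a logged WARN error."""
    findings, current = [], {}
    for line in log_text.splitlines():
        if "Received Authentication Service (AS) request" in line:
            current = {}  # a new AS-REQ starts a new record
        for field, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and field == "principal":
                current[field] = m.group(1)
            elif m and field != "error":
                current[field] = (m.group(1), int(m.group(2)))
            elif m and "error" not in current:  # a second logger repeats the same WARN
                current["error"], current["code"] = m.group(1), int(m.group(2))
                findings.append(current)
    return findings


def key_to_verify(rec):
    """For error 31 (KRB_AP_ERR_BAD_INTEGRITY), name the key to compare on both sides."""
    if rec.get("code") != 31 or "decrypt_key" not in rec:
        return None
    name, etype = rec["decrypt_key"]
    return f"{rec.get('principal', '<unknown>')}: compare the {name} (etype {etype}) key in the keytab with the KDC's"


if __name__ == "__main__":
    for rec in failed_preauth(SAMPLE_LOG):
        print(key_to_verify(rec))
```

The client offered aes256 first, but the record shows the KDC decrypting with rc4-hmac (23), so that is the key version and type to check on both sides.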