[jcifs] Java SPNEGO Kerberos | Integrity check on decrypted field failed

andlebedev andlebedev at list.ru
Fri May 11 10:06:26 GMT 2007


Hi, Mike!
I'm sorry to trouble you.
I've read your letter: http://mailman.mit.edu/pipermail/kerberos/2006-November/010858.html
And decided to contact you.
I'm using jcifs-ext_0.9.4, which contains AuthenticationFilter and provides Kerberos Single-Sign-On authentication. But it doesn't work on my system.
In brief I have the following configuration:
1. Windows 2000 server. It controls the TESTSPNEGO.TEST.MSK domain.
 In AD there are 2 test users:
 - a user for the machine on which the Apache server is started
 - a user for the test machine which connects to my Apache server.

Using LDAP utilities I set up this Windows 2000 server to use only DES encryption (it really works; KERBTRAY shows that all my tickets are encrypted with DES-CBC-MD5).

The user for the Apache machine also has the "DES only..." flag.

Using the ktpass utility, I set: ktpass -princ HTTP/INFO038@TESTSPNEGO.TEST.MSK -mapUser apacheUser -pass ... -crypto DES-CBC-MD5

2. Windows XP server (INFO038), with Apache Tomcat on it, and my Java program with AuthenticationFilter.


When using the kinit utility I noticed that if the user for the Apache server has the flag "do not require Kerberos pre-authentication..." set, kinit throws an exception:
Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed
KrbException: Integrity check on decrypted field failed (31)
        at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
        at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)

If this flag is OFF (not checked), kinit works OK.

So, when I run my Apache Tomcat server and try to connect to it from the test machine, I get this log:

14:01:22,851  INFO AuthenticationFilter:185 - MSG: null
14:01:22,871  INFO AuthenticationFilter:185 - MSG: Negotiate [base64 SPNEGO token omitted]
14:01:22,871  INFO AuthenticationFilter:199 - auth type: Negotiate
14:01:22,871  INFO AuthenticationFilter:201 - NEGOTIATE
14:01:22,871  INFO Authentication:238 - IN Authentication class: it is NEGOTIATE!!!
Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
		[Krb5LoginModule] user entered username: HTTP/info038 at TESTSPNEGO.TEST.MSK

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=10.230.231.26 UDP:88, timeout=30000, number of retries =3, #bytes=170
>>> KDCCommunication: kdc=10.230.231.26 UDP:88, timeout=30000,Attempt =1, #bytes=170
>>> KrbKdcReq send: #bytes read=235
>>> KrbKdcReq send: #bytes read=235
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Fri May 11 14:01:50 MSD 2007 1178877710000
	 suSec is 790996
	 error code is 25
	 error Message is Additional pre-authentication required
	 realm is TESTSPNEGO.TEST.MSK
	 sname is krbtgt/TESTSPNEGO.TEST.MSK
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 11
	 PA-ETYPE-INFO etype = 3
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Pre-Authentication: Set preferred etype = 3
Updated salt from pre-auth = TESTSPNEGO.TEST.MSKHTTPinfo038
>>>KrbAsReq salt is TESTSPNEGO.TEST.MSKHTTPinfo038
Pre-Authenticaton: find key for etype = 3
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=10.230.231.26 UDP:88, timeout=30000, number of retries =3, #bytes=240
>>> KDCCommunication: kdc=10.230.231.26 UDP:88, timeout=30000,Attempt =1, #bytes=240
>>> KrbKdcReq send: #bytes read=1337
>>> KrbKdcReq send: #bytes read=1337
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/info038
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is HTTP/info038 at TESTSPNEGO.TEST.MSK
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 2C 85 0D 61 8F C1 5B E0   
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 2C 85 0D 61 8F C1 5B E0   
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E9 91 E6 DB A2 B1 EB D9   7E 8E 6E 45 A9 B4 66 90  ..........nE..f.

EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 64 89 AE C1 0D 57 31 34   37 85 25 49 45 BA 0E 01  d....W147.%IE...
0010: F2 07 DC D3 2A 8F 51 E9   
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: B8 3B 19 48 A1 89 38 6E   1B C2 14 E7 2D A1 20 DE  .;.H..8n....-. .

Added server's keyKerberos Principal HTTP/info038 at TESTSPNEGO.TEST.MSKKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 2C 85 0D 61 8F C1 5B E0   

		[Krb5LoginModule] added Krb5Principal  HTTP/info038 at TESTSPNEGO.TEST.MSK to Subject
Added server's keyKerberos Principal HTTP/info038 at TESTSPNEGO.TEST.MSKKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 2C 85 0D 61 8F C1 5B E0   

		[Krb5LoginModule] added Krb5Principal  HTTP/info038 at TESTSPNEGO.TEST.MSK to Subject
Added server's keyKerberos Principal HTTP/info038 at TESTSPNEGO.TEST.MSKKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: E9 91 E6 DB A2 B1 EB D9   7E 8E 6E 45 A9 B4 66 90  ..........nE..f.


		[Krb5LoginModule] added Krb5Principal  HTTP/info038 at TESTSPNEGO.TEST.MSK to Subject
Added server's keyKerberos Principal HTTP/info038 at TESTSPNEGO.TEST.MSKKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 64 89 AE C1 0D 57 31 34   37 85 25 49 45 BA 0E 01  d....W147.%IE...
0010: F2 07 DC D3 2A 8F 51 E9   

		[Krb5LoginModule] added Krb5Principal  HTTP/info038 at TESTSPNEGO.TEST.MSK to Subject
Added server's keyKerberos Principal HTTP/info038 at TESTSPNEGO.TEST.MSKKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: B8 3B 19 48 A1 89 38 6E   1B C2 14 E7 2D A1 20 DE  .;.H..8n....-. .


		[Krb5LoginModule] added Krb5Principal  HTTP/info038 at TESTSPNEGO.TEST.MSK to Subject
Commit Succeeded 

Found key for HTTP/info038 at TESTSPNEGO.TEST.MSK(1)
Found key for HTTP/info038 at TESTSPNEGO.TEST.MSK(17)
Found key for HTTP/info038 at TESTSPNEGO.TEST.MSK(3)
Found key for HTTP/info038 at TESTSPNEGO.TEST.MSK(16)
Found key for HTTP/info038 at TESTSPNEGO.TEST.MSK(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
	at jcifs.spnego.Authentication.processKerberos(Authentication.java:452)
	at jcifs.spnego.Authentication.processSpnego(Authentication.java:350)
	at jcifs.spnego.Authentication.process(Authentication.java:239)
	at ru.krb.filter.Negotiate.authenticate(Negotiate.java:45)
	at ru.krb.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:203)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at jcifs.spnego.Authentication.processKerberos(Authentication.java:435)
	... 18 more
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
	... 23 more
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:522)
	... 25 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
	... 30 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
	... 32 more
14:01:23,273 ERROR [action]:253 - Servlet.service() for servlet action threw exception
java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at jcifs.spnego.Authentication.processKerberos(Authentication.java:435)
	at jcifs.spnego.Authentication.processSpnego(Authentication.java:350)
	at jcifs.spnego.Authentication.process(Authentication.java:239)
	at ru.krb.filter.Negotiate.authenticate(Negotiate.java:45)
	at ru.krb.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:203)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)
Caused by: java.security.PrivilegedActionException: java.lang.reflect.InvocationTargetException
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
	... 23 more
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at jcifs.spnego.Authentication$ServerAction.run(Authentication.java:522)
	... 25 more
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
	... 30 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
	at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
	at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
	at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
	at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
	... 32 more


I could not understand WHY this error is thrown. I tried to connect from IEXPLORE and MOZILLA FIREFOX; there isn't any difference.
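Editor's note on the trace above: KrbException 31 is raised inside KrbApReq.authenticate, i.e. when the acceptor decrypts the service ticket with the etype 3 key that Krb5LoginModule derived from the password (salt TESTSPNEGO.TEST.MSKHTTPinfo038) and the MD5 checksum embedded in the plaintext does not match. That only happens when the acceptor's key differs from the key the KDC used, so the things to compare are the password given to ktpass, the key version, and the salt; note that DES string-to-key is salt-sensitive and the post's ktpass used HTTP/INFO038 while the login principal is HTTP/info038. The following is an added example (not jcifs or JDK code) that implements RFC 3961 des-cbc-md5 just far enough to reproduce the check; the first key is the etype 3 key bytes printed in the log, the second is a constructed stand-in for a key derived from a different password or salt.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Minimal RFC 3961 des-cbc-md5 (etype 3): shows where Kerberos error 31 comes from. */
public class DesCbcMd5Demo {
    private static final int CONF = 8, CKSUM = 16;   // confounder and MD5 checksum sizes

    static byte[] desCbc(int mode, byte[] key, byte[] data) throws Exception {
        SecretKey k = SecretKeyFactory.getInstance("DES").generateSecret(new DESKeySpec(key));
        Cipher c = Cipher.getInstance("DES/CBC/NoPadding");
        c.init(mode, k, new IvParameterSpec(new byte[8]));   // etype 3 uses an all-zero IV
        return c.doFinal(data);
    }

    /** plaintext = confounder || zeroed checksum || msg || zero pad; MD5 filled in, then DES-CBC. */
    static byte[] encrypt(byte[] key, byte[] msg) throws Exception {
        byte[] plain = new byte[(CONF + CKSUM + msg.length + 7) / 8 * 8];
        byte[] confounder = new byte[CONF];
        new SecureRandom().nextBytes(confounder);
        System.arraycopy(confounder, 0, plain, 0, CONF);
        System.arraycopy(msg, 0, plain, CONF + CKSUM, msg.length);
        byte[] md5 = MessageDigest.getInstance("MD5").digest(plain); // checksum field is zero here
        System.arraycopy(md5, 0, plain, CONF, CKSUM);
        return desCbc(Cipher.ENCRYPT_MODE, key, plain);
    }

    /** Decrypt and verify; a key that differs from the one the KDC used yields garbage whose
     *  recomputed MD5 cannot match the stored one, which the JDK reports as KrbException 31. */
    static byte[] decrypt(byte[] key, byte[] ct) throws Exception {
        byte[] plain = desCbc(Cipher.DECRYPT_MODE, key, ct);
        byte[] stored = Arrays.copyOfRange(plain, CONF, CONF + CKSUM);
        Arrays.fill(plain, CONF, CONF + CKSUM, (byte) 0);
        byte[] computed = MessageDigest.getInstance("MD5").digest(plain);
        if (!MessageDigest.isEqual(stored, computed))
            throw new Exception("KRB_AP_ERR_BAD_INTEGRITY (31): Integrity check on decrypted field failed");
        return Arrays.copyOfRange(plain, CONF + CKSUM, plain.length);   // message plus zero padding
    }

    public static void main(String[] args) throws Exception {
        // kdcKey: etype 3 key bytes from the post's log; wrongKey: constructed mismatching key.
        byte[] kdcKey = {0x2C, (byte) 0x85, 0x0D, 0x61, (byte) 0x8F, (byte) 0xC1, 0x5B, (byte) 0xE0};
        byte[] wrongKey = {0x01, 0x02, 0x04, 0x07, 0x08, 0x10, 0x13, 0x16};
        byte[] ticket = encrypt(kdcKey, "EncTicketPart (constructed)".getBytes("US-ASCII"));
        System.out.println(new String(decrypt(kdcKey, ticket), "US-ASCII").trim()); // matching key: ok
        try { decrypt(wrongKey, ticket); } catch (Exception e) { System.out.println(e.getMessage()); }
    }
}
```

The same check governs the kinit failure earlier in the post: with pre-authentication disabled the AS-REP is returned immediately and the client decrypts it with the locally derived key, so a key that disagrees with the KDC's surfaces as the same error 31.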

