I removed the allow_weak_crypto = true from krb5.conf and set the ads-krbEncryptionTypes to have only one value aes256-cts-hmac-sha1-96. But I still get the same error. See the log
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I am wondering about the "No timestamp found" error. Does it have any relation to the "Integrity check on decrypted field failed" error?

Regards,
james

From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Monday, April 08, 2013 10:16 AM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

very likely that the default weak encryption type set in ApacheDS is the reason.
either you enable the weak encryption support in krb5.conf

[libdefaults]
    allow_weak_crypto = true

or modify the encryption types configured in ApacheDS

1. go to the entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can add another value like aes256-cts-hmac-sha1-96)
3. restart the server

let us know if you still have an issue

On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <[email protected]> wrote:

I installed the JCE and am using the JVM from Oracle now. But I am getting the same error as when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines, both show the same error.
The kinit is part of the krb5-lib/krb5-workstation library. Do I have to use another implementation of kinit?

Regards,
james

-----Original Message-----
From: Emmanuel Lécharny [mailto:[email protected]]
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

On 4/8/13 3:35 AM, Wu, James C. wrote:
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to Oracle JVM by installing the
> jdk-7u17-linux-x64.rpm from Oracle, I even get NullPointerException. See the
> following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE in order to be able to use AES 256.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

--
Kiran Ayyagari
http://keydap.com
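
Added example, not part of the thread and not ApacheDS code: a short Python triage of the KDC log lines quoted above. It collapses the duplicate entries written by the two loggers and separates the normal pre-authentication prompt (error 25) from the failing retry (error 31). The error names are from RFC 4120; the function names and the reading of "No timestamp found" as a request that carried no PA-ENC-TIMESTAMP are assumptions.

```python
import re

# Constructed input: the ApacheDS log lines quoted in the thread above.
SAMPLE_LOG = """\
[10:29:58] ERROR [org.apache.directory.server.KERBEROS_LOG] - No timestamp found
[10:29:58] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Additional pre-authentication required (25)
[10:29:58] WARN [org.apache.directory.server.KERBEROS_LOG] - Additional pre-authentication required (25)
[10:30:02] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[10:30:02] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

# RFC 4120 names for the two error codes seen in the thread.
KRB_ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY"}
LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s+(\w+)\s+\[[\w.]+\] - (.*?)(?: \((\d+)\))?$")

def parse_events(log):
    """Return (time, message, code) tuples, collapsing the duplicate that
    appears under both KERBEROS_LOG and KerberosProtocolHandler."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, _level, msg, code = m.groups()
        event = (ts, msg, int(code) if code else None)
        if event not in events:
            events.append(event)
    return events

def triage(log):
    """Label each distinct event as an expected protocol step or a failure."""
    findings = []
    preauth_requested = False
    for ts, msg, code in parse_events(log):
        if code == 25:
            # First AS-REQ carried no encrypted timestamp; the KDC asks for one.
            preauth_requested = True
            findings.append((ts, KRB_ERRORS[25], "expected"))
        elif code == 31:
            # The KDC could not verify the client's encrypted data with its key.
            # After a 25 this is the retry failing: password or key/enctype mismatch.
            kind = "preauth-key-mismatch" if preauth_requested else "integrity-failure"
            findings.append((ts, KRB_ERRORS[31], kind))
        elif msg == "No timestamp found":
            # Assumption: logged when the request has no PA-ENC-TIMESTAMP.
            findings.append((ts, "NO_PA_ENC_TIMESTAMP", "expected"))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields three findings; only the last one, at 10:30:02, is a failure to investigate.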
