Gaurav Verma created DIRSTUDIO-992:
--------------------------------------
Summary: Unable to enable kerberos authentication to connect to
Apache Directory Server
Key: DIRSTUDIO-992
URL: https://issues.apache.org/jira/browse/DIRSTUDIO-992
Project: Directory Studio
Issue Type: Bug
Components: studio-connection
Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
Environment: Win 7 Professional 64 Bit
Apache Directory Server V 2.0.0-M17
Both Directory Server and Studio hosted on the same machine
Reporter: Gaurav Verma
Priority: Blocker
Trying to enable Kerberos authentication following the instructions given at
the link
https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
Receiving exception:
javax.security.auth.login.LoginException: Integrity check on decrypted field
failed (31) - Integrity check on decrypted field failed
org.apache.directory.api.ldap.model.exception.LdapException:
javax.security.auth.login.LoginException: Integrity check on decrypted field
failed (31) - Integrity check on decrypted field failed
User password is set to make use of SSHA hashing.
Tried running Studio with administrative privileges but that doesn't fix the
issue.
DEBUG-level Directory Server logs show the following entries:
INFO | jvm 1 | 2014/09/03 15:57:14 |
-------------------------------------------------------------------------------<
INFO | jvm 1 | 2014/09/03 15:57:14 |
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service
(AS) request:
INFO | jvm 1 | 2014/09/03 15:57:14 | messageType: AS_REQ
INFO | jvm 1 | 2014/09/03 15:57:14 | protocolVersionNumber: 5
INFO | jvm 1 | 2014/09/03 15:57:14 | clientAddress: 127.0.0.1
INFO | jvm 1 | 2014/09/03 15:57:14 | nonce:
1166672761
INFO | jvm 1 | 2014/09/03 15:57:14 | kdcOptions:
INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: {
name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
INFO | jvm 1 | 2014/09/03 15:57:14 | encryptionType:
aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd
(16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)
INFO | jvm 1 | 2014/09/03 15:57:14 | realm:
EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | from time: null
INFO | jvm 1 | 2014/09/03 15:57:14 | till time:
19700101000000Z
INFO | jvm 1 | 2014/09/03 15:57:14 | renew-till time: null
INFO | jvm 1 | 2014/09/03 15:57:14 | hostAddresses: null
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by
client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17),
des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type
rc4-hmac (23).
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - --> Getting the client Entry
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation
Context: SearchContext for Dn 'dc=security,dc=example,dc=com', filter
:'([email protected])'
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb results
: 1 for filter :
(&:[1]([email protected]:[1])(#{SUBTREE_SCOPE (Estimated),
'dc=security,dc=example,dc=com', DEREF_ALWAYS}))
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found entry
uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name
[email protected]
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Found entry
uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name
[email protected]
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Found entry
uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal
[email protected]
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - --> Verifying using SAM subsystem.
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - --> Verifying using encrypted
timestamp.
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Entry for client principal
[email protected] has no SAM type. Proceeding with standard
pre-authentication.
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key rc4-hmac
(23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with
the client key (1)
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Integrity check on decrypted field failed (31)
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN
[org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field
failed (31)
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
Responding to request with error:
INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text:
Integrity check on decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | error code:
Integrity check on decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm:
EXAMPLE.COM }@EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | server time:
20140903102714Z
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text:
Integrity check on decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | error code:
Integrity check on decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm:
EXAMPLE.COM }@EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | server time:
20140903102714Z
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
/127.0.0.1:61504 SENT:
INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on
decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type:
KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on
decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | }
INFO | jvm 1 | 2014/09/03 15:57:14 |
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - /127.0.0.1:61504 SENT:
INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on
decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type:
KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on
decrypted field failed
INFO | jvm 1 | 2014/09/03 15:57:14 | }
INFO | jvm 1 | 2014/09/03 15:57:14 |
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.ldap.LdapProtocolHandler] - Cleaning the
LdapSession : No Ldap session ... session
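A triage helper for logs like the one quoted in this report, as an added example that is not part of the original report or of ApacheDS: it rejoins the mail-wrapped service-wrapper lines and extracts the encryption types the client offered, the one the KDC selected, the key type used for the PA-ENC-TIMESTAMP check and the resulting error code. The function names and the `not_first_choice` flag are assumptions made for this example; the sample input is an excerpt of the log above.

```python
import re

PREFIX = re.compile(r"^INFO \| jvm \d+ \| \S+ \S+ \| ?")  # service-wrapper prefix
ETYPE = re.compile(r"([a-z0-9-]+) \((\d+)\)")              # e.g. "rc4-hmac (23)"

# Excerpt of the log quoted in the report, line-wrapped as in the e-mail.
SAMPLE = """\
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by
client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17),
des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type
rc4-hmac (23).
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
[org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key rc4-hmac
(23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with
the client key (1)
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN
[org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field
failed (31)
"""

def unwrap(text):
    """Rejoin wrapped lines: a record starts at each wrapper prefix."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line):
            records.append(PREFIX.sub("", line).strip())
        elif records:
            records[-1] = (records[-1] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Etype negotiation and pre-auth outcome of one AS exchange.
    not_first_choice is True when the KDC did not pick the first-listed etype."""
    out = {"requested": [], "selected": None, "preauth_key": None, "error": None}
    for rec in unwrap(text):
        if "Encryption types requested by client" in rec:
            out["requested"] = [int(n) for _, n in ETYPE.findall(rec)]
        elif "Session will use encryption type" in rec:
            out["selected"] = int(ETYPE.search(rec).group(2))
        elif "Decrypting data using key" in rec:
            out["preauth_key"] = int(ETYPE.search(rec).group(2))
        elif " WARN " in rec and (m := re.search(r"- (.+) \((\d+)\)$", rec)):
            out["error"] = (int(m.group(2)), m.group(1))
    out["not_first_choice"] = bool(out["requested"]) and out["selected"] != out["requested"][0]
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```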