[
https://issues.apache.org/jira/browse/DIRSTUDIO-992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16474231#comment-16474231
]
Jeremy Cocks commented on DIRSTUDIO-992:
----------------------------------------
The exception 'Integrity check on decrypted field failed' commonly means there
is a mismatch between the key stored in the keytab and the key in the KDC.
There is not enough troubleshooting / debug in this bug to check as to whether
that has been verified.
> Unable to enable kerberos authentication to connect to Apache Directory Server
> ------------------------------------------------------------------------------
>
> Key: DIRSTUDIO-992
> URL: https://issues.apache.org/jira/browse/DIRSTUDIO-992
> Project: Directory Studio
> Issue Type: Bug
> Components: studio-connection
> Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
> Environment: Win 7 Professional 64 Bit
> Apache Directory Server V 2.0.0-M17
> Both Directory Server and Studio hosted on the same machine
> Reporter: Gaurav Verma
> Priority: Blocker
> Labels: kerberos
>
> Trying to enable kerberos authentication following the instructions given on
> link
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
> Receiving exception:
> javax.security.auth.login.LoginException: Integrity check on decrypted field
> failed (31) - Integrity check on decrypted field failed
> org.apache.directory.api.ldap.model.exception.LdapException:
> javax.security.auth.login.LoginException: Integrity check on decrypted field
> failed (31) - Integrity check on decrypted field failed
> User password is set to make use of SSHA hashing
> Tried running Studio with administrative privileges but that doesn't fix the
> issue.
> DEBUG level Directory Server logs shows following entries:
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> -------------------------------------------------------------------------------<
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service
> (AS) request:
> INFO | jvm 1 | 2014/09/03 15:57:14 | messageType: AS_REQ
> INFO | jvm 1 | 2014/09/03 15:57:14 | protocolVersionNumber: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientAddress: 127.0.0.1
> INFO | jvm 1 | 2014/09/03 15:57:14 | nonce:
> 1166672761
> INFO | jvm 1 | 2014/09/03 15:57:14 | kdcOptions:
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: {
> name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
> name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
> INFO | jvm 1 | 2014/09/03 15:57:14 | encryptionType:
> aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd
> (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm:
> EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | from time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | till time:
> 19700101000000Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | renew-till time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | hostAddresses: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by
> client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17),
> des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type
> rc4-hmac (23).
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - --> Getting the client Entry
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.core.authn.AuthenticationInterceptor] -
> Operation Context: SearchContext for Dn 'dc=security,dc=example,dc=com',
> filter :'([email protected])'
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb
> results : 1 for filter :
> (&:[1]([email protected]:[1])(#{SUBTREE_SCOPE
> (Estimated), 'dc=security,dc=example,dc=com', DEREF_ALWAYS}))
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found
> entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos
> principal name hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Found entry
> uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal
> name hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Found entry
> uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal
> hnelson@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using SAM
> subsystem.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using encrypted
> timestamp.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Entry for client principal
> hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard
> pre-authentication.
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key
> rc4-hmac (23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp,
> encrypted with the client key (1)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Integrity check on decrypted field failed (31)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN
> [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted
> field failed (31)
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> Responding to request with error:
> INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text:
> Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | error code:
> Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
> INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
> name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm:
> EXAMPLE.COM }@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | server time:
> 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
> INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text:
> Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | error code:
> Integrity check on decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
> INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
> INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: {
> name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm:
> EXAMPLE.COM }@EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | server time:
> 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> /127.0.0.1:61504 SENT:
> INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
> INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
> INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
> INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on
> decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type:
> KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
> INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on
> decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | }
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.KERBEROS_LOG] - /127.0.0.1:61504 SENT:
> INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
> INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
> INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
> INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
> INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
> INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on
> decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
> INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type:
> KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
> INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on
> decrypted field failed
> INFO | jvm 1 | 2014/09/03 15:57:14 | }
> INFO | jvm 1 | 2014/09/03 15:57:14 |
> INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG
> [org.apache.directory.server.ldap.LdapProtocolHandler] - Cleaning the
> LdapSession : No Ldap session ... session
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
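
Why a key mismatch shows up as error 31 at the rc4-hmac (23) pre-authentication step in the log above, as an added example (not part of the JIRA thread and not ApacheDS code): a minimal RFC 4757 encrypt/decrypt of the encrypted timestamp with key usage 1. The two keys and the timestamp bytes are constructed; a real rc4-hmac key is derived from the password, and the real plaintext is a DER-encoded structure.

```python
import hashlib
import hmac
import os

KRB_AP_ERR_BAD_INTEGRITY = 31       # "Integrity check on decrypted field failed"
USAGE_PA_ENC_TIMESTAMP = 1          # key usage 1, as in the server log
KEY_CLIENT = bytes(range(16))       # constructed 16-byte key held by the client
KEY_KDC = bytes(range(16, 32))      # constructed, different key stored in the KDC

def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def _rc4(key, data):
    # Plain RC4: key schedule, then XOR the data with the keystream.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def rc4_hmac_encrypt(key, usage, plaintext):
    # RFC 4757: checksum = HMAC(K1, confounder || plaintext); RC4 key = HMAC(K1, checksum)
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    data = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + _rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key, usage, blob):
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    checksum, body = blob[:16], blob[16:]
    data = _rc4(_hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        raise ValueError(KRB_AP_ERR_BAD_INTEGRITY)   # wrong key or wrong usage
    return data[8:]                                  # strip the confounder

def kdc_check(client_key, kdc_key, stamp=b"20140903102714Z"):
    """Return 0 if the KDC can verify the client's timestamp, else error 31."""
    blob = rc4_hmac_encrypt(client_key, USAGE_PA_ENC_TIMESTAMP, stamp)
    try:
        rc4_hmac_decrypt(kdc_key, USAGE_PA_ENC_TIMESTAMP, blob)
        return 0
    except ValueError as exc:
        return exc.args[0]
```

The KDC cannot tell a mistyped password from a stale keytab entry or a key stored under a different encryption type; all of them fail the same HMAC comparison, which is why the key on both sides has to be compared directly.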