Carlos Zottmann wrote:
Hi!! I am new to the list, so, first of all, hello everybody!!
We are facing a weird problem here ... We are using authentication in our java web pages, running in Tomcat 5.0.28, through the "com.sun.security.auth.module.Krb5LoginModule", against a MS Active Directory database. Everything works fine, except when the passwords are 10 or 11 characters long. In these cases, we get the error below in the "catalina.out" log file:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
Has anyone run into this problem before? How could we trace it?
Maybe. Error 24 can also be caused by Java not handling the Kerberos pre-auth correctly. This can occur if the principal name does not match what is stored in AD and what the principal name was when the password was last changed. This can be a case mismatch (AD does not care, Kerberos does) or a renamed account where the password has not been changed.
Java 1.6 is reported to have a fix for this problem. The fix will accept the pre-auth hint from the KDC as to what "salt" to use when doing the string to key function. The "salt" is derived from the principal name at the time the password was changed. Older Java versions assumed they knew the salt and tried to skip the first step in the pre-auth.
Your problem is in the same area so check for these first problems first. But if there is some artificial limit on the size of the password, like 8! that could be considered a new problem. You can trace this using Ethereal to watch the Kerberos packets.
Best regards,
Carlos.
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
-- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
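
The salt behaviour described in the reply above, as an added example (not code from either poster or from the JDK): it compares the key material a client derives when it assumes the salt from the name as typed with what it derives when it uses the salt hinted by the KDC. Assumptions: the realm, account names and password are constructed, and the derivation shown is only the PBKDF2 stage of the AES string-to-key from RFC 3962, chosen because it is salted; the thread does not say which encryption type was in use.

```python
import hashlib
import hmac

ITERATIONS = 4096  # default iteration count in RFC 3962

def default_salt(realm: str, principal: str) -> bytes:
    """RFC 4120 default salt: realm, then the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")

def tkey(password: str, salt: bytes, keylen: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, keylen)

def preauth_key_matches(password, realm, typed_name, kdc_salt, use_kdc_hint):
    """True if the client derives the same key material the KDC holds."""
    client_salt = kdc_salt if use_kdc_hint else default_salt(realm, typed_name)
    return hmac.compare_digest(tkey(password, client_salt),
                               tkey(password, kdc_salt))

# Constructed sample data (hypothetical realm, account and password).
REALM = "EXAMPLE.COM"
PASSWORD = "constructed-pw"
# Salt fixed from the principal name as it was when the password was last set.
STORED_SALT = default_salt(REALM, "JSmith")

CASES = [
    ("exact name", "JSmith"),
    ("case mismatch", "jsmith"),         # AD does not care, Kerberos does
    ("renamed account", "JaneSmith"),    # renamed, password never changed
]

def run():
    """Map each case to (matches with assumed salt, matches with KDC hint)."""
    return {
        label: (
            preauth_key_matches(PASSWORD, REALM, typed, STORED_SALT, False),
            preauth_key_matches(PASSWORD, REALM, typed, STORED_SALT, True),
        )
        for label, typed in CASES
    }

if __name__ == "__main__":
    for label, (assumed, hinted) in run().items():
        print(f"{label:16} assumed salt: {'ok' if assumed else 'key mismatch'}"
              f"   KDC-hinted salt: {'ok' if hinted else 'key mismatch'}")
```

A key mismatch here corresponds to the KDC being unable to validate the pre-authentication data, which is the condition reported as error 24 in the thread.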
