9 Replies. Latest reply: Jul 9, 2009 6:17 AM by 843810

krb_error 24 Pre-authentication information was invalid (24) Pre-authentica

843810 Newbie
Hi:

I'm trying to setup/configure SSO between WebLogic 10g and Microsoft AD/Clients as described in the WebLogic documentation: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/sso.html#wp1101370

I have a Windows 2003 Server Domain Controller (with AD) and a VM with Windows 2003 Server with WebLogic 10g. The domain is called SSODEMO.MYDOMAIN.LOCAL and the machine is called oracledev7. The VM is called ssoweblogic and is registered as a machine in the domain. Each machine can access the other.

I followed the steps provided in the mentioned document until step 7 where I got stuck with the following error:
kinit -k -t weblogic.keytab weblogicuser@SSODEMO.MYDOMAIN.LOCAL
Exception: krb_error 24 Pre-authentication information was invalid 
  (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 4 more
--------------------------------------------------------------
This is my SSO setup

===================================================
On AD Server

Created a user called: weblogicuser and set "Use DES encryption types for this account" option

setspn -a host/ssoweblogic ssoweblogic
setspn -a host/ssoweblogic.ssodemo.mydomain.local ssoweblogic

setspn -a HTTP/ssoweblogic weblogicuser
setspn -a HTTP/ssoweblogic.ssodemo.mydomain.local weblogicuser

setspn -l ssoweblogic
Registered ServicePrincipalNames for CN=SSOWEBLOGIC,CN=Computers,DC=ssodemo,DC=mydomain,DC=local:
HOST/SSOWEBLOGIC
HOST/ssoweblogic.ssodemo.mydomain.local

setspn -l weblogicuser
Output: Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=ssodemo,DC=mydomain,DC=local:
HTTP/ssoweblogic.ssodemo.mydomain.local
HTTP/ssoweblogic

ktpass -princ HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL -pass cw123-x -mapuser weblogicuser@SSODEMO.MYDOMAIN.LOCAL -ptype KRB5_NT_PRINCIPAL -out weblogic.keytab

===================================================
On Weblogic Server

ktab -k weblogic.keytab -a weblogicuser@SSODEMO.MYDOMAIN.LOCAL
Password: ************

kinit -k -t C:\bea\user_projects\domains\sso_domain\weblogic.keytab weblogicuser@SSODEMO.CRIMSONWING.LOCAL

--------------------------------------------------------------


Any help would be appreciated,
Albert
  • 1. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authentica
    843810 Newbie
    You should not call ktab to create the keytab; the ktpass command has already created one.

    BTW, I think you needn't call setspn.exe so many times; a single ktpass.exe is enough.
  • 2. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    Thanks for your input.

    I've executed the ktpass command (Step 6) on the AD server as shown next:
    C:\>ktpass -princ HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL -pass cw123-x 
      -mapuser weblogicuser@SSODEMO.MYDOMAIN.LOCAL -ptype KRB5_NT_PRINCIPAL -out weblogic.keytab
    I got the following output:
    Targeting domain controller: oracledev7.ssodemo.mydomain.local
    Using legacy password setting method
    Successfully mapped HOST/ssoweblogic to weblogicuser.
    Key created.
    Output keytab to weblogic.keytab:
    Keytab version: 0x502
    keysize 77 HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL ptype 1 (KRB5_NT_PRINCIPAL
    ) vno 8 etype 0x17 (RC4-HMAC) keylength 16 (0xa2579c7c7e8b87e0127e81fe829d3c9b)
    I'm not sure about the second output line: "Using legacy password setting method". Then I proceeded to step 7 (the next step in the document) and executed the following command on the WebLogic server:
    C:\bea\jrockit_160_05\bin>kinit -k -t C:\bea\user_projects\domains\sso_domain\weblogic.keytab 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL
    and got a different error:
    Exception: krb_error 0 No supported key found in keytab for principal 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL No error
    KrbException: No supported key found in keytab for principal 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:192)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    Am I missing something in the previous steps?

    Any help would be appreciated,
    Albert
  • 3. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    I guess you are going to use the SPN on the WebLogic server side, right? Why not use the SPN "HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL" in the kinit command? If you use ktab to view the keytab file, you will not see the original username weblogicuser.

    Also, why use the simple server host name "ssoweblogic"? As I understand it, the Kerberos service principal name should use the fully qualified DNS name, something like ssoweblogic.ssodemo.mydomain.local. Please try using the full name in both ktpass and kinit.
  • 4. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    Hi:

    Yes. The SPN will be used by WebLogic server as described in: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/sso.html#wp1101370 . Basically what I'm after is to provide SSO for my intranet/web applications running on WebLogic. Once the user logs onto the network (AD), he/she does not have to log in to the intranet web applications, as his/her AD credentials will be used.

    I've amended the ktpass command as suggested and added the option -crypto DES-CBC-CRC to match the parameter that I have in the krb5.ini file on the WebLogic Server:
    C:\>ktpass -princ HTTP/ssoweblogic.ssodemo.mydomain.local@SSODEMO.MYDOMAIN.LOCAL 
    -pass cw123-x -mapuser weblogicuser@SSODEMO.MYDOMAIN.LOCAL 
    -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-CRC -out weblogic.keytab
    The output was:
    Targeting domain controller: oracledev7.ssodemo.mydomain.local
    Using legacy password setting method
    Successfully mapped HTTP/ssoweblogic.ssodemo.mydomain.local to weblogicuser.
    Key created.
    Output keytab to C:\VMS\Shared\weblogic.keytab:
    Keytab version: 0x502
    keysize 95 HTTP/ssoweblogic.ssodemo.mydomain.local@SSODEMO.MYDOMAIN.LOCAL
    ptype 1 (KRB5_NT_PRINCIPAL) vno 12 etype 0x1 (DES-CBC-CRC) keylength 8 (0xef6eada2890bad01)
    Then executed the kinit command on the WebLogic server but still got the same error:
    C:\bea\jrockit_160_05\bin>kinit -k -t C:\bea\user_projects\domains\sso_domain\weblogic.keytab
     weblogicuser@SSODEMO.MYDOMAIN.LOCAL
    Exception: krb_error 0 No supported key found in keytab for 
      principal weblogicuser@SSODEMO.MYDOMAIN.LOCAL No error
    KrbException: No supported key found in keytab for 
      principal weblogicuser@SSODEMO.MYDOMAIN.LOCAL
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:192)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    I didn't understand the following:
    > Why not use the SPN "HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL" in the kinit command? If you use ktab to view the keytab file, you will not see the original username weblogicuser.

    Can you elaborate please?

    Cheers,
    Albert Attard
  • 5. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    I've executed the kinit in debug mode:
    C:\bea\jrockit_160_05\bin>kinit -J-Dsun.security.krb5.debug=true -k -t 
    C:\bea\user_projects\domains\sso_domain\weblogic.keytab 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL
    Output
    KinitOptions cache name is C:\Documents and Settings\Administrator.SSODEMO\
      krb5cc_Administrator  Principal is weblogicuser@SSODEMO.MYDOMAIN.LOCAL
    Kinit using keytab
    Kinit keytab file name: C:\bea\user_projects\domains\sso_domain\weblogic.keytab
    KeyTabInputStream, readName(): SSODEMO.MYDOMAIN.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): ssoweblogic.ssodemo.mydomain.local
    KeyTab: load() entry length: 95; type: 1
    Exception: krb_error 0 No supported key found in keytab for principal 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL No error
    KrbException: No supported key found in keytab for principal 
      weblogicuser@SSODEMO.MYDOMAIN.LOCAL
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:192)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    What else can I change/check?
    Albert
  • 6. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    I mean you should run

    kinit -k -t C:\bea\user_projects\domains\sso_domain\weblogic.keytab
    HTTP/ssoweblogic.ssodemo.mydomain.local@SSODEMO.MYDOMAIN.LOCAL

    If you run "ktab -l" on the keytab file you generated, it contains no reference to weblogicuser any more.
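    As an added example (not code from the thread, Oracle, or the JDK), a small Python reader for the keytab format that ktpass writes and Java's KeyTab loads. It reproduces the lookup kinit performs: an entry must match both the requested principal and an allowed enctype, which is why weblogicuser@SSODEMO.MYDOMAIN.LOCAL finds no key while the HTTP/ SPN does. The sample keytab image is constructed in memory from the entry values quoted in the thread; the builder writing the optional 32-bit kvno field is an assumption about ktpass, and the parser accepts files with or without it.

```python
import struct

def _cstr(s):
    b = s.encode("ascii")
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Serialise [(realm, components, kvno, etype, key)] as a v0x502 keytab image."""
    out = b"\x05\x02"
    for realm, comps, kvno, etype, key in entries:
        body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(_cstr(c) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # 32-bit kvno (assumed)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{principal, kvno, etype, key}] for every live entry in a keytab image."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        names = []                        # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            names.append(data[pos:pos + n].decode("ascii")); pos += n
        _ntype, _stamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno, "etype": etype, "key": key})
        pos = end
    return entries

def find_key(keytab, principal, etypes):
    """kinit's check: an entry must match the principal AND an enctype the client allows."""
    return [e for e in parse_keytab(keytab) if e["principal"] == principal and e["etype"] in etypes]

def default_salt(principal):
    """Default Kerberos salt: the realm followed by the name components, no separators."""
    name, realm = principal.split("@")
    return realm + "".join(name.split("/"))

# Constructed sample image: the single entry ktpass reported in the thread (etype 1 = DES-CBC-CRC, kvno 12).
SAMPLE = build_keytab([("SSODEMO.MYDOMAIN.LOCAL", ["HTTP", "ssoweblogic.ssodemo.mydomain.local"], 12, 1, bytes.fromhex("ef6eada2890bad01"))])
```

    Running find_key against SAMPLE with the user principal returns nothing, which is the "No supported key found in keytab" condition; passing an etype set that excludes 1 (for example only RC4, 23) fails the same way, which is the other common cause of that error.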
  • 7. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    Hi, and thanks a lot for your help.

    I've executed the suggested command:
    C:\bea\jrockit_160_05\bin>kinit -J-Dsun.security.krb5.debug=true -k -t 
      C:\bea\user_projects\domains\sso_domain\weblogic.keytab 
      HTTP/ssoweblogic.ssodemo.mydomain.local
    Output (the greater-than characters were removed so as not to disrupt the formatting):
    Config name: C:\WINDOWS\krb5.ini
    KinitOptions cache name is C:\Documents and Settings\
    Administrator.SSODEMO\krb5cc_Administrator
    Principal is HTTP/ssoweblogic.ssodemo.mydomain.local
      @SSODEMO.MYDOMAIN.LOCAL
    Kinit using keytab
    Kinit keytab file name: C:\bea\user_projects\domains\sso_domain\weblogic.keytab
    KeyTabInputStream, readName(): SSODEMO.MYDOMAIN.LOCAL
    KeyTabInputStream, readName(): HTTP
    KeyTabInputStream, readName(): ssoweblogic.ssodemo.mydomain.local
    KeyTab: load() entry length: 95; type: 1
    Added key: 1version: 12
    Ordering keys wrt default_tkt_enctypes list
    default etypes for default_tkt_enctypes: 1.
    0: EncryptionKey: keyType=1 kvno=12 keyValue (hex dump)=
    0000: EF 6E AD A2 89 0B AD 01
    
    Kinit realm name is SSODEMO.MYDOMAIN.LOCAL
    Creating KrbAsReq
    KrbKdcReq local addresses for ssoweblogic are:
    
            ssoweblogic/192.168.1.18
    IPv4 address
    default etypes for default_tkt_enctypes: 1.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    Kinit: sending as_req to realm SSODEMO.MYDOMAIN.LOCAL
    KrbKdcReq send: kdc=192.168.1.50 UDP:88, timeout=30000, 
      number of retries =3, #bytes=219
    KDCCommunication: kdc=192.168.1.50 UDP:88, 
      timeout=30000,Attempt =1, #bytes=219
    KrbKdcReq send: #bytes read=241
    KrbKdcReq send: #bytes read=241
    reading response from kdc
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
             sTime is Thu Jul 09 13:55:18 CEST 2009 1247140518000
             suSec is 436
             error code is 25
             error Message is Additional pre-authentication required
             realm is SSODEMO.MYDOMAIN.LOCAL
             sname is krbtgt/SSODEMO.MYDOMAIN.LOCAL
             eData provided.
             msgType is 30
    Pre-Authentication Data:
             PA-DATA type = 11
             PA-ETYPE-INFO etype = 1
    Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
    Pre-Authentication Data:
             PA-DATA type = 15
    Kinit: PREAUTH FAILED/REQ, re-send AS-REQ
    Updated salt from pre-auth = 
    SSODEMO.MYDOMAIN.LOCALHTTPssoweblogic.ssodemo.mydomain.local
    KrbAsReq salt is SSODEMO.MYDOMAIN.LOCALHTTPssoweblogic.ssodemo.mydomain.local
    Pre-Authenticaton: find key for etype = 1
    AS-REQ: Add PA_ENC_TIMESTAMP now
    EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    crc32: f7fd372
    crc32: 1111011111111101001101110010
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    Kinit: sending as_req to realm SSODEMO.MYDOMAIN.LOCAL
    KrbKdcReq send: kdc=192.168.1.50 UDP:88, timeout=30000, 
      number of retries =3, #bytes=300
    KDCCommunication: kdc=192.168.1.50 UDP:88, timeout=30000,
      Attempt =1, #bytes=300
    KrbKdcReq send: #bytes read=122
    KrbKdcReq send: #bytes read=122
    reading response from kdc
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
             sTime is Thu Jul 09 13:55:19 CEST 2009 1247140519000
             suSec is 797311
             error code is 52
             error Message is Response too big for UDP, retry with TCP
             realm is SSODEMO.MYDOMAIN.LOCAL
             sname is krbtgt/SSODEMO.MYDOMAIN.LOCAL
             msgType is 30
    KrbKdcReq send: kdc=192.168.1.50 TCP:88, timeout=30000,
       number of retries =3, #bytes=300
    DEBUG: TCPClient reading 1542 bytes
    KrbKdcReq send: #bytes read=1542
    KrbKdcReq send: #bytes read=1542
    EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    crc32: d0968eb6
    crc32: 11010000100101101000111010110110
     KrbAsRep cons in KrbAsReq.getReply HTTP/ssoweblogic.ssodemo.mydomain.local
    New ticket is stored in cache file C:\Documents and 
      Settings\Administrator.SSODEMO\krb5cc_Administrator
    I don't know what this output means, but it shows some errors, or at least that's what I think:
    KRBError:
             sTime is Thu Jul 09 13:55:19 CEST 2009 1247140519000
             suSec is 797311
             error code is 52
             error Message is Response too big for UDP, retry with TCP
             realm is SSODEMO.MYDOMAIN.LOCAL
             sname is krbtgt/SSODEMO.MYDOMAIN.LOCAL
             msgType is 30
    Any ideas?
    Albert
  • 8. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    Both errors you see are very normal:

    1. error Message is Additional pre-authentication required

    This means pre-authentication is required. Unless you check the "Does not allow Preauthentication" checkbox in the Windows AD account settings for the user, the AD server will prompt the client for preauth.

    2. error Message is Response too big for UDP, retry with TCP

    This means that after the preauth info is added to the request, the UDP packet is so big that the server decides that using TCP might be more convenient.
  • 9. Re: krb_error 24 Pre-authentication information was invalid (24) Pre-authen
    843810 Newbie
    Thanks a lot.

    I'm stuck on another point, but will post it on another thread.

    Much appreciated,
    Albert