2 Replies Latest reply: Jun 10, 2011 8:18 AM by 868126

"Integrity check on decrypted field failed"; Windows 7 & WinServer 2008

843810 Newbie
Hi guys,

we have been using the Kerberos native ticket cache on Windows XP successfully for a couple of years now. Our setup is Windows Server 2008 (as KDC) and Windows XP and Windows 7 clients. The problem described below occurs only on Windows 7; Windows XP works fine. The same thing happens if I log on to a Windows 2008 domain controller locally (I guess because Win2008 and Win7 share the same code base).

When I try to start a Java application that tries to obtain a service ticket, the program fails with the (very generic) error "*Integrity check on decrypted field failed*". This only happens when accessing the native ticket cache of Windows 7 (and Windows 2008 Server locally). The problem is not connected to a specific user setting, because all users fail on Win 7 and succeed on Win XP.

It seems that the problem is related to encryption types in Windows 7. There is a policy setting where I can select encryption types for the Kerberos TGT. By default (none selected), I have a TGT with etype AES (so says klist.exe), which the Java Kerberos debug shows as etype 3, which is in fact DES! This is very weird! After that I changed the selection in the policy to RC4 only and got an RC4 TGT (as shown below) after the next logon. The error, however, persists even with RC4 as etype. It seems like the ticket cache is somehow broken/protected so that Java cannot access the ticket anymore. Could this have anything to do with UAC? The reg key allowsessiontgt is also set, even though it does not have any effect on Win7/Win2008 any more. I used the latest JDK6 (Update 17) for my tests.

Has any of you ever had that problem?

Cheers,

This is the Kerberos output:
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Users\x3maier\krb5cc_x3maier
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
      client=X3MAIER@AD.XXXX.CO.AT
      server=krbtgt/AD.XXXX.CO.AT@AD.XXXX.CO.AT
      authTime=20091217141406Z
      startTime=20091217141406Z
      endTime=20091218001406Z
      renewTill=20091224141406Z
      flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Principal is X3MAIER@AD.XXXX.CO.AT
Commit Succeeded
Encryption Types:
------ DesCbcCrcEType: 1
------ DesCbcMd5EType: 3
------ ArcFourHmacEType: 23
------ Aes128CtsHmacSha1EType: 17
------ Aes256CtsHmacSha1EType: 18
---------------------------------------------------------------------
Found ticket for X3MAIER@AD.XXXX.CO.AT to go to krbtgt/AD.XXXX.CO.AT@AD.XXXX.CO.AT expiring on Fri Dec 18 01:14:06 CET 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbKdcReq send: kdc=anasv00.ad.XXXX.co.at TCP:88, timeout=3000, number of retries =3, #bytes=2328
DEBUG: TCPClient reading 93 bytes
KrbKdcReq send: #bytes read=93
KrbKdcReq send: #bytes read=93
KDCRep: init() encoding tag is 126 req type is 13
KRBError:
      sTime is Thu Dec 17 15:30:57 CET 2009 1261060257000
      suSec is 7056
      error code is 31
      error Message is Integrity check on decrypted field failed
      realm is AD.XXXX.CO.AT
      sname is HTTP/ecommonhost
      msgType is 30
The Java code produces the following error:
INFO: Using SPN HTTP/ecommonhost with server HTTP/ecommonhost
KrbException: Integrity check on decrypted field failed (31)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at at.xxxx.common.security.KerberosAuthenticator.initiate(KerberosAuthenticator.java:242)
        at Main.main(Main.java:40)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
        ... 9 more
Exception in thread "main" java.lang.SecurityException: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
        at at.xxxx.common.security.KerberosAuthenticator.initiate(KerberosAuthenticator.java:249)
        at Main.main(Main.java:40)
Caused by: GSSException: No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:663)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
        at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
        at at.xxxx.common.security.KerberosAuthenticator.initiate(KerberosAuthenticator.java:242)
        ... 1 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:61)
        at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:185)
        at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:294)
        at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:106)
        at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:562)
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:594)
        ... 4 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.TGSRep.init(TGSRep.java:58)
        at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:53)
        at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:46)
        ... 9 more
The output of klist.exe shows the following TGT:
#0>     Client: x3maier @ AD.XXXX.CO.AT
        Server: krbtgt/AD.XXXX.CO.AT @ AD.XXXX.CO.AT
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
        Start Time: 12/17/2009 15:14:06 (local)
        End Time:   12/18/2009 1:14:06 (local)
        Renew Time: 12/24/2009 15:14:06 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
krb5.ini is nothing fancy:
[libdefaults]
    default_realm = AD.XXXX.CO.AT
    kdc_timeout = 3000
    udp_preference_limit = 1

[realms]
    AD.XXXX.CO.AT = {
        kdc = xxxx
        kdc = xxxx
        kdc = xxxx
    }
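When triaging a trace like the one above, the three things worth correlating are the encryption type Java reports for the cached TGT, the encryption type klist.exe reports for the same ticket, and the KRB-ERROR code the TGS request comes back with. The script below is an added example (not code from the poster or from the JDK) that pulls those fields out of a sun.security.krb5 debug trace and klist.exe output and reports the inconsistencies the post describes. The sample inputs are constructed from the lines quoted in the post; the etype numbers and error code 31 (KRB_AP_ERR_BAD_INTEGRITY) come from RFC 4120, the RC4 name string is the one klist printed above, and the AES name strings klist prints are an assumption about exact wording.

```python
"""Triage helper for Java Kerberos (sun.security.krb5) debug traces.

Added example, not part of the original post. Parses the debug output that
-Dsun.security.krb5.debug=true produces plus Windows klist.exe output and
reports encryption-type mismatches and the KRB-ERROR code, which is what a
practitioner checks first when a TGS request fails with error 31.
"""
import re
from typing import Dict, List, Optional

# Kerberos encryption type numbers as assigned in RFC 3961 / RFC 4120.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Names klist.exe prints. The RC4 string is taken from the post; the two AES
# strings are an assumption about klist's exact wording for AES tickets.
KLIST_ETYPES = {
    "RSADSI RC4-HMAC(NT)": 23,
    "AES-256-CTS-HMAC-SHA1-96": 18,
    "AES-128-CTS-HMAC-SHA1-96": 17,
}

# KRB-ERROR codes from RFC 4120 section 7.5.9 that matter for this trace.
KRB_ERROR_NAMES = {31: "KRB_AP_ERR_BAD_INTEGRITY"}


def parse_java_trace(text: str) -> Dict[str, object]:
    """Extract TGT etype, default_tgs_enctypes, error code and sname."""
    out: Dict[str, object] = {"tgt_etype": None, "tgs_enctypes": [],
                              "error_code": None, "sname": None}
    m = re.search(r"EType \(int\): (\d+)", text)
    if m:
        out["tgt_etype"] = int(m.group(1))
    m = re.search(r"default etypes for default_tgs_enctypes: ([\d ,]+?)\.", text)
    if m:
        out["tgs_enctypes"] = [int(x) for x in re.findall(r"\d+", m.group(1))]
    m = re.search(r"error code is (\d+)", text)
    if m:
        out["error_code"] = int(m.group(1))
    m = re.search(r"sname is (\S+)", text)
    if m:
        out["sname"] = m.group(1)
    return out


def parse_klist(text: str) -> Dict[str, Optional[int]]:
    """Map klist.exe's ticket and session-key type strings to etype numbers."""
    out: Dict[str, Optional[int]] = {"ticket_etype": None, "session_etype": None}
    m = re.search(r"KerbTicket Encryption Type:\s*(.+)", text)
    if m:
        out["ticket_etype"] = KLIST_ETYPES.get(m.group(1).strip())
    m = re.search(r"Session Key Type:\s*(.+)", text)
    if m:
        out["session_etype"] = KLIST_ETYPES.get(m.group(1).strip())
    return out


def diagnose(java: Dict[str, object], klist: Dict[str, Optional[int]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    notes: List[str] = []
    code = java["error_code"]
    if code is not None:
        name = KRB_ERROR_NAMES.get(code, "unknown")
        notes.append(f"TGS request for {java['sname']} failed with error {code} ({name}).")
        if code == 31:
            # KrbTgsRep reports 31 when the TGS-REP enc-part does not decrypt
            # to a well-formed structure with the session key it used; the
            # nested 906 'Identifier doesn't match expected value' is that parse failure.
            notes.append("Error 31: the TGS-REP enc-part did not decrypt correctly with the "
                         "cached TGT session key, so verify that key against the ticket.")
    tgt = java["tgt_etype"]
    if tgt is not None:
        seen = {klist["ticket_etype"], klist["session_etype"]} - {None}
        if seen and tgt not in seen:
            notes.append(f"etype mismatch: Java reads the cached TGT as etype {tgt} "
                         f"({ETYPE_NAMES.get(tgt, '?')}) but klist shows "
                         f"{sorted(ETYPE_NAMES.get(e, '?') for e in seen)}.")
        if java["tgs_enctypes"] and tgt not in java["tgs_enctypes"]:
            notes.append(f"TGT etype {tgt} is not in default_tgs_enctypes {java['tgs_enctypes']}.")
    return notes


def triage(java_text: str, klist_text: str) -> List[str]:
    return diagnose(parse_java_trace(java_text), parse_klist(klist_text))


# Constructed samples mirroring the lines quoted in the post.
SAMPLE_JAVA = """Obtained TGT from LSA: Credentials:
EType (int): 23
default etypes for default_tgs_enctypes: 23.
KRBError:
      error code is 31
      error Message is Integrity check on decrypted field failed
      sname is HTTP/ecommonhost
"""
SAMPLE_KLIST = """#0>     Client: x3maier @ AD.XXXX.CO.AT
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_JAVA, SAMPLE_KLIST):
        print("-", line)
```

Run it against a real trace by pasting the Java debug output and the klist.exe output into the two strings (or reading them from files); with the post's RC4-only configuration it reports only the error-31 finding, while the earlier configuration the poster describes (klist showing AES, Java showing etype 3) additionally produces the etype-mismatch finding.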