1 Reply Latest reply on Jan 18, 2007 5:19 PM by 807812

    Error with Pre-Authentication for Windows Desktop SSO

    807812
      When I try to use the Windows Desktop SSO module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing wrong. It's not an Access Manager problem; I can't get kinit to work either. I think I'm following the directions from the manual correctly.

      Are these ktpass commands set up right?

      The Windows AD administrator created the accounts:
      C:\>ktpass -princ HOST/amdev.tcpip.com@AD.TCPIPCOM -pass amdev -mapuser AD\amdev$ -out amdev.keytab
      Targeting domain controller: dc2.ad.tcpip.com
      Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
      WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
      WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
      
      Reset AMDEV$'s password [y/n]?  y
      Key created.
      Output keytab to amdev.keytab:
      Keytab version: 0x502
      keysize 56 HOST/amdev.tcpip.com@AD.TCPIP.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe3e6846d3cd)
      Account AMDEV$ has been set for DES-only encryption.
      
      C:\>ktpass -princ HTTP/amdev.tcpip.com@AD.TCPIP.COM -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
      Targeting domain controller: dc2.ad.tcpip.com
      Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
      WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
      WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
      
      Reset AMDEV$'s password [y/n]?  y
      Key created.
      Output keytab to amdev-http.keytab:
      Keytab version: 0x502
      keysize 56 HTTP/amdev.tcpip.com@AD.TCPIP.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201cf4d3ec43e6)
      Account AMDEV$ has been set for DES-only encryption.
      
      C:\>
      I can read the keys with ktutil.
      ktutil:  rkt amdev-http.keytab
      ktutil:  list
      slot KVNO Principal
      ---- ---- --------------------------------------------------------------------------
         1    4            HTTP/amdev.tcpip.com@AD.TCPIP.COM
      ktutil:  rkt amdev.keytab
      ktutil:  list
      slot KVNO Principal
      ---- ---- --------------------------------------------------------------------------
         1    4            HTTP/amdev.tcpip.com@AD.TCPIP.COM
         2    3            HOST/amdev.tcpip.com@AD.TCPIP.COM
      ktutil:  wkt amdev2.keytab
      I then try to do a kinit with the principal:
      kinit -k -t amdev2.keytab HTTP/amdev.tcpip.com@AD.TCPIP.COM
      kinit(v5): Preauthentication failed while getting initial credentials
      Access Manager reports a similar problem on access:
      01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
      Stack trace:
      javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
              at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
              at java.lang.reflect.Method.invoke(Method.java:585)
      . . . 
        • 1. Re: Error with Pre-Authentication for Windows Desktop SSO
          807812
          Something deep, dark, and inside Kerberos way outside of my knowledge base was the problem.

          I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries, all in vain; kinit using the keytab always resulted in a PA error, although the clocks are set up the same.

          The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.

          If anyone knows what the difference between machine and user accounts is in AD, I would be obliged for an explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, I'm very glad to finally have this working.
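Added example, not part of either post and not code from Access Manager, ktpass or ktutil: a small Python writer and reader for the MIT keytab format the transcript shows (file version 0x502, int32 entry length, counted realm and name components, name type, timestamp, 8-bit vno, enctype and key, optional 32-bit vno), followed by the checks worth running on a keytab before blaming the KDC for "Preauthentication failed". The two entries are constructed from the posted ktpass output. Two things in that output are worth catching: both keys are single DES (etype 0x3), which MIT krb5 1.8 and later refuse unless allow_weak_crypto = true is set in krb5.conf; and both SPNs were mapped to the one account AMDEV$ with the password reset each time, so the HOST key at vno 3 was already stale once the second run bumped the account to vno 4. Neither explains the HTTP failure on its own (kinit was run with the vno 4 key, and DES was still accepted by default in 2007), but both are cheap to detect. The entry-by-host heuristic and all function names are this example's own.

```python
"""MIT keytab (file version 0x0502) writer, reader and audit: an added example,
not code from the thread or from Access Manager."""
import struct
from collections import defaultdict
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502     # ktpass printed "Keytab version: 0x502"
KRB5_NT_PRINCIPAL = 1       # ktpass printed "ptype 1 (KRB5_NT_PRINCIPAL)"
SINGLE_DES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}  # etype 0x3 in the post


@dataclass
class KeytabEntry:
    principal: str          # e.g. "HTTP/amdev.tcpip.com@AD.TCPIP.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _counted(data: bytes) -> bytes:
    # counted_octet_string: big-endian uint16 length, then the bytes
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)             # optional 32-bit vno extension
    return struct.pack(">i", len(body)) + body    # int32 entry length, then body


def write_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(map(encode_entry, entries))


def _take_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n


def read_keytab(blob: bytes):
    """Parse every entry; a negative length marks a slot deleted by ktutil."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        buf, off = blob[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", buf, off); off += 2
        realm, off = _take_string(buf, off)
        comps = []
        for _ in range(ncomp):
            c, off = _take_string(buf, off)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", buf, off); off += 9
        enctype, klen = struct.unpack_from(">HH", buf, off); off += 4
        key, off = buf[off:off + klen], off + klen
        kvno = vno8
        if off + 4 <= len(buf):                   # non-zero 32-bit vno wins
            (vno32,) = struct.unpack_from(">I", buf, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts, name_type))
        pos += size
    return entries


def audit_keytab(entries):
    """Checks to run before blaming the KDC for 'Preauthentication failed'."""
    findings = []
    for e in entries:
        if e.enctype in SINGLE_DES:
            findings.append(f"{e.principal} kvno {e.kvno}: {SINGLE_DES[e.enctype]} key; "
                            "MIT krb5 1.8+ rejects single DES unless allow_weak_crypto = true")
    # Heuristic (this example's own): service principals on one host are often one AD
    # account, and each ktpass password reset bumps the kvno and strands the older key.
    by_host = defaultdict(set)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        if len(comps) == 2:
            by_host[(comps[1], realm)].add(e.kvno)
    for (host, realm), kvnos in by_host.items():
        if len(kvnos) > 1:
            findings.append(f"{host}@{realm}: keys at kvno {sorted(kvnos)}; if these SPNs map "
                            f"to one account only kvno {max(kvnos)} matches its current password")
    return findings


# Constructed from the two ktpass runs in the post (same account AMDEV$, two resets).
POSTED_ENTRIES = [
    KeytabEntry("HTTP/amdev.tcpip.com@AD.TCPIP.COM", 4, 3, bytes.fromhex("45201cf4d3ec43e6")),
    KeytabEntry("HOST/amdev.tcpip.com@AD.TCPIP.COM", 3, 3, bytes.fromhex("023efe3e6846d3cd")),
]
```

read_keytab(write_keytab(POSTED_ENTRIES)) gives back the same two entries ktutil listed (HTTP at kvno 4, HOST at kvno 3, both etype 0x3), and audit_keytab on them returns three findings: one DES warning per entry and one note that the two keys for amdev.tcpip.com sit at different kvnos. To inspect a real file, pass open("amdev2.keytab", "rb").read() to read_keytab; the parser skips the negative-length holes ktutil leaves behind after delent.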