  1. Directory Studio
  2. DIRSTUDIO-992

Unable to enable Kerberos authentication to connect to Apache Directory Server


Details

    • Bug
    • Status: Open
    • Blocker
    • Resolution: Unresolved
    • 2.0.0-M8 (2.0.0.v20130628)
    • None
    • studio-connection
    • Win 7 Professional 64 Bit
      Apache Directory Server V 2.0.0-M17
      Both Directory Server and Studio hosted on the same machine

    Description

      Trying to enable Kerberos authentication following the instructions given at https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
      Receiving exception:
      javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
      org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
      User password is set to make use of SSHA hashing.
      Tried running Studio with administrative privileges, but that doesn't fix the issue.
      DEBUG level Directory Server logs show the following entries:
      INFO | jvm 1 | 2014/09/03 15:57:14 | -------------------------------------------------------------------------------<
      INFO | jvm 1 | 2014/09/03 15:57:14 |
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Received Authentication Service (AS) request:
      INFO | jvm 1 | 2014/09/03 15:57:14 | messageType: AS_REQ
      INFO | jvm 1 | 2014/09/03 15:57:14 | protocolVersionNumber: 5
      INFO | jvm 1 | 2014/09/03 15:57:14 | clientAddress: 127.0.0.1
      INFO | jvm 1 | 2014/09/03 15:57:14 | nonce: 1166672761
      INFO | jvm 1 | 2014/09/03 15:57:14 | kdcOptions:
      INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: { name-type: KRB_NT_PRINCIPAL, name-string : <'hnelson'> }
      INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
      INFO | jvm 1 | 2014/09/03 15:57:14 | encryptionType: aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)
      INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | from time: null
      INFO | jvm 1 | 2014/09/03 15:57:14 | till time: 19700101000000Z
      INFO | jvm 1 | 2014/09/03 15:57:14 | renew-till time: null
      INFO | jvm 1 | 2014/09/03 15:57:14 | hostAddresses: null
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Selecting the EncryptionType
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type rc4-hmac (23).
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Getting the client Entry
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor] - Operation Context: SearchContext for Dn 'dc=security,dc=example,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine] - Nb results : 1 for filter : (&:[1](krb5PrincipalName=hnelson@EXAMPLE.COM:[1])(#{SUBTREE_SCOPE (Estimated), 'dc=security,dc=example,dc=com', DEREF_ALWAYS}))
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name hnelson@EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name hnelson@EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying the policy
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using SAM subsystem.
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - --> Verifying using encrypted timestamp.
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type. Proceeding with standard pre-authentication.
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Decrypting data using key rc4-hmac (23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (1)
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Responding to request with error:
      INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | error code: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
      INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
      INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | server time: 20140903102714Z
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Responding to request with error:
      INFO | jvm 1 | 2014/09/03 15:57:14 | explanatory text: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | error code: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | clientPrincipal: null@null
      INFO | jvm 1 | 2014/09/03 15:57:14 | client time: null
      INFO | jvm 1 | 2014/09/03 15:57:14 | serverPrincipal: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | server time: 20140903102714Z
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /127.0.0.1:61504 SENT:
      INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
      INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
      INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
      INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
      INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
      INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
      INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | }
      INFO | jvm 1 | 2014/09/03 15:57:14 |
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /127.0.0.1:61504 SENT:
      INFO | jvm 1 | 2014/09/03 15:57:14 | KRB-ERROR : {
      INFO | jvm 1 | 2014/09/03 15:57:14 | pvno: 5
      INFO | jvm 1 | 2014/09/03 15:57:14 | msgType: KRB_ERROR
      INFO | jvm 1 | 2014/09/03 15:57:14 | sTime: 20140903102714Z
      INFO | jvm 1 | 2014/09/03 15:57:14 | susec: 0
      INFO | jvm 1 | 2014/09/03 15:57:14 | errorCode: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | realm: EXAMPLE.COM
      INFO | jvm 1 | 2014/09/03 15:57:14 | sName: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
      INFO | jvm 1 | 2014/09/03 15:57:14 | eText: Integrity check on decrypted field failed
      INFO | jvm 1 | 2014/09/03 15:57:14 | }
      INFO | jvm 1 | 2014/09/03 15:57:14 |
      INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.ldap.LdapProtocolHandler] - Cleaning the LdapSession : No Ldap session ... session
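
      Added example, not part of the original report and not ApacheDS code: a Python triage pass over a wrapper-prefixed KDC debug log like the one above. It reads one logger only (the protocol handler repeats the same events) and reports the requested and selected encryption types, the principal and the numeric error code (31 is KRB_AP_ERR_BAD_INTEGRITY in RFC 4120). The name triage and the WEAK set (etypes deprecated by RFC 6649 and RFC 8429) are choices made for this example; the sample lines are copied from the log above.

```python
import re

# Excerpt of the log above, used as inline sample input.
SAMPLE = """\
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Session will use encryption type rc4-hmac (23).
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG] - Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
INFO | jvm 1 | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)
"""

WRAPPER = re.compile(r"^\s*INFO \| jvm \d+ \| \S+ \S+ \| ?")   # service-wrapper prefix
EVENT = re.compile(r"^\[[\d:]+\] (\w+)\s+\[([\w.]+)\] - (.*)$")  # [time] LEVEL [logger] - msg
ETYPE = re.compile(r"([\w-]+) \((\d+)\)")                        # e.g. "rc4-hmac (23)"
WEAK = {1, 3, 16, 23}  # DES (RFC 6649), 3DES and RC4-HMAC (RFC 8429)

def triage(log_text, logger="org.apache.directory.server.KERBEROS_LOG"):
    """Return one dict per AS exchange seen on the given logger."""
    exchanges, cur = [], None
    for raw in log_text.splitlines():
        m = EVENT.match(WRAPPER.sub("", raw))
        if not m or m.group(2) != logger:
            continue  # continuation line, or the duplicate from another logger
        level, _, msg = m.groups()
        if msg.startswith("Encryption types requested by client"):
            cur = {"requested": [int(n) for _, n in ETYPE.findall(msg)],
                   "selected": None, "principal": None, "error": None}
            exchanges.append(cur)
        elif cur is None:
            continue
        elif msg.startswith("Session will use encryption type"):
            cur["selected"] = int(ETYPE.search(msg).group(2))
        elif " for principal " in msg:
            cur["principal"] = msg.rsplit(" for principal ", 1)[1]
        elif level == "WARN" and (e := re.search(r"\((\d+)\)\s*$", msg)):
            cur["error"] = int(e.group(1))
    for ex in exchanges:
        # A deprecated etype was chosen; list what the client offered instead.
        ex["weak_selected"] = ex["selected"] in WEAK
        ex["stronger_offered"] = [t for t in ex["requested"] if t not in WEAK]
    return exchanges

if __name__ == "__main__":
    for ex in triage(SAMPLE):
        print(ex)
```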

          People

            Unassigned Unassigned
            gauravverma Gaurav Verma
            Votes: 3
            Watchers: 5