very likely that the default weak encryption type set in ApacheDS is the reason.

either you enable the weak encrytion support in krb5.conf

[libdefaults]
áááááá allow_weak_crypto = true

or modify the encryption types configured in ApacheDS

á1. go to the entry ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config

á2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can add another value like aes256-cts-hmac-sha1-96)

á3. restart the server

let us know if you still have an issue





On Mon, Apr 8, 2013 at 10:24 PM, Wu, James C. <James.C.Wu@disney.com> wrote:
I installed the JCE and using the JVM from Oracle now. But I am getting the same error as when I used the OpenJDK JVM.

[09:48:32] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - Integrity check on decrypted field failed (31)
[09:48:32] WARN [org.apache.directory.server.KERBEROS_LOG] - Integrity check on decrypted field failed (31)

I tried to use kinit from two machines, both show the same error. áThe kinit is part of the krb5-lib/krb5-workstation library. áDo I have to other implementation of kinit?

Regards,

james


-----Original Message-----
From: Emmanuel LÚcharny [mailto:elecharny@gmail.com]
Sent: Sunday, April 07, 2013 10:38 PM
To: Apache Directory Developers List
Subject: Re: kinit failed on - Integrity check on decrypted field failed

Le 4/8/13 3:35 AM, Wu, James C. a Úcrit :
> The apacheDS version I am using is apacheds-2.0.0-M11-64bit.bin
>
> When I switched the JVM to Oracle JVM by installing áthe ájdk-7u17-linux-x64.rpm from Oracle, I even get NullPointerException. See the following stack trace.

AES256 is not included by default in the standard J2SE installation. You have to install JCE in order to be able to use AES 256.


--
Regards,
Cordialement,
Emmanuel LÚcharny
www.iktek.com




--
Kiran Ayyagari
http://keydap.com