directory-dev mailing list archives

From "Gaurav Verma (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSTUDIO-992) Unable to enable kerberos authentication to connect to Apache Directory Server
Date Wed, 03 Sep 2014 10:34:51 GMT
Gaurav Verma created DIRSTUDIO-992:
--------------------------------------

             Summary: Unable to enable kerberos authentication to connect to Apache Directory Server
                 Key: DIRSTUDIO-992
                 URL: https://issues.apache.org/jira/browse/DIRSTUDIO-992
             Project: Directory Studio
          Issue Type: Bug
          Components: studio-connection
    Affects Versions: 2.0.0-M8 (2.0.0.v20130628)
         Environment: Win 7 Professional 64 Bit
Apache Directory Server V 2.0.0-M17
Both Directory Server and Studio hosted on the same machine
            Reporter: Gaurav Verma
            Priority: Blocker


Trying to enable Kerberos authentication following the instructions given at https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html
Receiving exception:
javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) -
Integrity check on decrypted field failed
org.apache.directory.api.ldap.model.exception.LdapException: javax.security.auth.login.LoginException:
Integrity check on decrypted field failed (31) - Integrity check on decrypted field failed
User password is set to make use of SSHA hashing.
Tried running Studio with administrative privileges but that doesn't fix the issue.
DEBUG level Directory Server logs show the following entries:
INFO   | jvm 1    | 2014/09/03 15:57:14 | -------------------------------------------------------------------------------<
INFO   | jvm 1    | 2014/09/03 15:57:14 | 
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Received Authentication Service (AS) request:
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	messageType:           AS_REQ
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	protocolVersionNumber: 5
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	clientAddress:         127.0.0.1
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	nonce:                 1166672761
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	kdcOptions:            
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	clientPrincipal:       { name-type: KRB_NT_PRINCIPAL,
name-string : <'hnelson'> }
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	serverPrincipal:       { name-type: KRB_NT_SRV_INST,
name-string : <'krbtgt', 'EXAMPLE.COM'> }
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	encryptionType:        aes256-cts-hmac-sha1-96
(18), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1),
des-cbc-md5 (3)
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	realm:                 EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	from time:             null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	till time:             19700101000000Z
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	renew-till time:       null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	hostAddresses:         null
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- --> Selecting the EncryptionType
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96
(17), des3-cbc-sha1-kd (16), rc4-hmac (23), des-cbc-crc (1), des-cbc-md5 (3)].
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Session will use encryption type rc4-hmac (23).
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- --> Getting the client Entry
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.core.authn.AuthenticationInterceptor]
- Operation Context: SearchContext for Dn 'dc=security,dc=example,dc=com', filter :'(krb5PrincipalName=hnelson@EXAMPLE.COM)'
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.xdbm.search.impl.DefaultSearchEngine]
- Nb results : 1 for filter : (&:[1](krb5PrincipalName=hnelson@EXAMPLE.COM:[1])(#{SUBTREE_SCOPE
(Estimated), 'dc=security,dc=example,dc=com', DEREF_ALWAYS}))
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.protocol.shared.kerberos.StoreUtils]
- Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name
hnelson@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for kerberos principal name
hnelson@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- --> Verifying the policy
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- --> Verifying using SAM subsystem.
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- --> Verifying using encrypted timestamp.
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Entry for client principal hnelson@EXAMPLE.COM has no SAM type.  Proceeding with standard
pre-authentication.
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Decrypting data using key rc4-hmac (23) and usage ERR_603 AS-REQ PA-ENC-TIMESTAMP padata
timestamp, encrypted with the client key (1)
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Integrity check on decrypted field failed (31)
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG]
- Integrity check on decrypted field failed (31)
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- Responding to request with error:
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	explanatory text:      Integrity check on decrypted
field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	error code:            Integrity check on decrypted
field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	clientPrincipal:       null@null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	client time:           null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	serverPrincipal:       { name-type: KRB_NT_SRV_INST,
name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	server time:           20140903102714Z
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Responding to request with error:
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	explanatory text:      Integrity check on decrypted
field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	error code:            Integrity check on decrypted
field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	clientPrincipal:       null@null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	client time:           null
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	serverPrincipal:       { name-type: KRB_NT_SRV_INST,
name-string : <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | 	server time:           20140903102714Z
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler]
- /127.0.0.1:61504 SENT:  
INFO   | jvm 1    | 2014/09/03 15:57:14 | KRB-ERROR : {
INFO   | jvm 1    | 2014/09/03 15:57:14 |     pvno: 5
INFO   | jvm 1    | 2014/09/03 15:57:14 |     msgType: KRB_ERROR
INFO   | jvm 1    | 2014/09/03 15:57:14 |     sTime: 20140903102714Z
INFO   | jvm 1    | 2014/09/03 15:57:14 |     susec: 0
INFO   | jvm 1    | 2014/09/03 15:57:14 |     errorCode: Integrity check on decrypted field
failed
INFO   | jvm 1    | 2014/09/03 15:57:14 |     realm: EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 |     sName: { name-type: KRB_NT_SRV_INST, name-string
: <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
INFO   | jvm 1    | 2014/09/03 15:57:14 |     eText: Integrity check on decrypted field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | }
INFO   | jvm 1    | 2014/09/03 15:57:14 | 
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- /127.0.0.1:61504 SENT:  
INFO   | jvm 1    | 2014/09/03 15:57:14 | KRB-ERROR : {
INFO   | jvm 1    | 2014/09/03 15:57:14 |     pvno: 5
INFO   | jvm 1    | 2014/09/03 15:57:14 |     msgType: KRB_ERROR
INFO   | jvm 1    | 2014/09/03 15:57:14 |     sTime: 20140903102714Z
INFO   | jvm 1    | 2014/09/03 15:57:14 |     susec: 0
INFO   | jvm 1    | 2014/09/03 15:57:14 |     errorCode: Integrity check on decrypted field
failed
INFO   | jvm 1    | 2014/09/03 15:57:14 |     realm: EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 |     sName: { name-type: KRB_NT_SRV_INST, name-string
: <'krbtgt', 'EXAMPLE.COM'>realm: EXAMPLE.COM }
INFO   | jvm 1    | 2014/09/03 15:57:14 |     eText: Integrity check on decrypted field failed
INFO   | jvm 1    | 2014/09/03 15:57:14 | }
INFO   | jvm 1    | 2014/09/03 15:57:14 | 
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.ldap.LdapProtocolHandler]
- Cleaning the LdapSession : No Ldap session ... session 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
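
A triage sketch for logs like the one in this report, added here as an example and not part of the original message or of ApacheDS: it rejoins the hard-wrapped wrapper-log lines and extracts the principal, the offered and selected encryption types, and the KRB error code. The function names and the shortened sample are constructed for illustration; the RFC 4120 name for code 31 is the only value not taken from the log.

```python
import re

PREFIX = re.compile(r"^INFO\s+\|\s+jvm \d+\s+\|\s+\S+ \S+ \| ?")   # wrapper prefix
ETYPE = re.compile(r"([a-z0-9-]+) \((\d+)\)")                       # e.g. rc4-hmac (23)
RFC4120_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY"}

# Constructed sample: shortened lines in the shape of the report's log, wraps included.
SAMPLE = """\
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Encryption types requested by client [aes256-cts-hmac-sha1-96 (18), aes128-cts-hmac-sha1-96
(17), rc4-hmac (23)].
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Session will use encryption type rc4-hmac (23).
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] DEBUG [org.apache.directory.server.KERBEROS_LOG]
- Found entry uid=hnelson,ou=users,dc=security,dc=example,dc=com for principal hnelson@EXAMPLE.COM
INFO   | jvm 1    | 2014/09/03 15:57:14 | [15:57:14] WARN [org.apache.directory.server.KERBEROS_LOG]
- Integrity check on decrypted field failed (31)
"""

def unwrap(text):
    """Drop the wrapper prefix and append wrapped continuation lines to their record."""
    records = []
    for line in text.splitlines():
        if PREFIX.match(line):
            records.append(PREFIX.sub("", line).strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Summarise one AS exchange from the KDC debug log."""
    out = {"principal": None, "offered": [], "selected": None, "error": None}
    for rec in unwrap(text):
        if "Encryption types requested by client" in rec:
            out["offered"] = [int(n) for _, n in ETYPE.findall(rec)]
        elif m := re.search(r"Session will use encryption type \S+ \((\d+)\)", rec):
            out["selected"] = int(m.group(1))
        elif m := re.search(r"for principal (\S+@\S+)", rec):
            out["principal"] = m.group(1)
        elif m := re.search(r"WARN .*- (.+) \((\d+)\)\s*$", rec):
            out["error"] = (int(m.group(2)), m.group(1))
    # True when the KDC settled on something other than the client's first preference.
    out["not_first_choice"] = bool(out["offered"]) and out["selected"] != out["offered"][0]
    return out

if __name__ == "__main__":
    result = triage(SAMPLE)
    code = result["error"][0] if result["error"] else None
    print(result, RFC4120_ERRORS.get(code))
```
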
