JBoss 5.0.1 and Kerberos error - Pre-authentication information was invalid (24)
ccaung Jan 5, 2011 7:03 PM
Hi
We're upgrading our application from JBoss 4.0.3SP1 to JBoss 5.0.1 with JDK 1.6.0_22.
We're using Kerberos for authentication with SSL and are getting the following error.
JBoss is running on the development machine - Windows XP Professional.
I'm using the correct user name and password, and a similar configuration works on JBoss 4.0.3SP1.
Below are the error messages and extracts of the JBoss configuration files.
Any help would be appreciated.
Thanks
Error Details:
2011-01-06 09:58:57,606 INFO [STDOUT] (RMI TCP Connection(9)-127.0.0.1) Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-01-06 09:58:57,606 INFO [STDOUT] (RMI TCP Connection(9)-127.0.0.1) [Krb5LoginModule] user entered username: caung
2011-01-06 09:58:57,621 INFO [STDOUT] (RMI TCP Connection(9)-127.0.0.1) Acquire TGT using AS Exchange
2011-01-06 09:58:57,684 INFO [STDOUT] (RMI TCP Connection(9)-127.0.0.1) [Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
2011-01-06 09:58:57,684 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (RMI TCP Connection(9)-127.0.0.1) Error in Security Interceptor
java.lang.SecurityException: Authentication exception, principal=caung@CORP.HN.COM
    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
    at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
    at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
    at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
    at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
    at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
    at org.jboss.ejb.Container.invoke(Container.java:1046)
....
The JBoss configuration files are configured as below:
jboss-service.xml
....
<mbean code="org.jboss.varia.property.SystemPropertiesService"
       name="jboss.util:type=Service,name=SystemProperties">
  <attribute name="Properties">
    java.security.krb5.conf=C:/dev/srv/jboss-5.0.1.GA/server/krb5.conf
  </attribute>
</mbean>
<!-- The SSL domain setup -->
<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
       name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
  <constructor>
    <arg type="java.lang.String" value="RMI+SSL"/>
  </constructor>
  <attribute name="KeyStoreURL">ps.keystore</attribute>
  <attribute name="KeyStorePass">xx.yy.in</attribute>
</mbean>
...
login-config.xml
<policy>
  <!-- Used by clients within the application server VM such as
       mbeans and servlets that access EJBs.
  -->
  <application-policy name="ps">
    <authentication>
      <!-- This module authenticates the user via kerberos -->
      <!-- The sun module must be used for deployments to windows machines -->
      <!-- This module simply adds the 'users' role to the authenticated user -->
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="debug">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
....
jrmp_invoker_service.xml
<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
         name="jboss:service=invoker,type=jrmp,socketType=SSL">
    <attribute name="RMIObjectPort">14445</attribute>
    <attribute name="RMIClientSocketFactory">
      org.jboss.security.ssl.RMISSLClientSocketFactory
    </attribute>
    <attribute name="RMIServerSocketFactory">
      org.jboss.security.ssl.RMISSLServerSocketFactory
    </attribute>
    <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
    <depends>jboss:service=TransactionManager</depends>
    <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
  </mbean>
</Server>
Note: The keystore file and krb5 config file are present; below are the krb5 config file details:
krb5.conf file
[libdefaults]
  default_realm = CORP.HN.COM
  default_tkt_enctypes = des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = des-cbc-md5 des-cbc-crc
  udp_preference_limit = 1
[realms]
  HN.COM = {
    kdc = XX004.hn.com:88
    kdc = XX009.hn.com:88
    admin_server = XX004.hn.com:749
    default_domain = hn.com
  }
  CORP.HN.COM = {
    kdc = XX003.corp.hn.com:88
    kdc = XX007.corp.hn.com:88
    admin_server = XX003.corp.hn.com:749
    default_domain = corp.hn.com
  }
[domain_realm]
  .corp.hn.com = CORP.HN.COM
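
An added example, not part of the original post: a small Python audit of the krb5.conf shown above that reports which enctype settings request single-DES types (deprecated for Kerberos by RFC 6649) and checks that the default realm names a KDC. The function names and the WEAK_ENCTYPES list are assumptions of this example, and the sample text is the post's file abridged to its default realm; the post does not establish whether these settings relate to the error it reports.

```python
import re

# Single-DES enctype names, deprecated for Kerberos by RFC 6649 (this example's own list).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# krb5.conf from the post, abridged to the default realm (other entries omitted).
SAMPLE = """\
[libdefaults]
default_realm = CORP.HN.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
CORP.HN.COM = {
kdc = XX003.corp.hn.com:88
kdc = XX007.corp.hn.com:88
}
"""

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a 'REALM = {' block becomes a nested dict."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def audit(conf):
    """List weak enctype settings and check that the default realm names a KDC."""
    lib, findings = conf.get("libdefaults", {}), []
    for key in ENCTYPE_KEYS:
        weak = [e for v in lib.get(key, []) for e in re.split(r"[\s,]+", v) if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append((key, weak))
    default = lib.get("default_realm", [""])[0]
    if not conf.get("realms", {}).get(default, {}).get("kdc"):
        findings.append(("default_realm", [default]))
    return findings

if __name__ == "__main__":
    print(audit(parse_krb5_conf(SAMPLE)))
```

An empty result means no single-DES enctype is requested and the default realm lists at least one KDC.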