0 Replies Latest reply on Jan 5, 2011 7:03 PM by ccaung

    JBoss 5.0.1 and Kerberos error - Pre-authentication information was invalid (24)

    ccaung

      Hi

       

      We're upgrading our application from JBoss 4.0.3SP1 to JBoss 5.0.1 with JDK 1.6.0_22.

      We're using Kerberos for the authentication with SSL and getting the following error.

      JBoss is running on the development machine - Windows XP Professional.

       

       

      I'm using the correct user name and password, and a similar configuration works on JBoss 4.0.3SP1.

       

      Below are the error messages and the extracts of JBoss configuration files.

       

      Any help would be appreciated.

       

      thanks

       

      Error Details:

      2011-01-06 09:58:57,606 INFO  [STDOUT] (RMI TCP Connection(9)-127.0.0.1) Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      2011-01-06 09:58:57,606 INFO  [STDOUT] (RMI TCP Connection(9)-127.0.0.1)   [Krb5LoginModule] user entered username: caung
      2011-01-06 09:58:57,621 INFO  [STDOUT] (RMI TCP Connection(9)-127.0.0.1) Acquire TGT using AS Exchange
      2011-01-06 09:58:57,684 INFO  [STDOUT] (RMI TCP Connection(9)-127.0.0.1)   [Krb5LoginModule] authentication failed
      Pre-authentication information was invalid (24)
      2011-01-06 09:58:57,684 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (RMI TCP Connection(9)-127.0.0.1) Error in Security Interceptor
      java.lang.SecurityException: Authentication exception, principal=caung@CORP.HN.COM
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      ....

       

      JBoss configuration Files are configured as below:

       

      jboss-service.xml

      ....

      <mbean code="org.jboss.varia.property.SystemPropertiesService"
             name="jboss.util:type=Service,name=SystemProperties">
          <attribute name="Properties">
              java.security.krb5.conf=C:/dev/srv/jboss-5.0.1.GA/server/krb5.conf
          </attribute>
      </mbean>

      <!-- The SSL domain setup -->
      <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
             name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
          <constructor>
              <arg type="java.lang.String" value="RMI+SSL"/>
          </constructor>
          <attribute name="KeyStoreURL">ps.keystore</attribute>
          <attribute name="KeyStorePass">xx.yy.in</attribute>
      </mbean>

      ...

      login-config.xml

      <policy>
          <!-- Used by clients within the application server VM such as
               mbeans and servlets that access EJBs.
          -->
          <application-policy name="ps">
              <authentication>
                  <!-- This module authenticates the user via kerberos -->
                  <!-- The sun module must be used for deployments to windows machines -->
                  <!-- This module simply adds the 'users' role to the authenticated user -->
                  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                      <module-option name="debug">true</module-option>
                  </login-module>
              </authentication>
          </application-policy>
      ....

       

      jrmp_invoker_service.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      <Server>
          <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
             name="jboss:service=invoker,type=jrmp,socketType=SSL">
              <attribute name="RMIObjectPort">14445</attribute>
              <attribute name="RMIClientSocketFactory">
                  org.jboss.security.ssl.RMISSLClientSocketFactory
              </attribute>
              <attribute name="RMIServerSocketFactory">
                  org.jboss.security.ssl.RMISSLServerSocketFactory
              </attribute>
              <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
              <depends>jboss:service=TransactionManager</depends>
              <depends>jboss.security:service=JaasSecurityDomain,domain=RMI+SSL</depends>
          </mbean>
      </Server>

       

      Note: The keystore file and krb5 config file are present; below are the krb5 config file details:

       

      krb5.conf file

      [libdefaults]
              default_realm = CORP.HN.COM
              default_tkt_enctypes = des-cbc-md5 des-cbc-crc
              default_tgs_enctypes = des-cbc-md5 des-cbc-crc

              udp_preference_limit = 1

      [realms]
              HN.COM = {
                      kdc = XX004.hn.com:88
                      kdc = XX009.hn.com:88
                      admin_server = XX004.hn.com:749
                      default_domain = hn.com
              }
              CORP.HN.COM = {
                      kdc = XX003.corp.hn.com:88
                      kdc = XX007.corp.hn.com:88
                      admin_server = XX003.corp.hn.com:749
                      default_domain = corp.hn.com
              }

      [domain_realm]
              .corp.hn.com = CORP.HN.COM
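
An added example, not part of the original post: a Python check of the krb5.conf shown above for what can be verified offline, namely that `default_realm` has a `kdc` entry under `[realms]` and whether the enctype lists contain only single-DES types (deprecated for Kerberos by RFC 6649). The function names and the inline sample are constructed for illustration; the check does not diagnose error 24 itself.

```python
import re

# Constructed sample: [libdefaults] and the CORP.HN.COM realm from the post's krb5.conf.
KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.HN.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    CORP.HN.COM = {
        kdc = XX003.corp.hn.com:88
    }
"""

WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}  # single-DES (RFC 6649)

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) parsed from krb5.conf text."""
    libdefaults, realms, section, current = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif line == "}":                        # end of a realm block
            current = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                current = realms.setdefault(key, [])
            elif section == "realms" and current is not None and key == "kdc":
                current.append(value)
    return libdefaults, realms

def audit(text):
    """List offline-checkable findings: missing KDC entry, single-DES-only enctypes."""
    libdefaults, realms = parse_krb5_conf(text)
    findings = []
    default_realm = libdefaults.get("default_realm")
    if not realms.get(default_realm):
        findings.append(f"no kdc configured for default_realm {default_realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        enctypes = set(libdefaults.get(key, "").replace(",", " ").split())
        if enctypes and enctypes <= WEAK_ENCTYPES:
            findings.append(f"{key} lists only single-DES enctypes: {sorted(enctypes)}")
    return findings
```

Calling `audit(KRB5_CONF)` on the sample returns one finding for each of the two enctype lines and none for the realm mapping.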