I hope this is a newbie question for you guys out there, since I've been googling for a solution for days with no luck so far.
I am trying to learn JAAS programming and got started from a very simple example where a client authenticates to Kerberos and sends messages to an echo server. I am using Kerberos from MIT and it's running on a Linux box. "krb5.conf" is as follows:
[libdefaults]
ticket_lifetime = 600
default_realm = AMAIL.COM
#default_tkt_enctypes = des-cbc-crc
#default_tgs_enctypes = des-cbc-crc
#permitted_enctypes = des-cbc-crc des-cbc-md5
[realms]
AMAIL.COM = {
kdc = amail1.amail.com:88
admin_server = amail1.amail.com:749
default_domain = amail.com
}
[domain_realm]
.amail.com = AMAIL.COM
amail.com = AMAIL.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
The configuration file for the echo server and client is as follows:
GSSClient{
com.sun.security.auth.module.Krb5LoginModule required debug=true;
};
GSSServer{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true debug=true;
};
The problem is, when I run the client programme, the server outputs:
"GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)"
However, when I uncomment "#permitted_enctypes = des-cbc-crc des-cbc-md5" in krb5.conf, the server outputs:
"GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))"
I can see that I authenticated to Kerberos successfully, but the server fails when exchanging tokens with the client. Do I need to do any configuration on the echo server side or even the client side (there's a krb5.ini file in the Windows folder and I modified it to have the same content as krb5.conf, and I found various sites that mentioned keytab files, but I am using username and password to authenticate client and server to Kerberos)? I've tried to run the server and client on both Java 1.5 and Java 1.6 but got the same errors. Following is the full output of the server:
Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: root
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=10.10.10.1 UDP:88, timeout=30000, number of retries =3, #bytes=139
KDCCommunication: kdc=10.10.10.1 UDP:88, timeout=30000,Attempt =1, #bytes=139
KrbKdcReq send: #bytes read=492
KrbKdcReq send: #bytes read=492
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbAsRep cons in KrbAsReq.getReply root
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
principal is root@AMAIL.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: FD 13 B5 83 FB 01 34 FB
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: FD 13 B5 83 FB 01 34 FB
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 32 91 53 F5 60 EB 32 9C 0E 1D EE A5 5E 88 A1 E9 2.S.`.2.....^...
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: F8 3D E5 C2 C1 9D 2A 67 52 68 70 54 D5 E9 D0 58 .=....*gRhpT...X
0010: 85 8F 5B BF F4 91 23 B9
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: E6 96 AD 05 B0 43 07 23 86 99 D6 DC 0E 7B 60 39 .....C.#......`9
Added server's keyKerberos Principal root@AMAIL.COMKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: FD 13 B5 83 FB 01 34 FB
[Krb5LoginModule] added Krb5Principal root@AMAIL.COM to Subject
Added server's keyKerberos Principal root@AMAIL.COMKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: FD 13 B5 83 FB 01 34 FB
[Krb5LoginModule] added Krb5Principal root@AMAIL.COM to Subject
Added server's keyKerberos Principal root@AMAIL.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 32 91 53 F5 60 EB 32 9C 0E 1D EE A5 5E 88 A1 E9 2.S.`.2.....^...
[Krb5LoginModule] added Krb5Principal root@AMAIL.COM to Subject
Added server's keyKerberos Principal root@AMAIL.COMKey Version 0key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: F8 3D E5 C2 C1 9D 2A 67 52 68 70 54 D5 E9 D0 58 .=....*gRhpT...X
0010: 85 8F 5B BF F4 91 23 B9
[Krb5LoginModule] added Krb5Principal root@AMAIL.COM to Subject
Added server's keyKerberos Principal root@AMAIL.COMKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: E6 96 AD 05 B0 43 07 23 86 99 D6 DC 0E 7B 60 39 .....C.#......`9
[Krb5LoginModule] added Krb5Principal root@AMAIL.COM to Subject
Commit Succeeded
Found key for root@AMAIL.COM(16)
Found key for root@AMAIL.COM(23)
Found key for root@AMAIL.COM(17)
Found key for root@AMAIL.COM(1)
Found key for root@AMAIL.COM(3)
GSSServer starts... Waiting for incoming connection
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 8bc7ac62
crc32: 10001011110001111010110001100010
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at GSSServer.run(GSSServer.java:130)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at GSSServer.startServer(GSSServer.java:91)
at GSSServer.main(GSSServer.java:66)
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
at sun.security.krb5.internal.crypto.DesCbcCrcEType.decrypt(DesCbcCrcEType.java:30)
at sun.security.krb5.internal.crypto.DesCbcCrcEType.decrypt(DesCbcCrcEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 7 more
Someone please help, as I've already spent a week searching for a solution to this problem. Thanks in advance!!
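Added example, not part of the question: a small Python triage script that reads Krb5LoginModule/JGSS debug output like the server log pasted above, collects the enctypes of the keys the acceptor derived from its password ("Found key for ..." lines), picks out the enctype of the incoming ticket (the "EType:" line after acceptSecContext starts) and classifies the checksum failure as either a missing key type or a key-material mismatch. The etype numbers come from the RFC 3961/4120 registry, the JDK class names beyond the two in the log are assumed from the OpenJDK sun.security.krb5 sources, and the sample log is an excerpt constructed from the output above.

```python
import re

# Kerberos encryption-type numbers (RFC 3961 / RFC 4120 registry).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
# Class names the JDK prints on "EType:" debug lines, mapped to etype numbers
# (DesCbcCrcEType and DesCbcMd5EType appear in the log; the rest are assumed).
JDK_ETYPE_CLASSES = {
    "DesCbcCrcEType": 1, "DesCbcMd5EType": 3, "Des3CbcHmacSha1KdEType": 16,
    "Aes128CtsHmacSha1EType": 17, "Aes256CtsHmacSha1EType": 18, "ArcFourHmacEType": 23,
}
FOUND_KEY = re.compile(r"Found key for (\S+)\((\d+)\)")
ETYPE_LINE = re.compile(r"EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")
GSS_ERROR = re.compile(r"GSSException: .*\(Mechanism level: (.+)\)$")

def triage(log_text):
    """Compare the incoming ticket's enctype with the keys the acceptor holds."""
    server_keys, ticket_etype, error, in_accept = set(), None, None, False
    for line in log_text.splitlines():
        if m := FOUND_KEY.search(line):          # keys derived from the server password
            server_keys.add(int(m.group(2)))
        if "acceptSecContext with state=STATE_NEW" in line:
            in_accept = True                     # EType lines after this describe the ticket
        if in_accept and ticket_etype is None and (m := ETYPE_LINE.search(line)):
            ticket_etype = JDK_ETYPE_CLASSES.get(m.group(1))
        if m := GSS_ERROR.search(line):
            error = m.group(1)
    name = ETYPE_NAMES.get(ticket_etype, ticket_etype)
    if ticket_etype is None:
        verdict = "no acceptor-side EType line; run the server with debug=true"
    elif ticket_etype not in server_keys:
        verdict = f"ticket is {name} but the acceptor holds no key of that type"
    elif error and ("Integrity check" in error or "Checksum failed" in error):
        verdict = (f"acceptor holds a {name} key, but it is not the key the KDC used "
                   "for the service ticket (key material mismatch: password, salt or kvno)")
    else:
        verdict = "ticket enctype is held and no checksum error was logged"
    return {"server_keys": server_keys, "ticket_etype": ticket_etype,
            "error": error, "verdict": verdict}

# Constructed excerpt of the server output quoted in the question above.
SAMPLE_LOG = """Found key for root@AMAIL.COM(16)
Found key for root@AMAIL.COM(23)
Found key for root@AMAIL.COM(17)
Found key for root@AMAIL.COM(1)
Found key for root@AMAIL.COM(3)
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
Entered Krb5Context.acceptSecContext with state=STATE_NEW
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
"""
```

Running `triage(SAMPLE_LOG)` on the excerpt reports that the acceptor does hold a des-cbc-crc key, so the failure is a mismatch between that key and the one the KDC used, not a missing enctype.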