Java Security

krb_error 24 Pre-authentication information was invalid (24) Pre-authentica

843810 Jul 9 2009 — edited Jul 9 2009
Hi:

I'm trying to set up/configure SSO between WebLogic 10g and Microsoft AD/Clients as described in the WebLogic documentation: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/sso.html#wp1101370

I have a Windows 2003 Server Domain Controller (with AD) and a VM with Windows 2003 Server with WebLogic 10g. The domain is called SSODEMO.MYDOMAIN.LOCAL and the machine is called oracledev7. The VM is called ssoweblogic and is registered as a machine in the domain. Each machine can access the other.

I followed the steps provided in the mentioned document until step 7 where I got stuck with the following error:
kinit -k -t weblogic.keytab weblogicuser@SSODEMO.MYDOMAIN.LOCAL
Exception: krb_error 24 Pre-authentication information was invalid 
  (24) Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 4 more
--------------------------------------------------------------
This is my SSO setup

===================================================
On AD Server

Created a user called: weblogicuser and set "Use DES encryption types for this account" option

setspn -a host/ssoweblogic ssoweblogic
setspn -a host/ssoweblogic.ssodemo.mydomain.local ssoweblogic

setspn -a HTTP/ssoweblogic weblogicuser
setspn -a HTTP/ssoweblogic.ssodemo.mydomain.local weblogicuser

setspn -l ssoweblogic
Registered ServicePrincipalNames for CN=SSOWEBLOGIC,CN=Computers,DC=ssodemo,DC=mydomain,DC=local:
HOST/SSOWEBLOGIC
HOST/ssoweblogic.ssodemo.mydomain.local

setspn -l weblogicuser
Output: Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=ssodemo,DC=mydomain,DC=local:
HTTP/ssoweblogic.ssodemo.mydomain.local
HTTP/ssoweblogic

ktpass -princ HOST/ssoweblogic@SSODEMO.MYDOMAIN.LOCAL -pass cw123-x -mapuser weblogicuser@SSODEMO.MYDOMAIN.LOCAL -ptype KRB5_NT_PRINCIPAL -out weblogic.keytab

===================================================
On Weblogic Server

ktab -k weblogic.keytab -a weblogicuser@SSODEMO.MYDOMAIN.LOCAL
Password: ************

kinit -k -t C:\bea\user_projects\domains\sso_domain\weblogic.keytab weblogicuser@SSODEMO.CRIMSONWING.LOCAL

--------------------------------------------------------------


Any help would be appreciated,
Albert
Locked on Aug 6 2009
Added on Jul 9 2009
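
An added example, not part of the original post or of any Oracle or WebLogic tooling: a Python parser for the version 0x0502 keytab file layout that lists the principal, key version number and encryption type of each entry, so the contents of a file such as weblogic.keytab can be compared with the principal passed to kinit. The sample bytes and the names `parse_keytab`, `parse_entry`, `cs`, `REC` and `SAMPLE` are constructed for illustration.

```python
import struct

# Subset of the registered Kerberos encryption type numbers.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_entry(rec):
    """Decode one keytab record into (principal, kvno, enctype name)."""
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    off = 2
    def counted():                      # 16-bit length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        off += 2 + n
        return rec[off - n:off]
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    # Name type and timestamp (4 bytes each) precede the 8-bit kvno and the enctype.
    kvno, etype = struct.unpack_from(">BH", rec, off + 8)
    off += 11
    counted()                           # key bytes are skipped, never returned
    if len(rec) - off >= 4:             # optional 32-bit kvno overrides if non-zero
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return (name + "@" + realm, kvno, ENCTYPES.get(etype, "etype %d" % etype))

def parse_keytab(data):
    """List the entries of a version 0x0502 (big-endian) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                   # zero size ends the entry list
            break
        if size < 0:                    # negative size marks a deleted entry (hole)
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def cs(b):                              # helper used only to build the sample
    return struct.pack(">H", len(b)) + b
# Constructed sample: one HOST/ssoweblogic entry, kvno 3, des-cbc-md5, all-zero key.
REC = (struct.pack(">H", 2) + cs(b"SSODEMO.MYDOMAIN.LOCAL") + cs(b"HOST")
       + cs(b"ssoweblogic") + struct.pack(">IIBH", 1, 0, 3, 3) + cs(bytes(8)))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(REC)) + REC
```

To inspect a real file, pass its bytes (`open(path, "rb").read()`) to `parse_keytab`; key material is never returned or printed.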