Login Error when authenticating with Kerberos

yogsma · Mar 2, 2017 · Viewed 9.7k times

We are facing an interesting problem. Users log in to the application with Kerberos authentication. A few times they are successful, but suddenly their user login information gets locked out and they see the error below on their screen:

Login error: com.ibm.security.krb5.KrbException, status code: 24
    message: Pre-authentication information was invalid
Stack Trace : 
javax.security.auth.login.FailedLoginException: Login error: com.ibm.security.krb5.KrbException, status code: 24
    message: Pre-authentication information was invalid
    at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:33)
    at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:457)
    at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:377)
    at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:200)
    at sun.reflect.GeneratedMethodAccessor36.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
    at java.lang.reflect.Method.invoke(Method.java:620)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:781)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:215)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:706)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:704)
    at java.security.AccessController.doPrivileged(AccessController.java:452)

When we restart the WebSphere application servers, everything works for the same users until they face the issue again. We have tried checking the logs and changing the keytab file, but nothing has worked. Has anyone faced this issue?

Answer

olivierg · Mar 6, 2017

It might be linked to a time (NTP) issue.

Kerberos pre-authentication uses a timestamp as far as I know (to generate one-time passwords), so I bet an NTP issue could cause that kind of problem.

Also, credentials not being destroyed could lead to such problems I suppose (e.g. users not logged off correctly).

Check that all your servers (appservers where the app is running, as well as the Kerberos KDC) are synchronized with an NTP server and have the exact same time.
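Added example, not part of the question or the answer above: a toy model of the encrypted-timestamp pre-authentication step the answer refers to (RFC 4120, section 5.2.7.2), followed by the clock check the answer recommends. In the RFC the KDC first verifies that the timestamp decrypts under the user's long-term key and only then checks that it falls within the allowed clock skew; a key mismatch yields KDC_ERR_PREAUTH_FAILED (code 24, the status code in the question's stack trace), while a timestamp outside the window yields KRB_AP_ERR_SKEW (code 37). HMAC-SHA256 over a PBKDF2-derived key stands in for a real Kerberos encryption type, the realm/principal salt and password are constructed, the 300-second window is the MIT krb5 default, and the `ntpq -p` output is constructed sample data.

```python
import hashlib
import hmac
import json

# KRB-ERROR codes from RFC 4120 section 7.5.9
KDC_ERR_PREAUTH_FAILED = 24   # "Pre-authentication information was invalid" (the question's code)
KRB_AP_ERR_SKEW = 37          # "Clock skew too great"
MAX_CLOCK_SKEW = 300          # seconds; MIT krb5 default for clockskew


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (constructed; not a real etype)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def client_make_pa_enc_timestamp(key: bytes, client_time: int) -> bytes:
    """Client side: seal the current clock reading under the user's key."""
    body = json.dumps({"patimestamp": int(client_time)}).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def kdc_check_pa_enc_timestamp(blob: bytes, key: bytes, kdc_time: int,
                               max_skew: int = MAX_CLOCK_SKEW) -> int:
    """KDC side: verify the seal first, then the time window.
    Returns 0 on success or the KRB-ERROR code the KDC would send."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return KDC_ERR_PREAUTH_FAILED      # wrong key: indistinguishable from a bad password
    ts = json.loads(body)["patimestamp"]
    if abs(ts - int(kdc_time)) > max_skew:
        return KRB_AP_ERR_SKEW             # clocks disagree by more than the window
    return 0


def simulate_login(client_password: str, client_clock_offset: int,
                   real_password: str = "correct horse",
                   kdc_time: int = 1_488_412_800) -> int:
    """One AS exchange with the client's clock off by client_clock_offset seconds."""
    salt = "EXAMPLE.COMuser1"               # constructed realm + principal salt
    kdc_key = derive_key(real_password, salt)
    client_key = derive_key(client_password, salt)
    blob = client_make_pa_enc_timestamp(client_key, kdc_time + client_clock_offset)
    return kdc_check_pa_enc_timestamp(blob, kdc_key, kdc_time)


def parse_ntpq_offsets(ntpq_output: str) -> dict:
    """Pull the offset column (milliseconds) out of 'ntpq -p' peer lines."""
    offsets = {}
    for line in ntpq_output.splitlines()[2:]:   # skip the header and the ==== rule
        if line and line[0] in "*+#-x.o ":      # drop the peer-status tally character
            line = line[1:]
        fields = line.split()
        if len(fields) >= 9:                    # remote refid st t when poll reach delay offset ...
            offsets[fields[0]] = float(fields[8])
    return offsets


def peers_exceeding_skew(ntpq_output: str, max_skew_s: int = MAX_CLOCK_SKEW) -> list:
    """Peers whose offset alone would put a host outside the Kerberos window."""
    return [peer for peer, ms in parse_ntpq_offsets(ntpq_output).items()
            if abs(ms) / 1000 > max_skew_s]


# Constructed 'ntpq -p' output: one healthy peer, one host hundreds of seconds off.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.c 10.0.0.1         2 u   35   64  377    0.412   -1.234   0.210
 time2.example.c 10.0.0.2         2 u   12   64  377    1.005 412345.678   3.112
"""


if __name__ == "__main__":
    for pw, off in [("correct horse", 0), ("correct horse", 600), ("wrong", 0)]:
        print(f"password={pw!r} clock_offset={off:+d}s -> KRB error {simulate_login(pw, off)}")
    print("peers beyond skew window:", peers_exceeding_skew(SAMPLE_NTPQ))
```

Run the same `parse_ntpq_offsets` over the real `ntpq -p` output from every application server and from the KDC; any host whose offset approaches the 300-second window is a candidate for the intermittent failures described in the question, and the error code distinction above tells you whether the KDC is actually rejecting the key (24) or the clock (37).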