
  • Spring Security Kerberos - Integrity Check on decrypted field failure

    I'm trying to get SPNEGO to work and am running into a problem that I *think* means that my service principal isn't matching what Windows Active Directory is receiving? Here is the exception:

    2010-02-19 21:45:39,742 INFO [STDOUT] (http-10.14.2.191-8080-1) Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
    2010-02-19 21:45:39,742 INFO [STDOUT] (http-10.14.2.191-8080-1) Try to validate Kerberos Token
    2010-02-19 21:45:39,758 INFO [STDOUT] (http-10.14.2.191-8080-1) Negotiate Header was invalid: Negotiate
    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:65)
    at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:127)
    at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:49)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:118)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:80)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:356)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:150)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
    at java.lang.Thread.run(Thread.java:619)
    Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:63)
    ... 30 more
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:135)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:125)
    ... 33 more
    Caused by: KrbException: Integrity check on decrypted field failed (31)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
    at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
    at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 41 more

  • #2
    I discovered the issue was related to my SPN not matching what the client browser was reporting to Active Directory when trying to get a ticket. Fixed that in the application and it's now working.

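Post #2 traces error 31 to an SPN mismatch. As an added example (not part of the thread and not Spring Security Kerberos code), the Python script below reads the service principal that the client's ticket was issued for out of the `Negotiate` header, so it can be compared with the principal configured on the server; the realm and sname fields of a Kerberos ticket sit outside its encrypted part. The function names, the `EXAMPLE.TEST` realm, the host names and the token built by `sample_header` are all constructed for illustration.

```python
import base64

def read_tlv(buf, pos, expect=None):  # one DER TLV -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or expect not in (None, tag):
        raise ValueError("truncated or unexpected TLV")
    return tag, pos, pos + length

def fields(buf, pos, expect):  # open the `expect` TLV at pos -> {tag: [(start, end), ...]}
    _, pos, end = read_tlv(buf, pos, expect)
    out = {}
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        out.setdefault(tag, []).append((vs, ve))
        pos = ve
    return out

def ticket_spn(negotiate_header):  # 'service/host@REALM', or None if no ticket is found
    tok = base64.b64decode("".join(negotiate_header.split()[1:]))
    for i in (j for j, b in enumerate(tok) if b == 0x61):  # Ticket is [APPLICATION 1]
        try:
            tkt = fields(tok, read_tlv(tok, i)[1], 0x30)
            _, rs, re_ = read_tlv(tok, tkt[0xA1][0][0], 0x1B)   # realm [1]
            sname = fields(tok, tkt[0xA2][0][0], 0x30)          # sname [2] PrincipalName
            names = fields(tok, sname[0xA1][0][0], 0x30)[0x1B]  # name-string [1]
            return "/".join(tok[a:b].decode() for a, b in names) + "@" + tok[rs:re_].decode()
        except (ValueError, IndexError, KeyError):
            continue  # a stray 0x61 byte that does not start a ticket
    return None

def spn_matches(negotiate_header, configured_spn):  # exact comparison (assumption)
    return ticket_spn(negotiate_header) == configured_spn

def _tlv(tag, v):  # sample builder only; every length here is <128 or >=256
    n = len(v)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + v

def sample_header(host="app.example.test"):  # constructed token, zero bytes for enc-part
    names = _tlv(0x30, _tlv(0x1B, b"HTTP") + _tlv(0x1B, host.encode()))
    sname = _tlv(0xA2, _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0xA1, names)))
    head = _tlv(0xA0, b"\x02\x01\x05") + _tlv(0xA1, _tlv(0x1B, b"EXAMPLE.TEST"))
    ticket = _tlv(0x61, _tlv(0x30, head + sname + _tlv(0xA3, bytes(300))))
    ap_req = _tlv(0x6E, _tlv(0x30, _tlv(0xA3, ticket)))
    gss = bytes.fromhex("06092a864886f712010202") + b"\x01\x00" + ap_req
    return "Negotiate " + base64.b64encode(_tlv(0x60, gss)).decode()
```

The validator logs the full header at INFO level, as in the first post, so the input can be copied from the server log; whitespace inside the base64 is ignored.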


    • #3
      Hello,

      Can you please elaborate a bit more on your workaround?

      Thanks very much,
      Savvas.
