JDK-6228529 : JDK on Windows does not wait for preauthorizaion record from Kerberos and causes an error
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 1.4.0,1.4.1_03
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_8,windows_2000
  • CPU: generic,x86
  • Submitted: 2005-02-11
  • Updated: 2010-12-07
  • Resolved: 2005-08-19
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other JDK 6
1.4.2_14Fixed 6 betaFixed
Related Reports
Duplicate :  
JDK-4460767 - GSS-Krb5 mechananism should support KRB-ERROR token encapsulation
Relates :  
JDK-2134681 - krb5 shouldn't use an empty salt field in KRB_ERROR
Description
JDK on Windows 2003 passes value to Kerberos and does not wait for Kerberos to return a "salt" value.  As a result, the following error is generated:
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:62)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:308)
        at sun.security.krb5.KrbAsReq.getReply(DashoA6275:271)
        at sun.security.krb5.internal.tools.Kinit.<init>(DashoA6275:264)
        at sun.security.krb5.internal.tools.Kinit.main(DashoA6275:104)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.af.a(DashoA6275:129)
        at sun.security.krb5.internal.au.a(DashoA6275:58)
        at sun.security.krb5.internal.au.<init>(DashoA6275:53)
        at sun.security.krb5.KrbAsRep.<init>(DashoA6275:48)
        ... 4 more

This is because Windows is a case insensitive platform.  This does not happen on Solaris.  There are two defects "around" this issue, which basically have been "documented out" in J2SE 1.5x (4946917, 4963731).  The customer sees this with the kinit example and with their own code.
###@###.### 2005-2-11 23:07:53 GMT
Comments
WORK AROUND NOTE: If you use the Kerberos principal name as specified in the Active Directory account setting, it should all work correctly. ###@###.### 2005-2-18 19:52:32 GMT
18-02-2005
EVALUATION This is a known issue. By convention Kerberos principal names are case-sensitive. However, on Windows, due to issue of case-insensitivity, mix-in Kerberos principal names are not accepted by the Active Diretory. Latest Kerberos specifications have defined new preauthention types to better handle the mix-in Kerberos principal names. Currently Java GSS/Kerberos does not support these new preauth types, hence the error. NOTE: However if you use the Kerberos principal name as specified in the Active Directory account setting, it should all work correctly. Support for these new preauth types is in the works, and will be available soon. ###@###.### 2005-2-18 19:52:31 GMT I have added support for the new Pre-authentication types, as per the latest Kerberos specification. This resolves the reported issue when using Windows KDC, and allows user to use mixed-case Kerberos Principal names.
18-02-2005