JDK-8033120 : JWS doesn't get authenticated when using kerberos
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7u45
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2014-01-29
  • Updated: 2014-11-28
  • Resolved: 2014-09-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u76 b01Fixed
Related Reports
Blocks :  
Blocks :  
Blocks :  
From network capture, customer saw AS-REP "KRB5KDC_ERR_PREAUTH_REQUIRED" and
"KRBKDC_ERR_PREAUTH_FAILED" when allowtgtsessionkey = 0 for request
krbtgt/DOMAIN to AD server.
With kinit it seems to be working fine for the customer

with latest logs we do not see 
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ 

so the Additional pre-authentication issue is ruled out.

we see a new message :

KrbException: Message stream modified (41)

and the exception is at
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:70)

Closed | Not verified: Issue was fixed by composition of 3 others. No testcase specific to this issue provided.

The fix is based on 3 bugs : https://bugs.openjdk.java.net/browse/JDK-8028351 https://bugs.openjdk.java.net/browse/JDK-8016594 https://bugs.openjdk.java.net/browse/JDK-8031046