JDK-8227381 : GSS login fails with PREAUTH_FAILED
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 11,13
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2019-07-08
  • Updated: 2020-10-12
  • Resolved: 2019-07-10
Fix versions
  • JDK 11: 11.0.6 (Fixed)
  • JDK 13: 13 b29 (Fixed)
  • JDK 14: 14 (Fixed)
  • JDK 8: 8u270 (Fixed)
  • Other: openjdk8u242 (Fixed)
Description
KRBError received: PREAUTH_FAILED
		[Krb5LoginModule] authentication failed 
Pre-authentication information was invalid (24) - PREAUTH_FAILED
java.lang.RuntimeException: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
	at GSSHelper.login(GSSHelper.java:770)
	at GSSHelper$Client.execute(GSSHelper.java:178)
	at GSSHelper.runImpersonateTest(GSSHelper.java:118)
	at GSSHelper.runImpersonateTest(GSSHelper.java:84)
	at GssSeamToSeamTest.main(GssSeamToSeamTest.java:26)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:567)
	at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:127)
	at java.base/java.lang.Thread.run(Thread.java:830)
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
	at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
	at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
	at java.base/java.security.AccessController.doPrivileged(AccessController.java:690)
	at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
	at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
	at GSSHelper.login(GSSHelper.java:763)
	... 10 more
Caused by: KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
	at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:341)
	at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:443)
	at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:743)
	... 18 more
Caused by: KrbException: Identifier doesn't match expected value (906)
	at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
	at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
	at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
	at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
	... 21 more
Comments
Fix request (11u)

11u is affected by this bug after the backport of 8215032. I'd like to request an approval. Patch applies cleanly and the risk is minimal.
04-11-2019

URL: https://hg.openjdk.java.net/jdk/jdk13/rev/4722e5e28449
User: weijun
Date: 2019-07-10 01:44:05 +0000
10-07-2019

When the client is talking to an old KDC that does not support referrals and only knows DES, it fails like this:

    c: PA_REQ_ENC_PA_REP
    s: KDC_ERR_PREAUTH_FAILED
    c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
    s: KDC_ERR_PREAUTH_FAILED
    c: <fallback to no referrals> PA_ENC_TIMESTAMP using aes256-cts
    s: KDC_ERR_PREAUTH_FAILED
    c: <fail because too many KDC_ERR_PREAUTH_FAILED>

With this fix, whenever there is a referrals state change (fallback to no referrals, change realm), the preauth state (pakey and preAuthFailedOnce) is reset, so it will be:

    c: PA_REQ_ENC_PA_REP
    s: KDC_ERR_PREAUTH_FAILED
    c: PA_REQ_ENC_PA_REP + PA_ENC_TIMESTAMP
    s: KDC_ERR_PREAUTH_FAILED
    c: <fallback to no referrals with no PAData>
    s: KDC_ERR_PREAUTH_REQUIRED suggesting des-cbc-md5
    c: PA_ENC_TIMESTAMP using des-cbc-md5
    s: AS-REP
    c: <Hooray!>
09-07-2019

The old KDC server cannot deal with PA_REQ_ENC_PA_REP and always returns PREAUTH_FAILED. The client fails twice (first with only PA_REQ_ENC_PA_REP and second with both PA_REQ_ENC_PA_REP and PA_ENC_TIMESTAMP), and then has to turn off referrals to make a last try with PA_ENC_TIMESTAMP, but the KDC is old and does not support AES-CTS etype (because it has no chance to tell the client what etype it supports) and fails again with PREAUTH_FAILED. The client is exhausted and does not try anymore.
09-07-2019
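
The retry sequence from the two comments above, as a simplified model added here (not JDK code and not written by the commenters). The class and method names are hypothetical, the KDC is a constructed stub that behaves as the comments describe, and the model assumes PA_REQ_ENC_PA_REP is sent only while referrals are enabled and that aes256-cts is the client's default etype, as the traces imply.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (not JDK code) of the AS-REQ retry loop discussed in the comments.
public class PreauthResetDemo {

    // Constructed "old KDC": rejects any request carrying PA_REQ_ENC_PA_REP, only knows DES.
    static String oldKdc(boolean encPaRep, String tsEtype) {
        if (encPaRep) return "KDC_ERR_PREAUTH_FAILED";
        if (tsEtype == null) return "KDC_ERR_PREAUTH_REQUIRED"; // hints des-cbc-md5
        return tsEtype.equals("des-cbc-md5") ? "AS-REP" : "KDC_ERR_PREAUTH_FAILED";
    }

    // resetOnReferralChange=false models the behaviour before the fix, true after it.
    static List<String> login(boolean resetOnReferralChange) {
        List<String> trace = new ArrayList<>();
        boolean referrals = true;          // PA_REQ_ENC_PA_REP is sent while this is true
        String pakey = null;               // etype of the PA_ENC_TIMESTAMP key, null = none
        boolean preAuthFailedOnce = false;
        while (true) {
            String reply = oldKdc(referrals, pakey);
            String pa = (referrals ? "PA_REQ_ENC_PA_REP " : "")
                    + (pakey != null ? "PA_ENC_TIMESTAMP(" + pakey + ")" : "");
            trace.add("c: " + (pa.isEmpty() ? "<no PAData>" : pa.trim()) + " -> s: " + reply);
            if (reply.equals("AS-REP")) return trace;
            if (reply.equals("KDC_ERR_PREAUTH_REQUIRED")) {
                pakey = "des-cbc-md5";     // etype taken from the KDC's hint
            } else if (!preAuthFailedOnce) {
                preAuthFailedOnce = true;  // one retry with the client's default etype
                pakey = "aes256-cts";
            } else if (referrals) {
                referrals = false;         // referrals state change: fall back
                if (resetOnReferralChange) { pakey = null; preAuthFailedOnce = false; }
            } else {
                trace.add("c: <fail because too many KDC_ERR_PREAUTH_FAILED>");
                return trace;
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("Before fix:");
        login(false).forEach(System.out::println);
        System.out.println("After fix:");
        login(true).forEach(System.out::println);
    }
}
```

Without the reset, the stale aes256-cts key and the already-set failure flag survive the fallback, so the KDC never gets to answer a request without PAData and advertise des-cbc-md5.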