Below are listed some problems that may occur when attempting a login, and suggestions for solving them.

java.security.krb5.kdc and java.security.krb5.realm. In previous releases, changes to the Kerberos configuration values would only take effect when an application was restarted. The refreshKrb5Config option can be specified in the entry for Krb5LoginModule in the JAAS configuration file. If this option is set to true, the configuration values will be refreshed before the login method of the Krb5LoginModule is called. refreshKrb5Config should be set to true. Failure to set this value can lead to unexpected results.

Cause: There was a problem processing the JAAS login configuration file, possibly due to a syntax error in the file.
Solution: Check the configuration file carefully for errors. See JAAS Login Configuration File for information about the syntax required in the login configuration file.

Cause 1: The password entered is incorrect.
Solution 1: Verify the password.

Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.

Cause 3: Clock skew - If the time on the KDC and on the client differ significantly (by more than the permitted skew, typically 5 minutes), this error can be returned.
Solution 3: Synchronize the clocks (or have a system administrator do so).

Cause 4: The Kerberos realm name is not all uppercase.
Solution 4: Make the Kerberos realm name all uppercase. Note: It is recommended to have all uppercase realm names. For details, refer to the Naming Conventions for the Realm Names and Hostnames section of this tutorial.

Cause: Kerberos requires the time on the KDC and on the client to be loosely synchronized. (The default is within 5 minutes.) If that's not the case, you will get this error.
Solution: Synchronize the clocks (or have a system administrator do so).

Cause: The default realm is not specified in the Kerberos configuration file krb5.conf (if used), provided as a part of the user name, or specified via the java.security.krb5.realm system property.
Solution: Verify that your Kerberos configuration file (if used) contains an entry specifying the default realm, or directly specify it by setting the value of the java.security.krb5.realm system property and/or including it in your user name when authenticating using Kerberos.

Solution: Verify that the Kerberos KDC is up and running.

Cause: This may occur if no valid Kerberos credentials are obtained. In particular, this occurs if you want the underlying mechanism to obtain credentials but you forgot to indicate this by setting the javax.security.auth.useSubjectCredsOnly system property value to false (for example via -Djavax.security.auth.useSubjectCredsOnly=false in your execution command).
Solution: Be sure to set the javax.security.auth.useSubjectCredsOnly system property value to false if you want the underlying mechanism to obtain credentials, rather than your application or a wrapper program (such as the Login utility used by some of the tutorials) performing authentication using JAAS.

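The following is an added example, not code from the tutorial: a keytab-based Kerberos login that sets in code the system properties and Krb5LoginModule options discussed above (java.security.krb5.realm and java.security.krb5.kdc, useKeyTab, refreshKrb5Config, javax.security.auth.useSubjectCredsOnly and sun.security.krb5.debug), and maps a failed login's message to the causes listed on this page. The realm, KDC, principal and keytab path are placeholders, the JAAS configuration is built with javax.security.auth.login.Configuration instead of a login configuration file, and the keyword matching in hintFor is a heuristic of this example, not an API of the Kerberos provider.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: a Krb5LoginModule login driven from code, with the
 * properties and options from the troubleshooting list set explicitly.
 */
public class KerberosLoginCheck {

    // Placeholder values (assumed); replace with your environment's settings.
    static final String REALM = "EXAMPLE.COM";            // realm names should be all uppercase
    static final String KDC = "kdc.example.com";
    static final String PRINCIPAL = "service/host.example.com@EXAMPLE.COM";
    static final String KEYTAB = "/etc/krb5.keytab";

    /** JAAS configuration built in code; equivalent to one Krb5LoginModule entry in a login configuration file. */
    static Configuration krb5Configuration() {
        Map<String, String> options = new HashMap<>();
        options.put("useKeyTab", "true");          // take the key from the keytab instead of prompting
        options.put("keyTab", KEYTAB);
        options.put("principal", PRINCIPAL);
        options.put("storeKey", "true");
        options.put("doNotPrompt", "true");
        options.put("refreshKrb5Config", "true");  // re-read realm/KDC settings before each login
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) {
        // Same effect as -Djava.security.krb5.realm=... -Djava.security.krb5.kdc=... on the command line.
        System.setProperty("java.security.krb5.realm", REALM);
        System.setProperty("java.security.krb5.kdc", KDC);
        // This program performs the JAAS login itself, so the GSS mechanism must use the Subject's
        // credentials; set this to "false" only when the mechanism should obtain credentials on its own.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        // Trace the Kerberos V5 exchange; include this output when reporting a problem.
        System.setProperty("sun.security.krb5.debug", "true");

        try {
            LoginContext lc = new LoginContext("KerberosLoginCheck", new Subject(), null, krb5Configuration());
            lc.login();
            System.out.println("Login succeeded; principals: " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException e) {
            System.err.println("Login failed: " + e.getMessage());
            System.err.println("Hint: " + hintFor(e.getMessage()));
        }
    }

    /** Heuristic mapping (this example's own) from common failure messages to the causes on this page. */
    static String hintFor(String message) {
        if (message == null) return "no message; keep sun.security.krb5.debug enabled and retry";
        String m = message.toLowerCase();
        if (m.contains("clock skew")) return "client and KDC clocks differ by more than the permitted skew; synchronize them";
        if (m.contains("pre-authentication") || m.contains("integrity check"))
            return "wrong password or a key that changed since the keytab was made; verify the password or regenerate the keytab";
        if (m.contains("default realm")) return "set java.security.krb5.realm, use krb5.conf, or include the realm in the user name";
        if (m.contains("receive timed out")) return "KDC unreachable; verify it is running and java.security.krb5.kdc is correct";
        if (m.contains("encryption type")) return "KDC does not support the requested encryption type; check the enctype tags in krb5.conf";
        return "check the JAAS login configuration and krb5.conf for syntax errors";
    }
}
```

Running this against a reachable KDC prints the Subject's principals on success; on failure the debug trace shows exactly which KDC exchange failed, and the hint points at the matching cause above.
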
Cause: The tutorials' sample execution commands specify the default Kerberos realm and KDC by setting values for the java.security.krb5.realm and java.security.krb5.kdc system properties. If you like, you can instead have a krb5.conf Kerberos configuration file used. Such a file includes information about what the default realm and KDC are. To use a krb5.conf file, you either set the system property java.security.krb5.conf (instead of the realm and kdc properties) to specify the location of the file, or you don't set any of these properties, in which case an attempt is made to locate the krb5.conf file in a default location. You will get the error "Could not load configuration file <krb5.conf> (No such file or directory)" if the file could not be found.
Solution: Verify that the Kerberos configuration file krb5.conf is available and readable. Check Kerberos Requirements for information about how to specify the location of the krb5.conf file and where such a file is searched for by default if you don't explicitly indicate the location.

Cause 1: Your KDC does not support the encryption type requested.
Solution 1: Sun's implementation of Kerberos supports the following encryption types: des-cbc-md5, des-cbc-crc and des3-cbc-sha1. Applications can select the desired encryption type by specifying the following tags in the Kerberos configuration file krb5.conf:

    [libdefaults]
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

If not specified, the default value is:

    des-cbc-md5 des-cbc-crc des3-cbc-sha1

Cause 2: This exception is thrown when using the native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added, and set correctly, to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value: 0x01 (default is 0)

By default, the value is 0; setting it to 0x01 allows a session key to be included in the TGT.

Here is the location of the registry setting on Windows XP SP2:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
    Value Name: allowtgtsessionkey
    Value Type: REG_DWORD
    Value: 0x01

Cause: The KDC sent a response that cannot be understood by the client.
Solution: Verify that you have set all the krb5.conf file configuration parameters correctly, and consult your KDC vendor's guide.

sun.security.krb5.debug to "true". This setting allows you to follow the program's execution of the Kerberos V5 protocol. If you send us feedback regarding a problem you are having, please include the complete debugging output.