
WDSSO authentication fails with Pre-authentication information was invalid error in AM/OpenAM (All versions)

Last updated Jul 4, 2019

The purpose of this article is to provide assistance if Windows Desktop SSO (WDSSO) authentication fails in AM/OpenAM. You will see error messages such as: "Pre-authentication information was invalid (24)", "Identifier doesn't match expected value (906)" and "Additional pre-authentication required".


Symptoms

The following error is shown in the Authentication debug log when authentication fails:

ERROR: Service Login Error: 
amAuthWindowsDesktopSSO:04/10/2019 15:22:01:379 AM EDT: Thread[http-nio-8443-exec-4,5,main]: TransactionId[e4916ce9-9e2c-4cf2-b248-924a0e585c86-1360]
Stack trace: 
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
   at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:497)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.serviceLogin(WindowsDesktopSSO.java:612)
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth(WindowsDesktopSSO.java:570)
   at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:149)
   at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1075)
   at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1273)
...
Caused by: KrbException: Pre-authentication information was invalid (24)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
   at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
   at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
   ... 102 more
Caused by: KrbException: Identifier doesn't match expected value (906)
   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
   at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
   at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
   ... 105 more

Errors similar to the following are shown in the catalina.out log when this happens (the output has been cut down to only leave the relevant messages): 

Looking for keys for: HTTP/openam.forgerock.com@FORGEROCK.COM
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
...
>>>KRBError:
  sTime is Wed Apr 10 15:22:01 EDT 2019 1554391078000
  suSec is 113308
  error code is 25
  error Message is Additional pre-authentication required
  sname is krbtgt/FORGEROCK.COM@FORGEROCK.COM
  eData provided.
  msgType is 30
...
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
...
>>>KRBError:
  sTime is Wed Apr 10 15:22:01 EDT 2019 1554391078000
  suSec is 144559
  error code is 24
  error Message is Pre-authentication information was invalid
  sname is krbtgt/FORGEROCK.COM@FORGEROCK.COM
  eData provided.
  msgType is 30

Recent Changes

N/A

Causes

There are several known reasons that can cause this error to occur. Typically, it is seen because of a mismatch between the data in the keytab file and the Active Directory® service account used to create the keytab file, for example after a password change on the service account.

Authentication will fail if the key from the keytab file cannot be used to obtain a valid Ticket Granting Ticket (TGT) from the KDC; the WDSSO authentication module needs this TGT to validate the Kerberos token that the client browser passes later in the authentication process.

The following are four known reasons for "Pre-authentication information was invalid (24)" when attempting login:

  1. The password entered is incorrect.
  2. If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
  3. Clock skew - If the time on the KDC and on the client differ significantly (typically 5 minutes), this error can be returned.
  4. The Kerberos realm name is not all uppercase.

Solution

This issue can be resolved by applying the appropriate solution depending on the cause:

  1. Verify the password. A new keytab file needs to be created each time the password is changed/updated for the Service account.
  2. Consult your Kerberos documentation to generate a new keytab, and use that keytab file.
  3. Synchronize the clocks (or have a system administrator do so).
  4. Make the Kerberos realm name all uppercase. It is recommended to have all uppercase realm names. For example, @FORGEROCK.COM. See Naming Conventions for Realm Names and Hostnames.  

As in the case with realm names, you also need to ensure that the above naming conventions are applied to the Service Principal Name (SPN). For example, HTTP/host1.example.com@FORGEROCK.COM. See How do I troubleshoot WDSSO and Kerberos issues in AM/OpenAM (All versions)? The following sections provide a worked example that shows the recommended realm and principal naming conventions and how to check the SPN.
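As an added illustration (not ForgeRock's own code or tooling), the POSIX shell functions below package the checks this article describes: that a realm is all uppercase and an SPN has the service/host@REALM form, that the KDC and local clocks are within the usual five-minute tolerance, which Kerberos error codes appear in a catalina.out excerpt, and, where klist and kinit (MIT Kerberos or Heimdal) are installed, whether the keytab's key still obtains a TGT for the principal. The function names, the 300-second threshold, the keytab path placeholder and the sample log lines are assumptions of this example; the principal and realm values are the ones the article uses.

```shell
#!/bin/sh
# Added example (not part of the ForgeRock article): WDSSO keytab and naming checks.
# Function names, thresholds and sample data below are constructed for this example.

# check_principal NAME -> 0 if NAME is service/host@REALM with an all-uppercase realm
check_principal() {
    p="$1"
    case "$p" in
        *@*@*|@*|*@|"") return 1 ;;   # two '@', empty service part, empty realm, or empty input
        *@*) ;;
        *) return 1 ;;                 # no realm at all
    esac
    realm="${p##*@}"
    svc="${p%@*}"
    # the realm must be all uppercase, e.g. FORGEROCK.COM
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 1
    # an SPN must carry a service and a host, e.g. HTTP/host1.example.com
    case "$svc" in ?*/?*) ;; *) return 1 ;; esac
    return 0
}

# clock_skew_ok KDC_EPOCH_MS LOCAL_EPOCH_S -> 0 if the two clocks differ by under 300 s.
# The KDC time is taken in milliseconds because that is how the JDK prints sTime
# in the KRBError block (the trailing number after the date).
clock_skew_ok() {
    kdc_s=$(( $1 / 1000 ))
    diff=$(( $2 - kdc_s ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -lt 300 ]
}

# krb_error_codes LOGFILE -> one Kerberos error code per line, in log order
krb_error_codes() {
    awk '/error code is/ { print $4 }' "$1"
}

# explain_code CODE -> the meaning this article gives for the code
explain_code() {
    case "$1" in
        24) echo "pre-authentication failed: wrong password, stale keytab, clock skew, or lowercase realm" ;;
        25) echo "KDC requested pre-authentication; the JDK re-sends the AS-REQ, so this alone is not the failure" ;;
        *)  echo "error code $1: see the error code list in RFC 4120" ;;
    esac
}

# keytab_check KEYTAB PRINCIPAL -> live test; needs klist and kinit and access to the KDC
keytab_check() {
    keytab="$1"; principal="$2"
    check_principal "$principal" || { echo "principal does not follow the naming conventions: $principal"; return 1; }
    klist -k "$keytab" | grep -qF "$principal" || { echo "principal not found in $keytab"; return 1; }
    # kinit with the keytab obtains a TGT only if the stored key matches the account's current password
    kinit -k -t "$keytab" "$principal" || { echo "kinit failed: regenerate the keytab after any password change"; return 1; }
    echo "TGT obtained with $keytab for $principal"
}

# Usage of the live part (placeholder keytab path):
#   keytab_check /path/to/openam.keytab HTTP/openam.forgerock.com@FORGEROCK.COM
# Usage of the clock check, with the sTime value copied from a KRBError block:
#   clock_skew_ok 1554391078000 "$(date +%s)" || echo "clock skew exceeds 5 minutes"
```

The offline functions run anywhere; keytab_check is the only one that contacts the KDC, and it stops at the first failed step so that a naming problem is reported before a stale key is blamed.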

See Also

Configuring and troubleshooting WDSSO in AM/OpenAM

How do I enable debug logging for troubleshooting WDSSO and Kerberos issues in AM/OpenAM (All versions)?

Authentication and Single Sign-On Guide › Windows Desktop SSO Authentication Module

RFC 4120 - Kerberos Network Authentication Service (V5)

Kerberos Requirements

OpenAM Windows Desktop SSO deep dive – part 1

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2019 ForgeRock, all rights reserved.