ForgeRock Identity Platform
Does not apply to Identity Cloud

Kerberos authentication fails with Pre-authentication information was invalid error in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if Kerberos authentication fails in AM when using the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module. You will see error messages such as: "Pre-authentication information was invalid (24)", "Identifier doesn't match expected value (906)" and "Additional pre-authentication required".


Errors similar to the following are shown in the catalina.out log when Kerberos authentication fails (the output has been cut down to only leave the relevant messages):

Looking for keys for: HTTPS/
...
>>>KRBError:
sTime is Wed Jun 02 15:22:01 BST 2021 1554391078000
suSec is 113308
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/FORGEROCK.COM@FORGEROCK.COM
eData provided.
msgType is 30
...
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
...
>>>KRBError:
sTime is Wed Jun 02 15:22:01 BST 2021 1554391078000
suSec is 144559
error code is 24
error Message is Pre-authentication information was invalid
sname is krbtgt/FORGEROCK.COM@FORGEROCK.COM
eData provided.
msgType is 30
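The trace above contains two KRBError records, and only the second is the fault: error code 25 (Additional pre-authentication required) is the KDC's normal first reply to an AS-REQ that carries no pre-authentication, and the JDK answers it by re-sending the request with an encrypted timestamp (the "re-send AS-REQ" line). Error code 24 on the re-sent request means the KDC could not decrypt that timestamp with the key it holds for the principal, which is where the causes listed later in this article come in. The following Python script is an added example, not ForgeRock's code: it pulls the KRBError records out of a catalina.out excerpt, recovers the KDC's clock from the sTime and suSec fields, and compares it with the AM host's clock so that a clock-skew failure can be told apart from a key mismatch. The sample trace, the principal HTTPS/am.example.com@EXAMPLE.COM and the AM-side timestamp are all constructed for the example.

```python
"""Triage KRBError records from a JDK Kerberos debug trace (catalina.out).

Added example, not ForgeRock's code. Reads the KRBError blocks the JDK prints
when sun.security.krb5.debug=true and applies two of this article's checks:
is the AM host's clock within the KDC's tolerance, and is the realm in the
principal AM looks up all uppercase.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the catalina.out excerpt above. The number
# after the date is what java.util.Date.getTime() prints: epoch milliseconds
# for 15:22:01 BST (14:22:01 UTC) on 2021-06-02.
SAMPLE_TRACE = """\
Looking for keys for: HTTPS/am.example.com@EXAMPLE.COM
>>>KRBError:
	 sTime is Wed Jun 02 15:22:01 BST 2021 1622643721000
	 suSec is 113308
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/EXAMPLE.COM@EXAMPLE.COM
	 eData provided.
	 msgType is 30
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>>KRBError:
	 sTime is Wed Jun 02 15:22:01 BST 2021 1622643721000
	 suSec is 144559
	 error code is 24
	 error Message is Pre-authentication information was invalid
	 sname is krbtgt/EXAMPLE.COM@EXAMPLE.COM
	 eData provided.
	 msgType is 30
"""

MAX_SKEW = timedelta(minutes=5)   # the 5-minute tolerance this article refers to

KRB_ERROR_BLOCK = re.compile(
    r">>>KRBError:\s*sTime is .*?(\d{12,})\s*suSec is (\d+)\s*error code is (\d+)"
    r"\s*error Message is (.+?)\s*sname is (\S+)",
    re.S,
)
LOOKUP_LINE = re.compile(r"Looking for keys for:\s*(\S+)")


def parse_krb_errors(trace: str) -> list:
    """One dict per KRBError block; kdc_time is sTime+suSec as an aware UTC datetime."""
    errors = []
    for m in KRB_ERROR_BLOCK.finditer(trace):
        epoch_ms, usec, code, message, sname = m.groups()
        kdc_time = datetime.fromtimestamp(int(epoch_ms) / 1000, tz=timezone.utc)
        kdc_time = kdc_time.replace(microsecond=int(usec))
        errors.append({"code": int(code), "message": message.strip(),
                       "sname": sname, "kdc_time": kdc_time})
    return errors


def diagnose(trace: str, am_host_time_iso: str) -> list:
    """Map each KRBError onto the causes this article lists.

    am_host_time_iso is the AM server's own clock at the time of the request,
    e.g. the timestamp of the matching AuthTrees or amAuthWindowsDesktopSSO log
    line, as an ISO 8601 string with a UTC offset ("2021-06-02T14:22:01+00:00").
    """
    am_host_time = datetime.fromisoformat(am_host_time_iso)
    verdicts = []
    lookup = LOOKUP_LINE.search(trace)
    if lookup and "@" in lookup.group(1):
        realm = lookup.group(1).rsplit("@", 1)[1]
        if realm != realm.upper():
            verdicts.append(f"realm {realm} in the service principal is not all uppercase")
    for err in parse_krb_errors(trace):
        skew = abs(err["kdc_time"] - am_host_time)
        if err["code"] == 25:
            # KDC_ERR_PREAUTH_REQUIRED: the KDC's normal request for
            # pre-authentication; the client re-sends the AS-REQ. Not a fault.
            verdicts.append("code 25: pre-authentication requested (expected)")
        elif err["code"] == 24 and skew > MAX_SKEW:
            verdicts.append(f"code 24: clock skew of {int(skew.total_seconds())}s exceeds tolerance")
        elif err["code"] == 24:
            verdicts.append("code 24: keytab key does not match the KDC (wrong password or stale keytab)")
        else:
            verdicts.append(f"code {err['code']}: {err['message']}")
    return verdicts


if __name__ == "__main__":
    for line in diagnose(SAMPLE_TRACE, "2021-06-02T14:22:01+00:00"):
        print(line)
```

With the AM clock within a second of the KDC the script reports the code 24 as a key mismatch, which points at the keytab; pass an AM timestamp ten minutes out and the same record is reported as clock skew instead. In a real trace the AM-side timestamp comes from the AuthTrees or amAuthWindowsDesktopSSO line that shares the TransactionId, which is why enabling both debug outputs matters.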

Kerberos node

The following error is shown in the debug logs when this happens:

o.f.o.c.r.a.t.AuthTrees: 2021-06-02 14:26:10,790: Thread[catalina-exec-4]: TransactionId[165a569c-af36-4bcf-ad7f-a16f05746baf-6445] ERROR: Exception in processing the tree org.forgerock.openam.auth.node.api.NodeProcessException: Pre-authentication information was invalid (24) at org.forgerock.openam.auth.nodes.KerberosNode.serviceLogin( at org.forgerock.openam.auth.nodes.KerberosNode.process( at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process( at at at$evaluateTreeAndProcessResult$1( ... Caused by: Pre-authentication information was invalid (24) at at at java.base/ at java.base/$ at java.base/$ at java.base/ Method) at java.base/ at java.base/ at org.forgerock.openam.auth.nodes.KerberosNode.serviceLogin( ... 123 common frames omitted Caused by: Pre-authentication information was invalid (24)

WDSSO module

The following error is shown in the Authentication debug log when this happens:

ERROR: Service Login Error: amAuthWindowsDesktopSSO:04/10/2019 15:22:01:379 AM EDT: Thread[http-nio-8443-exec-4,5,main]: TransactionId[e4916ce9-9e2c-4cf2-b248-924a0e585c86-1360] Stack trace: Pre-authentication information was invalid (24) at at at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke( at sun.reflect.DelegatingMethodAccessorImpl.invoke( at java.lang.reflect.Method.invoke( at at$000( at$ at$ at Method) at at at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.serviceLogin( at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth( at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process( at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess( at com.sun.identity.authentication.spi.AMLoginModule.login( ... Caused by: KrbException: Pre-authentication information was invalid (24) at<init>( at at at ... 102 more Caused by: KrbException: Identifier doesn't match expected value (906) at at at<init>( at<init>( ... 105 more

Recent Changes



There are several known reasons for this error. Typically it is caused by a mismatch between the key in the keytab file and the Active Directory® Service account that was used to create the keytab file, for example because the Service account's password was changed.

Authentication fails if the key from the keytab file cannot be used to obtain a valid Ticket Granting Ticket (TGT) from the KDC; the Kerberos node or WDSSO module needs that TGT to validate the Kerberos token that the client browser passes later in the authentication process.

The following are four known reasons for "Pre-authentication information was invalid (24)" when attempting login:

  1. The password entered is incorrect.
  2. If you are using the keytab to get the key (for example, by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
  3. Clock skew - If the time on the KDC and on the client differ significantly (typically 5 minutes), this error can be returned.
  4. The Kerberos realm name is not all uppercase.


This issue can be resolved by applying the appropriate solution depending on the cause:

  1. Verify the password. A new keytab file must be created each time the Service account's password is changed.
  2. Consult your Kerberos documentation to generate a new keytab, and use that keytab file.
  3. Synchronize the clocks (or have a system administrator do so).
  4. Make the Kerberos realm name all uppercase; realm names should always be all uppercase, for example @FORGEROCK.COM. See Naming Conventions for Realm Names and Hostnames.

As with realm names, you must also apply the naming conventions above to the Service Principal Name (SPN). For example, HTTPS/ See How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?
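Two of the conditions above, a keytab that is stale because the Service account's password changed (causes 1 and 2) and a realm that is not all uppercase in the keytab or the SPN (cause 4 and the SPN note), can be checked from the keytab file alone before touching AM. The following Python script is an added example, not ForgeRock's code: it parses the keytab file format that ktpass and ktutil write (MIT format version 0x0502), lists each entry's principal, realm and key version number (kvno), and compares the kvno with the one the caller says the KDC currently holds. For an Active Directory service account that value is the account's msDS-KeyVersionNumber attribute, which increases every time the password is set, so a keytab whose kvno is lower than the account's was cut before the last password change. The principals, realms and keys in the sample are constructed; the keys are dummies because only the metadata is inspected.

```python
"""Inspect a keytab for the conditions this article ties to error 24.

Added example, not ForgeRock's code. Parses MIT keytab format 0x0502 (also
written by ktpass/ktutil) without contacting a KDC; the current kvno for each
principal is supplied by the caller (for AD: the account's msDS-KeyVersionNumber).
"""
from __future__ import annotations
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str      # e.g. HTTP/am.example.com
    realm: str
    kvno: int
    enctype: int


def _counted(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a uint16 length-prefixed octet string at pos; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; a non-zero value overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype))
    return entries


def build_keytab(entries: list[tuple[str, str, int]]) -> bytes:
    """Write a minimal version-2 keytab (constructed test data; keys are dummies)."""
    out = b"\x05\x02"
    for principal, realm, kvno in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)         # name type, timestamp, vno8
        body += struct.pack(">HH", 18, 32) + b"\x00" * 32       # aes256-cts-hmac-sha1-96, dummy key
        body += struct.pack(">I", kvno)                         # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab(data: bytes, spn: str, kdc_kvno: dict[str, int]) -> list[str]:
    """spn is the principal AM is configured with (service/host@REALM);
    kdc_kvno maps principal@REALM to the kvno the KDC currently holds."""
    findings = []
    if "@" in spn and spn.rsplit("@", 1)[1] != spn.rsplit("@", 1)[1].upper():
        findings.append(f"SPN {spn}: realm is not all uppercase")
    entries = parse_keytab(data)
    if spn not in {f"{e.principal}@{e.realm}" for e in entries}:
        findings.append(f"SPN {spn}: no matching entry in keytab")
    for e in entries:
        name = f"{e.principal}@{e.realm}"
        if e.realm != e.realm.upper():
            findings.append(f"{name}: realm is not all uppercase")
        current = kdc_kvno.get(name)
        if current is not None and current != e.kvno:
            findings.append(f"{name}: keytab kvno {e.kvno} but KDC kvno {current}; regenerate the keytab")
    return findings


if __name__ == "__main__":
    sample = build_keytab([("HTTP/am.example.com", "EXAMPLE.COM", 3),
                           ("HTTP/am.example.com", "example.com", 3)])
    for line in check_keytab(sample, "HTTP/am.example.com@EXAMPLE.COM",
                             {"HTTP/am.example.com@EXAMPLE.COM": 4}):
        print(line)
```

Run against a real file, read the keytab with open(path, "rb").read() and pass the SPN from the node or module configuration; a kvno mismatch means a new keytab is required regardless of whether the password "looks" right, and a lowercase realm in either the SPN or an entry has to be fixed before the new keytab is generated.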

See Also

Configuring and troubleshooting Kerberos and WDSSO in AM

How do I enable debug logging for troubleshooting Kerberos and WDSSO issues in AM (All versions)?

Kerberos node

Windows Desktop SSO authentication module

RFC 4120 - Kerberos Network Authentication Service (V5)

Kerberos Requirements

OpenAM Windows Desktop SSO deep dive – part 1

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.