Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)
The purpose of this article is to provide assistance if you receive a "javax.security.auth.login.LoginException: Unable to obtain password from user" error when attempting to log into AM using the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module.
1 reader recommends this article
Symptoms
The following error is shown in the debug logs when Kerberos authentication fails:
amAuthREST:09/06/2021 11:42:32:667 AM BST: Thread[https-jsse-nio-10.48.132.46-443-exec-3,5,main]: TransactionId[40cf32b6-0dd4-4223-9b38-9db9426bf1c6-497] WARNING: Authentication encountered an error: org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Login failure at org.forgerock.openam.core.rest.authn.trees.FailureProcessTreeResult.authFailureException(FailureProcessTreeResult.java:92) at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:424) at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261) at org.forgerock.openam.core.rest.authn.trees.AuthTrees.lambda$evaluateTreeAndProcessResult$1(AuthTrees.java:280) ... Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: javax.security.auth.login.LoginException: Unable to obtain password from user at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.serviceLogin(WindowsDesktopSSONode.java:443) at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.process(WindowsDesktopSSONode.java:174) at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105) at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421) ... 98 more Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
WDSSO module
The following error is shown in the Authentication log when WDSSO authentication fails:
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] WindowsDesktopSSO params: principal: HTTP/host1.forgerock.com@WINDOWS.EXAMPLE.COM keytab file: /etc/openam.HTTP.keytab realm : WINDOWS.EXAMPLE.COM kdc server: windows.example.com domain principal: false Lookup user in realm:false Accepted Kerberos realms: [] auth level: 0 amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] Init WindowsDesktopSSO. This should not happen often. amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] spi authLevel :0 amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] module configuration authLevel :0 amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] levelSet :false amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] New Service Login ... amAuthWindowsDesktopSSO:04/10/2016 16:43:11:136 PM PDT: Thread[http-bio-12023-exec-4,5,main] ERROR: Service Login Error: amAuthWindowsDesktopSSO:04/10/2016 16:43:11:136 PM PDT: Thread[http-bio-12023-exec-4,5,main] Stack trace: javax.security.auth.login.LoginException: Unable to obtain password from user at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584) ...You will also see a similar error in the amAuthWindowsDesktopSSO debug log:
04/10/2016 16:43:11:135 PM PDT: Thread[service-j2ee,5,main] ERROR: Service Login Error: 04/10/2016 16:43:11:135 PM PDT: Thread[service-j2ee,5,main] Stack trace: javax.security.auth.login.LoginException: Unable to obtain password from user at com.sun.security.auth.module. Krb5LoginModule.promptForPass(Krb5LoginModule.java:745) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication (Kr b5LoginModule.java:624) at com.sun.security.auth.module. Krb5LoginModule.login(Krb5LoginModule.java:512) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ...Recent Changes
Configured the Kerberos node.
Configured the WDSSO module.
Updated your keytab file.
Causes
There is an issue with your keytab file and/or the configured service principal. Alternatively, this can be caused by an incorrect version of Java® being used for your AM version.
Solution
You should use the Klist
This is an example output from the Klist utility:
Server: HTTP/host1.example.com @ WINDOWS.EXAMPLE.COM KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 3/17/2016 11:33:06 (local) End Time: 3/17/2016 21:31:54 (local) Renew Time: 3/24/2016 11:31:54 (local) Session Key Type: RSADSI RC4-HMAC(NT) Cache Flags: 0 Kdc Called: SVR1You can then check the following and resolve as applicable:
- Check you have used an appropriate encryption type (KerbTicket Encryption Type in example Klist output) when generating the keytab file and that you have updated the user account properties in Active Directory® to match. The corresponding encryption type should be selected in the user account properties.
- Check the configured service principal in AM matches the one in the keytab file (Server in example Klist output). You can check the configured service principal in the console by navigating to Realms > [Realm Name] > Authentication > Modules > [Module Name] > Service Principal and update if it does not match the value in the keytab file.
If this fails to resolve your issue, you should check you are using an appropriate Java® version for your AM version. Supported Java versions can be found in the release notes applicable to your AM version, for example, the latest supported Java versions can be found here: Release Notes › Java Requirements.
See Also
Related Training
N/A
Related Issue Tracker IDs
N/A