Does not apply to Identity Cloud

Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)

Last updated Jun 2, 2021

The purpose of this article is to provide assistance if you receive a "javax.security.auth.login.LoginException: Unable to obtain password from user" error when attempting to log into AM using the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module.


Symptoms

Kerberos node

The following error is shown in the debug logs when Kerberos authentication fails:

amAuthREST:09/06/2021 11:42:32:667 AM BST: Thread[https-jsse-nio-10.48.132.46-443-exec-3,5,main]: TransactionId[40cf32b6-0dd4-4223-9b38-9db9426bf1c6-497] WARNING: Authentication encountered an error: org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Login failure
    at org.forgerock.openam.core.rest.authn.trees.FailureProcessTreeResult.authFailureException(FailureProcessTreeResult.java:92)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:424)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.lambda$evaluateTreeAndProcessResult$1(AuthTrees.java:280)
    ...
Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: javax.security.auth.login.LoginException: Unable to obtain password from user
    at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.serviceLogin(WindowsDesktopSSONode.java:443)
    at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.process(WindowsDesktopSSONode.java:174)
    at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
    ... 98 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

WDSSO module

The following error is shown in the Authentication log when WDSSO authentication fails:

amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] WindowsDesktopSSO params:
principal: HTTP/host1.forgerock.com@WINDOWS.EXAMPLE.COM
keytab file: /etc/openam.HTTP.keytab
realm : WINDOWS.EXAMPLE.COM
kdc server: windows.example.com
domain principal: false
Lookup user in realm:false
Accepted Kerberos realms: []
auth level: 0
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] Init WindowsDesktopSSO. This should not happen often.
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] spi authLevel :0
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] module configuration authLevel :0
amAuth:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] levelSet :false
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:135 PM PDT: Thread[http-bio-12023-exec-4,5,main] New Service Login ...
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:136 PM PDT: Thread[http-bio-12023-exec-4,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:04/10/2016 16:43:11:136 PM PDT: Thread[http-bio-12023-exec-4,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
    ...

You will also see a similar error in the amAuthWindowsDesktopSSO debug log:

04/10/2016 16:43:11:135 PM PDT: Thread[service-j2ee,5,main] ERROR: Service Login Error:
04/10/2016 16:43:11:135 PM PDT: Thread[service-j2ee,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:745)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:624)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

Recent Changes

Configured the Kerberos node.

Configured the WDSSO module.

Updated your keytab file.

Causes

There is an issue with your keytab file and/or the configured service principal. Alternatively, this can be caused by an incorrect version of Java® being used for your AM version.

Solution

You should use the Klist utility from Microsoft® to display details about your keytab file.

This is an example output from the Klist utility:

Server: HTTP/host1.example.com @ WINDOWS.EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2016 11:33:06 (local)
End Time: 3/17/2016 21:31:54 (local)
Renew Time: 3/24/2016 11:31:54 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: SVR1

You can then check the following and resolve as applicable:

  • Check that the encryption type used when generating the keytab file (KerbTicket Encryption Type in the example Klist output) is appropriate, and that the matching encryption type is selected in the account's properties in Active Directory®.
  • Check that the service principal configured in AM matches the one in the keytab file (Server in the example Klist output). For the WDSSO module, you can view the configured service principal in the console by navigating to Realms > [Realm Name] > Authentication > Modules > [Module Name] > Service Principal; update it if it does not match the value in the keytab file.
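
The two checks above (service principal and encryption type) can also be made directly against the keytab file on the AM host. The following script is an added example, not ForgeRock's code and not part of this article: it parses a version 0x0502 keytab (the format ktpass and ktutil write) and reports whether the principal AM is configured with appears in it, whether the only difference is letter case, and whether each key uses an acceptable encryption type. The sample keytab bytes are constructed inline with dummy key material, the file name keytab_check.py is assumed, the encryption type numbers are the IANA Kerberos values (23 is the RC4-HMAC type shown in the Klist output above), and the default set of acceptable types (AES and RC4) is this example's assumption rather than an AM setting.

```python
import struct
import sys
from pathlib import Path

# Kerberos enctype numbers (IANA registry); 23 is the "RSADSI RC4-HMAC(NT)" type
# shown in the article's Klist output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    # 16-bit length-prefixed octet string, as used for the realm and name components
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab string")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def _parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, p = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(e, p)
        comps.append(c.decode())
    p += 8                                  # name type (4) + timestamp (4), not needed here
    kvno = e[p]                             # 8-bit key version number
    enctype, keylen = struct.unpack_from(">HH", e, p + 1)
    p += 5 + keylen                         # skip the key material itself
    if p + 4 <= len(e):                     # optional 32-bit kvno wins when present
        kvno = struct.unpack_from(">I", e, p)[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
            "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype)}


def parse_keytab(data):
    # Version 0x0502 keytab: 2-byte header, then int32-sized entries;
    # a negative size marks a deleted slot that must be skipped.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def normalize_principal(p):
    # Accept "HTTP/host @ REALM" as Klist prints it, as well as "HTTP/host@REALM"
    name, _, realm = p.partition("@")
    return name.strip() + "@" + realm.strip()


def check_keytab(data, configured_principal, allowed_enctypes=(17, 18, 23)):
    # Returns a list of findings; an empty list means the keytab agrees with AM's configuration.
    entries = parse_keytab(data)
    want = normalize_principal(configured_principal)
    findings = []
    if not any(e["principal"] == want for e in entries):
        near = [e["principal"] for e in entries if e["principal"].lower() == want.lower()]
        if near:   # Kerberos compares names and realms exactly, so case alone breaks the lookup
            findings.append("principal case mismatch: AM has '%s', keytab has '%s'" % (want, near[0]))
        else:
            findings.append("configured service principal '%s' not in keytab; keytab has %s"
                            % (want, sorted({e["principal"] for e in entries})))
    for e in entries:
        if e["enctype"] not in allowed_enctypes:
            findings.append("%s kvno %d uses %s, not one of %s" % (
                e["principal"], e["kvno"], e["enctype_name"],
                [ENCTYPE_NAMES.get(t, t) for t in allowed_enctypes]))
    return findings


def _build_entry(principal, enctype, kvno, key):
    # Writes one 0x0502 entry; used only to construct the sample keytab below.
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1458210786, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, kvno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the article's principal with an rc4-hmac key (dummy bytes),
# followed by a deleted slot of the kind ktutil leaves behind.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _build_entry("HTTP/host1.example.com@WINDOWS.EXAMPLE.COM", 23, 3, b"\x11" * 16)
                 + struct.pack(">i", -8) + b"\x00" * 8)

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    principal = sys.argv[2] if len(sys.argv) > 2 else "HTTP/host1.example.com@WINDOWS.EXAMPLE.COM"
    for e in parse_keytab(data):
        print("%-45s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for f in check_keytab(data, principal):
        print("FINDING:", f)
```

Run it as `python keytab_check.py /etc/openam.HTTP.keytab 'HTTP/host1.example.com@WINDOWS.EXAMPLE.COM'`, using the keytab path and principal from your own WDSSO or Kerberos node configuration; with no arguments it runs against the constructed sample. The script never prints key material, only principals, key version numbers and encryption types, so its output is safe to paste into a support case.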

If this does not resolve your issue, check that you are using a Java® version that is supported for your AM version. Supported Java versions are listed in the release notes for your AM version; for example, the latest supported Java versions can be found here: Release Notes › Java Requirements.

See Also

Configuring and troubleshooting WDSSO in AM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.