Does not apply to Identity Cloud

Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)

Last updated Feb 7, 2022

The purpose of this article is to provide assistance if you receive a "javax.security.auth.login.LoginException: Unable to obtain password from user" error when attempting to log into AM using the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module.



Symptoms

Kerberos node

The following error is shown in the debug logs when Kerberos authentication fails:

amAuthREST:04/27/2021 11:42:32:667 AM GMT: Thread[https-jsse-nio-198.51.100.0-443-exec-3,5,main]: TransactionId[40cf32b6-0dd4-4223-9b38-9db9426bf1c6-497] WARNING: Authentication encountered an error: org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Login failure
    at org.forgerock.openam.core.rest.authn.trees.FailureProcessTreeResult.authFailureException(FailureProcessTreeResult.java:92)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:424)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.lambda$evaluateTreeAndProcessResult$1(AuthTrees.java:280)
    ...
Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: javax.security.auth.login.LoginException: Unable to obtain password from user
    at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.serviceLogin(WindowsDesktopSSONode.java:443)
    at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.process(WindowsDesktopSSONode.java:174)
    at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
    at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
    ... 98 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

WDSSO module

The following error is shown in the Authentication log when WDSSO authentication fails:

amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] WindowsDesktopSSO params:
    principal: HTTP/host1.forgerock.com@WINDOWS.EXAMPLE.COM
    keytab file: /etc/openam.HTTP.keytab
    realm : WINDOWS.EXAMPLE.COM
    kdc server: windows.example.com
    domain principal: false
    Lookup user in realm:false
    Accepted Kerberos realms: []
    auth level: 0
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] Init WindowsDesktopSSO. This should not happen often.
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] spi authLevel :0
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] module configuration authLevel :0
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] levelSet :false
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] New Service Login ...
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:136 PM GMT: Thread[http-bio-12023-exec-4,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:136 PM GMT: Thread[http-bio-12023-exec-4,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
    ...

You will also see a similar error in the amAuthWindowsDesktopSSO debug log:

04/27/2021 16:43:11:135 PM GMT: Thread[service-j2ee,5,main] ERROR: Service Login Error:
04/27/2021 16:43:11:135 PM GMT: Thread[service-j2ee,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:745)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:624)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    ...

Recent Changes

Configured the Kerberos node.

Configured the WDSSO module.

Updated your keytab file.

Causes

The error comes from the Java Kerberos login module (com.sun.security.auth.module.Krb5LoginModule). AM logs in with a keytab, so the module never expects a password; when it finds no usable key in the keytab for the configured service principal (the principal name does not match any entry, or the only entries are in an encryption type the JVM will not use), it falls back to prompting for a password, and because there is nobody to prompt in a server-side login it fails with "Unable to obtain password from user". In practice this means there is an issue with your keytab file and/or the configured service principal. Alternatively, it can be caused by an incorrect version of Java® being used for your AM version.

Solution

Start by confirming what the KDC is actually issuing for AM's service principal. On a Windows client that has just attempted to log in to AM (or on the domain controller), run the Klist utility from Microsoft® to list the tickets in the user's ticket cache: the entry for the AM service shows the service principal name (SPN) the ticket was issued for and the encryption type the KDC used, which is what the keytab on the AM server must be able to decrypt. On the AM server itself, klist -k -t -e /etc/openam.HTTP.keytab (MIT Kerberos client tools) lists the principal, key version number (kvno) and encryption type of every key in the keytab, so the two can be compared.

This is an example output from the Klist utility:

Server: HTTP/host1.example.com @ WINDOWS.EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2021 11:33:06 (local)
End Time: 3/17/2021 21:31:54 (local)
Renew Time: 3/24/2021 11:31:54 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: SVR1

You can then check the following and resolve as applicable:

  • Check that the encryption type you used when generating the keytab file matches the one the KDC issues tickets with (KerbTicket Encryption Type in the example Klist output) and that the Active Directory® service account is enabled for it: the corresponding "This account supports Kerberos AES 128 bit encryption" / "This account supports Kerberos AES 256 bit encryption" option under the account's Account options must be selected for an AES keytab. The encryption type must also be one the JVM permits (permitted_enctypes and default_tgs_enctypes in krb5.conf); a keytab whose only keys are in a type the JVM will not use looks empty to Krb5LoginModule and produces this error. RC4-HMAC, as shown in the example output, is a legacy type; prefer AES256-SHA1 when generating a new keytab. Note that regenerating the keytab with ktpass sets a new password on the account and increments its key version number, so any older copy of the keytab stops working: copy the new file to every AM server.
  • Check the configured service principal in AM matches the one in the keytab file exactly, including the HTTP/ service class, the fully qualified host name and the upper-case realm (Server in the example Klist output). For the WDSSO module, check the value in the console by navigating to Realms > [Realm Name] > Authentication > Modules > [Module Name] > Service Principal; for the Kerberos node, open the node in the tree designer (Realms > [Realm Name] > Authentication > Trees > [Tree Name]) and check its Service Principal and Key Tab File Path properties. Update whichever side is wrong so that AM's service principal and the keytab entry agree.
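The two checks above can be automated against the keytab itself. The script below is an added example written for this article, not ForgeRock code and not something AM ships: it parses the MIT keytab file format (version 0x0502, which is what ktpass and ktutil write) without any Kerberos library, lists each principal with its kvno and encryption type, and reports whether the keytab holds a usable key for the service principal AM is configured with. The sample keytab it builds in memory is constructed for the example (dummy all-zero keys, the host name from the article); the allowed_enctypes default of AES128, AES256 and RC4 is an assumption that you should replace with whatever your krb5.conf permits.

```python
"""Parse a Kerberos keytab (MIT format 0x0502) and check it against AM's Service Principal.

Added example for this article, not ForgeRock code. The sample keytab is constructed
in memory with dummy zero keys; run with a path such as /etc/openam.HTTP.keytab and an
SPN to inspect a real file:  python keytab_check.py /etc/openam.HTTP.keytab HTTP/host@REALM
"""
import struct
import sys
import time

# Encryption type numbers from RFC 3961/3962/8009 and MS-KILE.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
LEGACY_ENCTYPES = {1, 3, 23, 24}   # single DES and RC4: flag them, do not rely on them


def _counted(buf, pos):
    """Read a 16-bit length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, name_type, timestamp, kvno, enctype, key."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a keytab file")
    if data[1] != 0x02:
        raise ValueError("only keytab format version 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if pos + 4 <= end:                 # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
                        "key": key})
    return entries


def check_keytab(entries, service_principal, allowed_enctypes=(17, 18, 23)):
    """Findings for the keytab versus AM's configured Service Principal.

    allowed_enctypes (assumed default: AES128, AES256, RC4) should be the types both the
    AD account supports and Java permits. "ERROR" findings reproduce the conditions behind
    "Unable to obtain password from user"; "WARN" findings are advisory.
    """
    findings = []
    mine = [e for e in entries if e["principal"] == service_principal]
    if not mine:
        findings.append("ERROR: no key for %s; keytab holds %s"
                        % (service_principal, sorted({e["principal"] for e in entries})))
        return findings
    if not any(e["enctype"] in allowed_enctypes for e in mine):
        findings.append("ERROR: no key for %s in an allowed encryption type; present: %s"
                        % (service_principal, sorted(e["enctype_name"] for e in mine)))
    for e in mine:
        if e["enctype"] in LEGACY_ENCTYPES:
            findings.append("WARN: %s key (kvno %d) is a legacy type; generate an AES key and "
                            "enable the matching AES option on the AD account"
                            % (e["enctype_name"], e["kvno"]))
    kvnos = sorted({e["kvno"] for e in mine})
    if len(kvnos) > 1:
        findings.append("WARN: mixed kvno values %s for %s; keys left over from an earlier "
                        "ktpass run will not match the KDC" % (kvnos, service_principal))
    return findings


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples; used here only to construct the sample."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, int(time.time()), kvno & 0xFF)  # 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: RC4 and AES256 keys for the AM service principal plus an unrelated
# host principal. Keys are dummy zero bytes.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/host1.example.com@WINDOWS.EXAMPLE.COM", 3, 23, bytes(16)),
    ("HTTP/host1.example.com@WINDOWS.EXAMPLE.COM", 3, 18, bytes(32)),
    ("host/host1.example.com@WINDOWS.EXAMPLE.COM", 1, 18, bytes(32)),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    spn = sys.argv[2] if len(sys.argv) > 2 else "HTTP/host1.example.com@WINDOWS.EXAMPLE.COM"
    found = parse_keytab(data)
    for e in found:
        print("%-48s kvno=%-3d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for f in check_keytab(found, spn):
        print(f)
```

Run against the sample, the listing shows both HTTP/host1.example.com keys and the script emits only the advisory RC4 warning, because the AES256 key satisfies the check; run with the SPN from the article's log (HTTP/host1.forgerock.com@WINDOWS.EXAMPLE.COM) it reports that no key exists for that principal, which is exactly the mismatch that makes Krb5LoginModule fall back to a password prompt. A keytab whose only keys are in types outside allowed_enctypes is reported the same way, which is the encryption-type variant of the problem.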

If this fails to resolve your issue, you should check you are using an appropriate Java® version for your AM version. Supported Java versions can be found in the release notes applicable to your AM version, for example, the latest supported Java versions can be found here: Java Requirements.

See Also

Configuring and troubleshooting WDSSO in AM

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.