Unable to obtain password from user error when Kerberos authentication fails in AM (All versions)
The purpose of this article is to provide assistance if you receive a "javax.security.auth.login.LoginException: Unable to obtain password from user" error when attempting to log into AM using the Kerberos authentication node or the Windows Desktop SSO (WDSSO) authentication module.
Symptoms
Kerberos node
The following error is shown in the debug logs when Kerberos authentication fails:
amAuthREST:04/27/2021 11:42:32:667 AM GMT: Thread[https-jsse-nio-198.51.100.0-443-exec-3,5,main]: TransactionId[40cf32b6-0dd4-4223-9b38-9db9426bf1c6-497] WARNING: Authentication encountered an error: org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Login failure
at org.forgerock.openam.core.rest.authn.trees.FailureProcessTreeResult.authFailureException(FailureProcessTreeResult.java:92)
at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:424)
at org.forgerock.openam.core.rest.authn.trees.AuthTrees.evaluateTreeAndProcessResult(AuthTrees.java:261)
at org.forgerock.openam.core.rest.authn.trees.AuthTrees.lambda$evaluateTreeAndProcessResult$1(AuthTrees.java:280)
...
Caused by: org.forgerock.openam.auth.node.api.NodeProcessException: javax.security.auth.login.LoginException: Unable to obtain password from user
at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.serviceLogin(WindowsDesktopSSONode.java:443)
at org.forgerock.openam.auth.nodes.WindowsDesktopSSONode.process(WindowsDesktopSSONode.java:174)
at org.forgerock.openam.auth.trees.engine.AuthTreeExecutor.process(AuthTreeExecutor.java:105)
at org.forgerock.openam.core.rest.authn.trees.AuthTrees.processTree(AuthTrees.java:421)
... 98 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
WDSSO module
The following error is shown in the Authentication log when WDSSO authentication fails:
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] WindowsDesktopSSO params:
principal: HTTPS/am.forgerock.com@WINDOWS.EXAMPLE.COM
keytab file: /etc/am.HTTP.keytab
realm : WINDOWS.EXAMPLE.COM
kdc server: windows.example.com
domain principal: false
Lookup user in realm:false
Accepted Kerberos realms: []
auth level: 0
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] Init WindowsDesktopSSO. This should not happen often.
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] spi authLevel :0
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] module configuration authLevel :0
amAuth:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] levelSet :false
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:135 PM GMT: Thread[http-bio-12023-exec-4,5,main] New Service Login ...
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:136 PM GMT: Thread[http-bio-12023-exec-4,5,main] ERROR: Service Login Error:
amAuthWindowsDesktopSSO:04/27/2021 16:43:11:136 PM GMT: Thread[http-bio-12023-exec-4,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:719)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:584)
...
You will also see a similar error in the amAuthWindowsDesktopSSO debug log:
04/27/2021 16:43:11:135 PM GMT: Thread[service-j2ee,5,main] ERROR: Service Login Error:
04/27/2021 16:43:11:135 PM GMT: Thread[service-j2ee,5,main] Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:745)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:624)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
Recent Changes
- Configured the Kerberos node.
- Configured the WDSSO module.
- Updated your keytab file.
Causes
There is an issue with your keytab file and/or the configured service principal. Alternatively, this can be caused by an incorrect version of Java® being used for your AM version.
Solution
You should use the Klist utility from Microsoft® to display details about your keytab file.
This is an example output from the Klist utility:
Server: HTTP/am.example.com @ WINDOWS.EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2021 11:33:06 (local)
End Time: 3/17/2021 21:31:54 (local)
Renew Time: 3/24/2021 11:31:54 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: SVR1
You can then check the following and resolve as applicable:
- Check you have used an appropriate encryption type (KerbTicket Encryption Type in example Klist output) when generating the keytab file and that you have updated the user account properties in Active Directory® to match. The corresponding encryption type should be selected in the user account properties.
- Check the configured service principal in AM matches the one in the keytab file (Server in example Klist output). You can check the configured service principal in the AM admin UI by navigating to Realms > [Realm Name] > Authentication > Modules > [Module Name] > Service Principal and update if it does not match the value in the keytab file.
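The two checks above can also be made directly against the keytab file AM reads, without relying on the Klist output. The following is an added example, not part of this article or of AM: it parses the MIT keytab format (version 0x0502) and reports, for the service principal configured in AM, which encryption types the keytab actually holds, so a principal mismatch or an unexpected enctype is visible before the WDSSO module is retried. The keytab bytes below are constructed in the script with a dummy key; point parse_keytab at the real file contents (for example /etc/am.HTTP.keytab) to check a live deployment.

```python
import struct
from io import BytesIO

# Kerberos enctype numbers (IANA registry); the RC4-HMAC(NT) shown by Klist is 23.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf):                      # uint16 length prefix followed by that many bytes
    (n,) = struct.unpack(">H", buf.read(2))
    return buf.read(n)

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab into [(principal, enctype name, kvno)]."""
    buf = BytesIO(data)
    if buf.read(2) != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries = []
    while len(hdr := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        if size <= 0:                   # a negative size marks a deleted slot: skip it
            buf.read(-size)
            continue
        body = BytesIO(buf.read(size))  # any trailing optional 32-bit kvno is ignored
        (ncomp,) = struct.unpack(">H", body.read(2))
        realm = _counted(body).decode()
        comps = [_counted(body).decode() for _ in range(ncomp)]
        body.read(8)                    # name type + timestamp, not needed for this check
        kvno, enctype = struct.unpack(">BH", body.read(3))
        _counted(body)                  # key material: read past, never printed
        entries.append(("/".join(comps) + "@" + realm, ENCTYPES.get(enctype, str(enctype)), kvno))
    return entries

def enctypes_for(entries, configured_principal):
    """Enctypes stored for the principal AM is configured with; [] means the names do not match."""
    return [enc for princ, enc, _ in entries if princ == configured_principal]

# Constructed sample keytab (dummy all-zero key): HTTP/am.example.com@WINDOWS.EXAMPLE.COM, rc4-hmac, kvno 3
def _entry(realm, comps, enctype, kvno, key):
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + _entry(b"WINDOWS.EXAMPLE.COM", [b"HTTP", b"am.example.com"], 23, 3, b"\x00" * 16)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    print(entries)
    # The principal from the WDSSO log above is not in this keytab, so the check returns []
    print(enctypes_for(entries, "HTTPS/am.forgerock.com@WINDOWS.EXAMPLE.COM"))
```

An empty result for the configured principal is exactly the mismatch case described above; a non-empty result whose enctype differs from the one enabled on the Active Directory account points at the first check instead.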
If this fails to resolve your issue, you should check you are using an appropriate Java® version for your AM version. Supported Java versions can be found in the release notes applicable to your AM version, for example, the latest supported Java versions can be found here: Java requirements.
See Also
Configuring and troubleshooting Kerberos and WDSSO in AM
Related Training
N/A
Related Issue Tracker IDs
N/A