Kerberos Authentication Module Error

    #28719
     rohipati
    Participant

    Hello

    I have configured the Kerberos Authentication Module with AWS Aurora Kerberos details.
    Below are the errors from the logs.
    I have followed this doc – https://backstage.forgerock.com/knowledge/kb/article/a62965844 but couldn't resolve it after following the solutions.

    >>> KeyTabInputStream, readName(): XYZ.COM
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): danvledwse01.xyz.com
    >>> KeyTab: load() entry length: 88; type: 18
    Looking for keys for: HTTP/[email protected]
    Java config name: null
    Native config name: /etc/krb5.conf
    Loaded from native config
    Added key: 18version: 0
    >>> KdcAccessibility: reset
    Looking for keys for: HTTP/[email protected]
    Added key: 18version: 0
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=xyz.com UDP:88, timeout=30000, number of retries =3, #bytes=172
    >>> KDCCommunication: kdc=xyz.com UDP:88, timeout=30000,Attempt =1, #bytes=172
    >>> KrbKdcReq send: #bytes read=190
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = XYZ.COMHTTPdanvledwse01.xyz.com, s2kparams = null

    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16

    >>>Pre-Authentication Data:
    PA-DATA type = 15

    >>> KdcAccessibility: remove xyz.com
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
    sTime is Thu Oct 14 17:56:04 UTC 2021 1634234164000
    suSec is 659797
    error code is 25
    error Message is Additional pre-authentication required
    sname is krbtgt/[email protected]
    eData provided.
    msgType is 30
    >>>Pre-Authentication Data:
    PA-DATA type = 19
    PA-ETYPE-INFO2 etype = 18, salt = XYZ.COMHTTPdanvledwse01.xyz.com, s2kparams = null

    >>>Pre-Authentication Data:
    PA-DATA type = 2
    PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
    PA-DATA type = 16

    >>>Pre-Authentication Data:
    PA-DATA type = 15

    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23.
    Looking for keys for: HTTP/[email protected]
    Added key: 18version: 0
    Looking for keys for: HTTP/[email protected]
    Added key: 18version: 0
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23.
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=xyz.com UDP:88, timeout=30000, number of retries =3, #bytes=260
    >>> KDCCommunication: kdc=xyz.com UDP:88, timeout=30000,Attempt =1, #bytes=260
    >>> KrbKdcReq send: #bytes read=90
    >>> KrbKdcReq send: kdc=xyz.com TCP:88, timeout=30000, number of retries =3, #bytes=260
    >>> KDCCommunication: kdc=xyz.com TCP:88, timeout=30000,Attempt =1, #bytes=260
    >>>DEBUG: TCPClient reading 1615 bytes
    >>> KrbKdcReq send: #bytes read=1615
    >>> KdcAccessibility: remove xyz.com
    Looking for keys for: HTTP/[email protected]
    Added key: 18version: 0
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/danvledwse01.xyz.com

    #28721
     Jatinder Singh
    Participant

    Could you please share AM’s debug logs on this transaction?

    #28722
     Jatinder Singh
    Participant

    And I would also suggest checking the connection as discussed at the bottom of this article:

    https://backstage.forgerock.com/knowledge/kb/article/a14556843
