
Kerberos Authentication: "Integrity check on decrypted field failed"

Former Member

Hi,

I have configured a portal (NW 7.0 SP13) for Kerberos Authentication. I have another portal with exactly the same configuration (same MS-ADS etc, just a different user) which is working fine. But this one is giving me the error "Integrity check on decrypted field failed" (and Kerberos Auth fails).

Any ideas?? I get the same error whether I use the keytab from the SPNEGO wizard, or the keytab from "ktpass -princ host/%HOST%@%DOMAIN% -pass %PASSWORD% -out keytab -mapUser %USER% +DesOnly /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL"

The only difference I can see between the ldifde outputs of the two users (the one that works and the one that doesn't) is the one that doesn't has an extra SPN "HTTP/" - would that cause this error??

Has anyone else had this error & what causes it?

Many thanks in advance.

Regards

Jane

Full error text:

JGSS_DBG_CTX Creating context, initiator = no, input cred = not null

JGSS_DBG_CRED getCred: only one cred, returning it

JGSS_DBG_CRED getName found name: host/portal.domain.net@DOMAIN.NET, mech=1.2.840.113554.1.2.2

JGSS_DBG_CRED Krb5 name type = 0

JGSS_DBG_CTX Creating context, cred usage = 2

GSS Context created

JGSS_DBG_UNMARSH Real token len 1641

JGSS_DBG_UNMARSH Token oid 1.2.840.113554.1.2.2

JGSS_DBG_UNMARSH inner token len 1630

JGSS_DBG_PROV getFactory: index = 0 found factory

JGSS_DBG_PROV getMechs: Mechanism(s) supported by provider IBMJGSSProvider

JGSS_DBG_PROV 1.2.840.113554.1.2.2

JGSS_DBG_PROV getMechs: 1 unique mechanism(s) found

JGSS_DBG_PROV [0]: 1.2.840.113554.1.2.2

JGSS_DBG_CTX Default list of negotiable mechs:

1.2.840.113554.1.2.2

JGSS_DBG_CTX ticket enc type = des-cbc-md5

com.ibm.security.krb5.internal.KrbException, status code: 31

message: Integrity check on decrypted field failed

at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:31)

at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:15)

at com.ibm.security.krb5.internal.crypto.n.decrypt(n.java:32)

at com.ibm.security.krb5.EncryptedData.decrypt(EncryptedData.java:106)

at com.ibm.security.jgss.mech.krb5.k.a(k.java:248)

at com.ibm.security.jgss.mech.krb5.k.b(k.java:188)

at com.ibm.security.jgss.mech.krb5.k.acceptSecContext(k.java:533)

at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:155)

at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:153)

at com.sap.security.core.server.jaas.SPNegoLoginModule.doHandshake(SPNegoLoginModule.java:738)

at com.sap.security.core.server.jaas.SPNegoLoginModule.login(SPNegoLoginModule.java:362)

at com.sap.engine.services.security.login.LoginModuleLoggingWrapperImpl.login(LoginModuleLoggingWrapperImpl.java:185)

at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:70)

at java.security.AccessController.doPrivileged(AccessController.java:242)

at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)

at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:85)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:58)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:60)

at java.lang.reflect.Method.invoke(Method.java:391)

at javax.security.auth.login.LoginContext.invoke(LoginContext.java:699)

at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)

at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)

at java.security.AccessController.doPrivileged(AccessController.java:242)

at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)

at javax.security.auth.login.LoginContext.login(LoginContext.java:557)

at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.getLoggedInUser(SAPJ2EEAuthenticator.java:146)

at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.getLoggedInUser(AuthenticationService.java:303)

at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:96)

at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)

at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:524)

at java.security.AccessController.doPrivileged(AccessController.java:242)

at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:407)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:321)

at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:377)

at com.sap.portal.navigation.Gateway.service(Gateway.java:126)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)

at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:387)

at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:365)

at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:944)

at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:266)

at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)

at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)

at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)

at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)

at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)

at java.security.AccessController.doPrivileged(AccessController.java:215)

at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)

com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)

JGSS_DBG_CTX Error authenticating request. Reporting to client

Major code = 11, Minor code = 31

org.ietf.jgss.GSSException, major code: 11, minor code: 31

major string: General failure, unspecified at GSSAPI level

minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.KrbException, status code: 31

message: Integrity check on decrypted field failed

Accepted Solutions (0)

Answers (1)


desiree_matas
Contributor

Hello Jane

This is typically an encryption-related error.

Have you set "Use DES encryption" for your service user?

Greetings,

Désiré

Former Member

Hi Désirée,

Yes the service user has "Use DES encryption" set.

In the end, it was resolved by changing the password and running the SPNEGO wizard again to generate a new keytab with the new password.

Regards

Jane