
I am trying to run an OpenWebStart application which displays a login dialog and performs a login via Kerberos. I get a "Checksum failed" exception (see below). I'm running the KDC in a VM (CentOS 7), and in the Kerberos log I see that the TGT was successfully created:

Kerberos.kalna.ch krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} 192.168.56.1: ISSUE authtime 1583736176 , etypes {rep=18 tkt=18 ses=18}, kada@KALNA.CH for krbtgt/KALNA.CH@KALNA.CH

Kerberos configuration is following (kdc.conf):

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KALNA.CH = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

and on the client is following configuration (krb5.conf):

[libdefaults]
forwardable = true
default_realm = KALNA.CH
udp_preference_limit = 1
kdc_timeout = 2000
allow_weak_crypto = true

[realms]
KALNA.CH = {
    kdc = Kerberos.kalna.ch
    default_domain = kalna.ch
}

[domain_realm]
 .kalna.ch = KALNA.CH
 kalna.ch = KALNA.CH

By debugging I can see that the TGT is received fine, but then the checksum is computed and fails. I have tried using the Unlimited Strength Policy, but that did not help. Any idea why the checksum is failing?

Any help is much appreciated. Below is the OpenWebStart log:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false Refreshing Kerberos configuration 
        [Krb5LoginModule] user entered username: kada@KALNA.CH
Mon Mar 09 07:42:56 CET 2020 [DEBUG  ] com.openwebstart.proxy.direct.DirectProxyProvider: Using NO_PROXY
        [Krb5LoginModule] authentication failed Checksum failed
javax.security.auth.login.LoginException: Checksum failed
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:400)
    at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:69)
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:650)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150)
    at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139)
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770)
    ... 23 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 30 more
  • I have just used the simplest possible code to log in using Kerberos from the JAAS documentation here https://docs.oracle.com/javase/10/security/source-code-jaas-and-java-gss-api-tutorials.htm#JSSEC-GUID-09D4192C-D855-49D6-BC62-E08F49ADB4F8 by executing: java -cp Login.jar;Sample.jar -Djava.security.manager -Djava.security.krb5.realm=KALNA.CH -Djava.security.krb5.kdc=kerberos.kalna.ch -Djava.security.policy=sample.policy -Djava.security.auth.login.config=sample.conf Login Sample. I get the same exception: javax.security.auth.login.LoginException: Checksum failed – dkalna Mar 09 '20 at 11:19
  • You said you were running a KDC in a VM. What virtualization software and version is hosting the VM? I have seen something similar in the recent past. – T-Heron Mar 09 '20 at 17:47
  • The underlying issue is that the KDC used a salt when it issued a ticket and the server doesn't have that salt to derive the right key. The stack trace on its own doesn't exactly explain why, but following it through it's expecting the KDC to provide it in the AS-REP: https://github.com/openjdk-mirror/jdk7u-jdk/blob/master/src/share/classes/sun/security/krb5/KrbAsRep.java#L138. I recommend taking a look at a network trace between the server and KDC to see if it is including salt info in the AS-REP. – Steve Mar 09 '20 at 18:34
  • Hi there, I'm using Oracle VM VirtualBox, v6.1.4. Is it then possible to force the KDC not to use a salt? Or what would be the right way to go? – dkalna Mar 10 '20 at 07:33
  • Nobody can help? I am really having a hard time solving this. – dkalna Mar 14 '20 at 12:33

1 Answer


I have debugged KrbAsRep.java and you were right, the KDC sends the following pAData. From those the salt is then computed. But I do not see the reason why that would fail.

0 = {PAData@4691} ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n"
1 = {PAData@4692} ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n"
2 = {PAData@4693} ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n"
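Added example (not part of the question, the answer, or the OpenWebStart/JDK code): what the client actually does with the salt shown in the PA-ETYPE-INFO2 above. For aes256-cts-hmac-sha1-96 (etype 18, the type the KDC log reports as rep=18 and the stack trace decrypts with) the reply key is derived from the password by the RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over password and salt (4096 iterations when s2kparams is absent, as it is here), followed by DK(tkey, "kerberos") using the RFC 3961 n-fold and AES. The default salt, per RFC 4120, is the realm followed by the principal name components with no separators, which is exactly the "KALNA.CHkada" the KDC advertised for kada@KALNA.CH. Any byte of difference between the salt the KDC used to create the principal's key and the salt the client feeds into this derivation yields an unrelated key, and the first thing that then breaks is the HMAC check, reported by the JDK as "Checksum failed". The code below is stand-alone Go using only the standard library; it checks itself against the RFC 3961/3962 test vectors and then derives keys for a constructed password (not the poster's) under the page's salt and under a salt differing only in case. One caveat worth checking in the network trace Steve suggested: the PA-ETYPE-INFO2 entry on this page carries etype 23 (arcfour-hmac, whose string-to-key ignores the salt entirely), while the reply itself is encrypted with etype 18; the salt must be the one that belongs to the reply's etype.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/big"
)

// pbkdf2SHA1 is PBKDF2 (RFC 2898) with HMAC-SHA1, the PRF that RFC 3962 mandates.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for i := uint32(1); len(out) < keyLen; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.Write(prf, binary.BigEndian, i)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// rotateRight rotates the big-endian bit string b to the right by bits.
func rotateRight(b []byte, bits int) []byte {
	l, out := len(b), make([]byte, len(b))
	for i := range out {
		src, prev := ((i-bits/8)%l+l)%l, ((i-bits/8-1)%l+l)%l
		out[i] = b[src]>>(bits%8) | b[prev]<<(8-bits%8) // a shift by 8 yields 0 in Go
	}
	return out
}

// nfold is RFC 3961 section 5.1: repeat the input, rotating each copy 13 bits further right, up
// to lcm(len, n) bytes, then add the n-byte pieces with 1's complement (end-around carry) addition.
func nfold(in []byte, n int) []byte {
	a, b := len(in), n
	for b != 0 {
		a, b = b, a%b
	}
	var buf []byte
	for i := 0; len(buf) < len(in)*n/a; i++ {
		buf = append(buf, rotateRight(in, 13*i)...)
	}
	sum, mask := new(big.Int), new(big.Int).Lsh(big.NewInt(1), uint(8*n))
	mask.Sub(mask, big.NewInt(1)) // 2^(8n)-1
	for off := 0; off < len(buf); off += n {
		sum.Add(sum, new(big.Int).SetBytes(buf[off:off+n]))
		for sum.Cmp(mask) > 0 { // carry out of the top bit wraps around into the bottom bit
			hi := new(big.Int).Rsh(sum, uint(8*n))
			sum.And(sum, mask).Add(sum, hi)
		}
	}
	return sum.FillBytes(make([]byte, n))
}

// aesStringToKey is the RFC 3962 string-to-key, key = DK(PBKDF2(password, salt), "kerberos"),
// with keyLen 16 (aes128-cts-hmac-sha1-96) or 32 (aes256-cts-hmac-sha1-96).
func aesStringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	c, err := aes.NewCipher(pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen))
	if err != nil {
		return nil, err
	}
	// DR: K1 = E(nfold("kerberos")), K2 = E(K1), ...; each input is a single AES block, so
	// CBC-CTS with a zero IV is one block encryption. random-to-key is the identity for AES.
	key, prev := []byte(nil), nfold([]byte("kerberos"), aes.BlockSize)
	for len(key) < keyLen {
		next := make([]byte, aes.BlockSize)
		c.Encrypt(next, prev)
		key, prev = append(key, next...), next
	}
	return key[:keyLen], nil
}

func main() {
	// Constructed password (not the poster's) with the default salt for kada@KALNA.CH (realm +
	// name components, as in the page's PA-ETYPE-INFO2) and one differing only in case: the keys
	// are unrelated, so an AS-REP encrypted under one fails its HMAC check under the other.
	for _, salt := range []string{"KALNA.CHkada", "kalna.chkada"} {
		k, _ := aesStringToKey("password", salt, 4096, 32)
		fmt.Printf("salt %q -> aes256 key %s\n", salt, hex.EncodeToString(k))
	}
}
```

To compare against the real principal key, `kadmin.local` with `getprinc -terse` style output or a keytab extracted for the principal gives the KDC-side key; if the KDC's key for etype 18 was created under a different salt (or a different password) than the one the client derives with, the two keys differ and every AS-REP decryption attempt ends in exactly the "Checksum failed" path shown in the stack trace.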