Below are listed some problems that may occur when attempting a login, and suggestions for solving them.
- java.lang.SecurityException at javax.security.auth.login.Configuration.getConfiguration
Cause: There was a problem processing the JAAS login configuration file, possibly due to a syntax error in the file.
Solution: Check the configuration file carefully for errors. See JAAS Login Configuration File for information about the syntax required in the login configuration file.
- javax.security.auth.login.LoginException: KrbException:: Pre-authentication information was invalid (24) - Preauthentication failed
Cause 1: The password entered is incorrect.
Solution 1: Verify the password.
Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.
Cause 3: Clock skew - If the times on the KDC and on the client differ significantly (typically 5 minutes), this error can be returned.
Solution 3: Synchronize the clocks (or have a system administrator do so).
- GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)) . . . Caused by: javax.security.auth.login.LoginException: Clock skew too great
Cause: Kerberos requires the time on the KDC and on the client to be loosely synchronized. (The default is within 5 minutes.) If that's not the case, you will get this error.
Solution: Synchronize the clocks (or have a system administrator do so).
- javax.security.auth.login.LoginException: KrbException: Null realm name (601) - default realm not specified
Cause: The default realm is not specified in the Kerberos configuration file krb5.conf (if used), provided as a part of the user name, or specified via the java.security.krb5.realm system property.
Solution: Verify that your Kerberos configuration file (if used) contains an entry specifying the default realm, or directly specify it by setting the value of the java.security.krb5.realm system property and/or including it in your user name when authenticating using Kerberos.
- javax.security.auth.login.LoginException: java.net.SocketTimeoutException: Receive timed out
Solution: Verify that the Kerberos KDC is up and running.
- GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
Cause: This may occur if no valid Kerberos credentials are obtained. In particular, this occurs if you want the underlying mechanism to obtain credentials but you forgot to indicate this by setting the useSubjectCredsOnly system property value to false (for example via -DuseSubjectCredsOnly=false in your execution command).
Solution: Be sure to set the useSubjectCredsOnly system property value to false if you want the underlying mechanism to obtain credentials, rather than your application or a wrapper program (such as the Login utility used by some of the tutorials) performing authentication using JAAS.
- javax.security.auth.login.LoginException: Could not load configuration file <krb5.conf> (No such file or directory)
Cause: The tutorials' sample execution commands specify the default Kerberos realm and KDC by setting values for the java.security.krb5.realm and java.security.krb5.kdc system properties. If you like, you can instead have a krb5.conf Kerberos configuration file used. Such a file includes information about what the default realm and KDC are. To use a krb5.conf file, you either set the system property java.security.krb5.conf (instead of the realm and kdc properties) to specify the location of the file or you don't set any of these properties and therefore an attempt is made to locate the krb5.conf file in a default location. You will get the error "Could not load configuration file <krb5.conf> (No such file or directory)" if the file could not be found.
Solution: Verify that the Kerberos configuration file krb5.conf is available and readable. Check Kerberos Requirements for information about how to specify the location of the krb5.conf file and where such a file is searched for by default if you don't explicitly indicate the location.
- javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14) - KDC has no support for encryption type
Cause: Your KDC does not support the encryption type requested. (Typically, the encryption type is specified in the krb5.conf Kerberos configuration file.)
Solution: Please choose an encryption type that is supported by the KDC you are using. The encryption types supported by the Kerberos implementation from Sun Microsystems are DES_CBC_MD5, DES_CBC_CRC, and DES_CBC_MD4.
- KDC reply did not match expectations
Cause: The KDC sent a response that cannot be understood by the client.
Solution: Verify that you have set correctly all the krb5.conf file configuration parameters and consult your KDC vendor's guide.
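The realm and krb5.conf checks from the "Null realm name (601)" and "Could not load configuration file" entries above, as an added Java example (not part of the original page or of the JDK). The class name KrbPreflight, its method names and the EXAMPLE.COM sample are assumptions; the both-or-neither rule for the realm and kdc properties comes from the JDK's Kerberos Requirements documentation rather than from this page.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (hypothetical helper): checks to run before a JAAS Kerberos login.
public class KrbPreflight {
    // Returns default_realm from [libdefaults], or null if it is absent.
    static String defaultRealm(List<String> lines) {
        String section = "";
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[")) { section = line; continue; }
            int eq = line.indexOf('=');
            if (eq > 0 && section.equals("[libdefaults]")
                    && line.substring(0, eq).trim().equals("default_realm"))
                return line.substring(eq + 1).trim();
        }
        return null;
    }

    // Findings for the Kerberos system properties of the current JVM.
    static List<String> check() throws IOException {
        List<String> out = new ArrayList<>();
        String realm = System.getProperty("java.security.krb5.realm");
        String kdc = System.getProperty("java.security.krb5.kdc");
        String conf = System.getProperty("java.security.krb5.conf");
        // Rule from the JDK Kerberos Requirements document, not stated on this page.
        if ((realm == null) != (kdc == null))
            out.add("set both java.security.krb5.realm and java.security.krb5.kdc, or neither");
        if (conf != null && !Files.isReadable(Paths.get(conf)))
            out.add("krb5.conf missing or unreadable: " + conf);
        else if (conf != null && realm == null
                && defaultRealm(Files.readAllLines(Paths.get(conf))) == null)
            out.add("no default_realm in " + conf + ": 'Null realm name (601)' unless the user name carries the realm");
        else if (conf == null && realm == null)
            out.add("no realm/kdc/conf properties: krb5.conf is looked up in the default location");
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a realm is defined, but [libdefaults] has no default_realm.
        List<String> sample = Arrays.asList("[libdefaults]", "  forwardable = true",
                "[realms]", "  EXAMPLE.COM = { kdc = kdc.example.com }");
        System.out.println("sample default_realm: " + defaultRealm(sample));
        for (String f : check()) System.out.println("[!] " + f);
    }
}
```

Run it with the same -D options as the failing application so that it sees the same system properties.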
Note: A debugging mode can be enabled by setting the system property sun.security.krb5.debug to "true". This will allow you to follow the program's execution of the Kerberos V5 protocol. If you are sending feedback regarding a problem you are facing, we would appreciate your including the complete debugging output.