Kerberos pre-authentication issues - why now?
Hi all,
We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC. When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error. I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet. However, we have another W2K3 DC that has never had this issue. So why now? Why this new DC? What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?
Any help or information that I can get would be helpful.
Thanks,
- Steve
Hi JK,
Thanks for the reply.
Right, I understand that, and TAC directed me to the same document. But we have an existing domain controller that we are currently using to authenticate against; pre-authentication is enabled, and it works fine. It's only the NEW domain controller that has this problem. So I'm trying to figure out what the difference is!
I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.
Thanks,
- Steve
Similar Messages
-
Kerberos pre-authentication failed
Hi,
I have a customer has the below issue:
After he changed their administrator account password on domain, event ID 4771 is continuously thrown in the security log in DCs. Below is a snapshot:
Also the below email alert from ADManager:
Alert Message: Login failure for User 'Administrator' in 'server.domain.local'. Reason: 'Bad password'.
Severity: Attention
Event Details:
  Domain: krbtgt/domain.LOCAL
  Event Code: 16
  SID: %{S-1-5-21-428199501-1217283236-4064894256-500}
  Client Host Name: Server.domain.local
  Event Type: Failure
  Remarks: Kerberos pre-authentication failed.
  Logon Service: krbtgt/domain.LOCAL
  Domain Controller: DC.domain.local
  User Name: Administrator
  Client IP Address: IP
  Failure Code: 0x18
  Logon Time: Apr 09, 2015 11:42 AM
  Failure Reason: Bad password
  Record number: 2197037173
  Event Number: 4771
They already changed the password for the service accounts that were running under that admin account to the new password. There are no issues in the domain other than this; users can log in and services are fine. However, the account lockout policy is disabled, and if it is enabled I think they will have a huge issue due to this Kerberos authentication failure.
Please help!
Hi,
Did you confirm the time sync issue?
The error code 0x25 means the workstation's clock is too far out of sync with the DC's, so I suggest you first check the time sync between the computer failing pre-auth and the DC.
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
Similar threads has been discussed:
https://social.technet.microsoft.com/forums/windowsserver/en-US/245aa714-8f2f-4ea7-b2a1-dd447c02fa93/accounts-lockedout
Regards.
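The 4771 record in the post carries failure code 0x18, while the reply talks about 0x25; the two mean different things (0x18 is KDC_ERR_PREAUTH_FAILED, a wrong password for the key the KDC holds; 0x25 is KRB_AP_ERR_SKEW, clock skew), and triage starts by grouping the events per account and source host. The Python below is an added example, not from the thread: it decodes the Status field with the Kerberos error numbers from RFC 4120 and groups constructed sample records so that one host replaying an old Administrator password every minute (the usual post-password-change pattern) stands out from a host with a skewed clock. Field names follow the 4771 event XML; the records, addresses and threshold are made up.

```python
"""Triage of Windows Security event 4771 (Kerberos pre-authentication failed).

Added example, not from the thread. Field names follow the 4771 event XML
(TargetUserName, ServiceName, IpAddress, Status); the records below are
constructed sample data, not a real log.
"""
from collections import Counter, defaultdict

# Status values 4771 reports, per the Kerberos error table in RFC 4120 (7.5.9).
KRB_STATUS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: account does not exist",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password (often a stale cached credential)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED: request carried no pre-authentication data",
    0x25: "KRB_AP_ERR_SKEW: client clock too far from the DC's",
}


def _event(user, ip, status, minute):
    return {"TargetUserName": user, "ServiceName": "krbtgt/DOMAIN.LOCAL",
            "IpAddress": ip, "Status": status,
            "TimeCreated": f"2015-04-09T11:{minute:02d}:00"}


# Constructed sample: one server replaying the old Administrator password every
# minute, one workstation with clock skew, one single failure elsewhere.
SAMPLE_EVENTS = (
    [_event("Administrator", "::ffff:10.0.0.25", "0x18", m) for m in range(40, 46)]
    + [_event("jdoe", "::ffff:10.0.0.40", "0x25", 42)]
    + [_event("Administrator", "::ffff:10.0.0.31", "0x18", 44)]
)


def parse_status(status):
    """4771 writes Status as hex text ('0x18'); accept ints too."""
    return int(status, 16) if isinstance(status, str) else int(status)


def describe_status(status):
    code = parse_status(status)
    return KRB_STATUS.get(code, f"unknown Kerberos error 0x{code:x}")


def normalize_ip(ip):
    """IPv4 sources appear in 4771 as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d)."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def triage(events, threshold=5):
    """Group failures by (account, client) and classify each group.

    Returns {(user, ip): {"count", "status", "reason", "flag"}}; flag is
    'stale-credential' for repeated 0x18 from one host (a service, scheduled
    task or mapped drive still holding the old password), 'clock-skew' for
    0x25, and 'review' otherwise.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (ev["TargetUserName"], normalize_ip(ev["IpAddress"]))
        groups[key].append(parse_status(ev["Status"]))
    report = {}
    for key, codes in groups.items():
        status, _ = Counter(codes).most_common(1)[0]
        if status == 0x18 and len(codes) >= threshold:
            flag = "stale-credential"
        elif status == 0x25:
            flag = "clock-skew"
        else:
            flag = "review"
        report[key] = {"count": len(codes), "status": status,
                       "reason": describe_status(status), "flag": flag}
    return report


if __name__ == "__main__":
    for (user, ip), info in sorted(triage(SAMPLE_EVENTS, threshold=3).items()):
        print(f"{user:<14} {ip:<12} x{info['count']:<3} 0x{info['status']:02x} "
              f"{info['flag']:<17} {info['reason']}")
```

On a real DC the same records come from Get-WinEvent on the Security log filtered to Id 4771; the host reported for the repeated 0x18 entries is where to look for the service, task or stored credential that still has the old password.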
-
Kerberos Pre-Authentication - Security Vulnerabilities
I have an issue with some Java applets locking out AD accounts, or prompting for a password.
The solutions I have, and which work, are to check "Do not require Kerberos preauthentication" in the user account in Active Directory Users and Computers, or to create a registry DWORD key called allowtgtsessionkey with a value of 1.
This key is located in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
Can you advise whether enabling this option or creating the reg key opens any security vulnerabilities? I have read on another forum that creating the key on a PC where a user has local admin rights will be an issue, but it was very vague.
Many thanks
Larry
Hi,
If the issue persists, please:
Find out from which machine/device bad password attempts are generated.
Locate any services/scheduled tasks/disconnected remote desktop connections/scripts/mapped drives which could be storing credentials, then clear stored credentials.
More information for you:
Troubleshooting Account Lockout
https://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
Account getting locked out
https://social.technet.microsoft.com/Forums/en-US/92454597-b414-4840-82fd-16dd92a1706d/account-getting-locked-out
Account Locked - Event 4771 Failure Code 0x18
https://social.technet.microsoft.com/Forums/windowsserver/en-US/6187d7e2-d38a-4ecd-bf80-12ce3589c8e1/account-locked-event-4771-failure-code-0x18?forum=winserversecurity
Error for Active Directory
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4923356c-1820-4626-83f2-8a57a7c48ccc/error-for-active-directory?forum=winserverDS
Best Regards,
Amy
-
DAG Kerberos Authentication Issue Exchange 2010 on 2008R2 Servers
I have 2 Exchange 2010 servers in a DAG. The witness server is in site A along with one of the Exchange servers. The second Exchange server is in a DR site. The DAG has been functioning fine for 1.5 yrs. Last weekend, after a scheduled reboot of all 3 servers involved (2 e-mail servers and the witness server), the e-mail server in the DR site cannot gain access to the witness share directory per the Failover Cluster Manager. It says to check to see if the witness directory is on-line, etc. Using pings and Explorer, there is no problem for the DR site e-mail server to contact the witness server and directory. I even re-established the quorum to the same directory, no issues. Upon doing a network trace though, I am receiving Kerberos pre-authentication errors when you start the Cluster service on the DR site e-mail server, when it tries to contact the witness server:
(1.4 is the Witness server; 6.5 is the e-mail server in the DR site)
Source       Destination  Proto  Len  Info
192.168.1.4  192.168.6.5  KRB5   319  KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
192.168.6.5  192.168.1.4  TCP     54  26049 > kerberos [FIN, ACK] Seq=235 Ack=266 Win=65792 Len=0
192.168.6.5  192.168.1.4  TCP     66  26050 > kerberos [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
192.168.1.4  192.168.6.5  TCP     60  kerberos > 26049 [ACK] Seq=266 Ack=236 Win=66048 Len=0
192.168.1.4  192.168.6.5  TCP     60  kerberos > 26049 [RST, ACK] Seq=266 Ack=236 Win=0 Len=0
192.168.1.4  192.168.6.5  TCP     66  kerberos > 26050 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1406 WS=256 SACK_PERM=1
192.168.6.5  192.168.1.4  TCP     54  26050 > kerberos [ACK] Seq=1 Ack=1 Win=66048 Len=0
192.168.6.5  192.168.1.4  KRB5   368  AS-REQ
192.168.1.4  192.168.6.5  KRB5   282  KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
192.168.6.5  192.168.1.4  TCP     54  26050 > kerberos [FIN, ACK] Seq=315 Ack=229 Win=65792 Len=0
192.168.1.4  192.168.6.5  TCP     60  kerberos > 26050 [ACK] Seq=229 Ack=316 Win=66048 Len=0
192.168.1.4  192.168.6.5  TCP     60  kerberos > 26050 [RST, ACK] Seq=229 Ack=316 Win=0 Len=0
Thoughts anyone?
Hi,
Unfortunately, the available information is not enough to have a clear view of the observed behavior, and it is not efficient to work on this in the community since we may need more resources, for example the Exchange log, a detailed cluster log, an application dump or an ETL trace, which are not appropriate to handle in the community. I'd like to suggest that you submit a service request to MS Professional tech support so that a dedicated Support Professional can further assist with this request.
Please visit the below link to see the various paid support options that are available to better meet your needs.
http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone
Best regards,
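The KRB5KDC_ERR_PREAUTH_REQUIRED followed by an AS-REQ and KRB5KDC_ERR_PREAUTH_FAILED in the trace above is the normal shape of a Kerberos AS exchange that fails pre-authentication: the first AS-REQ carries no PA-DATA, the KDC answers error 25 (pre-auth required), the client retries with a PA-ENC-TIMESTAMP encrypted under its long-term key, and the KDC answers 24 when it cannot decrypt that timestamp with the key it holds for the principal (Windows logs this as 4771 with status 0x18) or 37 when the timestamp is outside the permitted clock skew (status 0x25). This is also the mechanism the "Do not require Kerberos preauthentication" checkbox from the earlier thread switches off, and the cost is that the KDC then hands the AS-REP enc-part to anyone who asks for it, so a password can be guessed offline without the DC ever logging a failure. The Python below is an added toy model, not code from any of the posts, illustrating both the original ASA question and the DAG trace: PBKDF2 stands in for the Kerberos string-to-key function and a SHA-256 keystream with an HMAC tag stands in for a real enctype; the realm, principals and passwords are made up.

```python
"""Toy model of the Kerberos AS exchange with PA-ENC-TIMESTAMP pre-authentication.

Added example, not code from any of the posts. PBKDF2 stands in for
string-to-key and a SHA-256 keystream with an HMAC tag stands in for a real
enctype; the error numbers are the real ones from RFC 4120. Realm,
principals and passwords are made up.
"""
import hashlib, hmac, os, time

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24      # Windows logs 4771 with Status 0x18
KDC_ERR_PREAUTH_REQUIRED = 25    # KRB5KDC_ERR_PREAUTH_REQUIRED in the trace
KRB_AP_ERR_SKEW = 37             # Windows logs 4771 with Status 0x25
MAX_SKEW = 300                   # seconds; the usual clockskew default


def string_to_key(password, realm, principal):
    # Stand-in for string-to-key: salted with realm + principal, as Kerberos does.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096, 32)


def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def encrypt(key, plaintext):
    """nonce || ciphertext || tag; the tag is what makes a wrong key detectable."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest()[:16], tag):
        raise ValueError("integrity check failed (wrong key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    def __init__(self, realm):
        self.realm = realm
        self.db = {}  # principal -> {"key": bytes, "require_preauth": bool}

    def add_principal(self, name, password, require_preauth=True):
        self.db[name] = {"key": string_to_key(password, self.realm, name),
                         "require_preauth": require_preauth}

    def as_exchange(self, cname, padata=None, now=None):
        """Handle one AS-REQ; padata is the PA-ENC-TIMESTAMP blob or None."""
        now = time.time() if now is None else now
        entry = self.db.get(cname)
        if entry is None:
            return "KRB-ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN
        if entry["require_preauth"]:
            if padata is None:
                return "KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED
            try:
                ts = int.from_bytes(decrypt(entry["key"], padata), "big")
            except ValueError:
                return "KRB-ERROR", KDC_ERR_PREAUTH_FAILED
            if abs(ts - now) > MAX_SKEW:
                return "KRB-ERROR", KRB_AP_ERR_SKEW
        # AS-REP enc-part: the session key (TGT omitted here) under the client's key.
        return "AS-REP", encrypt(entry["key"], os.urandom(16))


def client_as_req(kdc, cname, password, now=None):
    """A normal client: AS-REQ without PA-DATA first, then retry with PA-ENC-TIMESTAMP."""
    now = time.time() if now is None else now
    key = string_to_key(password, kdc.realm, cname)
    msg, body = kdc.as_exchange(cname, None, now)
    if msg == "KRB-ERROR" and body == KDC_ERR_PREAUTH_REQUIRED:
        msg, body = kdc.as_exchange(cname, encrypt(key, int(now).to_bytes(8, "big")), now)
    if msg == "KRB-ERROR":
        return msg, body
    try:
        return "TGT-OK", decrypt(key, body)   # client recovers the session key
    except ValueError:
        return "CLIENT-ERROR", "cannot decrypt AS-REP"   # wrong password, but the KDC never saw a failure


def roast(kdc, cname, wordlist):
    """With pre-auth off the AS-REP enc-part is handed to anyone; guess the password offline."""
    msg, enc_part = kdc.as_exchange(cname, None)
    if msg != "AS-REP":
        return None              # pre-auth required: nothing to attack offline
    for guess in wordlist:
        try:
            decrypt(string_to_key(guess, kdc.realm, cname), enc_part)
            return guess
        except ValueError:
            pass
    return None


if __name__ == "__main__":
    kdc = KDC("DOMAIN.LOCAL")
    kdc.add_principal("steve", "correct horse battery")
    kdc.add_principal("legacyapp", "Summer2015", require_preauth=False)
    print("AS-REQ without PA-DATA ->", kdc.as_exchange("steve"))
    print("wrong password         ->", client_as_req(kdc, "steve", "wrong"))
    print("offline guess, no preauth ->", roast(kdc, "legacyapp", ["password", "Summer2015"]))
```

Running the file prints the three cases that matter for the threads above: the bare AS-REQ gets error 25, the wrong password gets error 24 (the 4771 / 0x18 on a DC), and for the account with pre-authentication switched off roast() recovers the password from the AS-REP without the KDC seeing anything but one successful-looking request.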
-
RDP pre-authentication: what does it actually do?
I'm trying to integrate Forefront TMG and RDS with SecurID authentication. I believe I'm very close to having it working, but I'm hitting a brick wall.
I have "require pre-authentication" set, and "pre-authentication server name" configured, as indicated in so many forum posts and HOWTOs.
No matter what I do, clients receive the error "authentication to the firewall failed due to missing firewall credentials." This is
after they have already successfully authenticated and visited the /RDWeb pages.
Using the TMG logs, procmon, and wireshark, I am 100% certain that no network activity is occurring from the RDP client when this error occurs; this error is being generated entirely on the client side, before it attempts to connect to anything. I understand
that this is what is expected; it is checking for the existence of a cookie.
But the cookie doesn't exist. Why? Because nothing is setting one. The only cookies the client receives during the entire process (logging in to rdweb and trying to launch an app) are the SecurID domain SSO cookie I set in TMG, and the persistent authentication
cookie I also set in TMG. RDweb itself is not issuing any cookie at all.
Can anyone please explain to me, what specific cookie is the RDP client looking for when "require pre-authentication" is enabled? And which component is meant to be setting it?
Obviously I'd be very grateful if anyone can tell me "run this command and it will start working" or whatever, but I'm really hoping to gain an engineering-level understanding of how it's
meant to work ;)
Hi,
Please double check the following article:
Configuring Forefront Threat Management Gateway Integration with RD Gateway Step-by-Step Guide
http://technet.microsoft.com/en-us/library/gg589607(v=ws.10).aspx
On the Forefront TMG server apply the Filter ipv4.address==<your public IP>
When the client's Remote Desktop request reaches the TMG server, please check whether the TMG server is forwarding the packet to the RD Gateway server.
Looking forward to your feedback.
Regards,
Dollar Wang
-
Pre-authentication information was invalid (24) authorization against AD
Hi all,
I'm getting really desperate about this error message during authentication to the Win2003 server where Active Directory is running. I'm using Krb5LoginModule.
- Our administrator of the AD service has enabled DES encryption on the tested account.
- I'm sure that the entered password is correct, because I'm able to log in to our network with this password.
- The entered Kerberos realm is in upper case, in the form COMPANY.COM.
- The Kerberos KDC setting contains the IP address of the domain controller.
I really don't know why it doesn't work. Strangely, if I enable ticketCache so it can use the native ticket cache, it works fine.
My code is:

import java.io.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.callback.TextCallbackHandler;

/**
 * This JaasAcn application attempts to authenticate a user
 * and reports whether or not the authentication was successful.
 */
public class JaasSample {
    public static void main(String[] args) {
        LoginContext lc = null;
        java.util.Properties p = new java.util.Properties(System.getProperties());
        try {
            // "JaasSample" is the entry name looked up in the file given by
            // -Djava.security.auth.login.config (jaas.conf below)
            lc = new LoginContext("JaasSample", new TextCallbackHandler());
        } catch (LoginException le) {
            System.err.println("Cannot create LoginContext. " + le.getMessage());
            System.exit(-1);
        } catch (SecurityException se) {
            System.err.println("Cannot create LoginContext. " + se.getMessage());
            System.exit(-1);
        } catch (Exception e) {
            System.out.println("Login failed: " + e.getMessage());
            System.exit(-1);
        }
        try {
            // Runs Krb5LoginModule: prompts for user name and password and does the AS exchange
            lc.login();
            Subject subject = lc.getSubject();
            Iterator it = subject.getPrincipals().iterator();
            while (it.hasNext())
                System.out.println("Authenticated: " + it.next().toString());
            it = subject.getPublicCredentials(Properties.class).iterator();
            while (it.hasNext())
                ((Properties) it.next()).list(System.out);
            lc.logout();
        } catch (LoginException le) {
            System.err.println("Authentication failed: ");
            System.err.println("  " + le.getMessage());
            System.exit(-1);
        }
        System.out.println("Authentication succeeded!");
    }
}

start.bat file:
"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample

jaas.conf file:
JaasSample {
    com.sun.security.auth.module.Krb5LoginModule required useTicketCache="false" debug="true";
};
Output is:
c:\JAAS>"c:\Program Files\Java\jdk1.5.0_06\bin\java" -Djava.security.krb5.realm=BERIT.CZ -Djava.security.krb5.kdc=10.1.0.04 -Djava.security.krb5.debug=true -Djava.security.auth.login.config=jaas.conf JaasSample
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos username [Kloucek]: User3
Kerberos password for User3: Poiu4566
[Krb5LoginModule] user entered username: User3
principal is [email protected]
Acquire TGT using AS Exchange
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 13 A1 F4 86 B6 1C BF 85
EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 01 58 6E AE EF 25 15 43 F1
2C 40 46 7A 3D 2A B0 .Xn..%.C.,@Fz=*.
0010: 1F 16 9E B6 19 8A 46 68
[Krb5LoginModule] authentication failed
Pre-authentication information was invalid (24)
Authentication failed:
Pre-authentication information was invalid (24)
I tried all the tips I found on this forum and other internet resources without luck.
Please help!
I have solved it. The reason for this problem was this:
I'm accessing our network with these login properties:
login: my second name
pass: my password
Because of this I had entered the same login into the Kerberos database too, BUT Kerberos was expecting my fully qualified network name, which is myfirstname.mysecondname@KERBEROS-REALM! So after I entered [email protected] instead of [email protected] it started to work! I hope this will help many other programmers. -
JAAS, AD, Pre-authentication information was invalid (24)
Our application is Java based, and we use JAAS to allow authentication of the users through Active Directory.
In particular we always encourage our prospective clients to use Krb5LoginModule.
We would:
1. Add a new user to AD, set DES for the account, reset the password.
2. Register the SPNs and generate a keytab:
setspn -A host/newUser.DOMAIN.COM newUser
setspn -A HTTP/newUser.DOMAIN.COM newUser
run ktpass
3. Pass the keytab to the server where the server application will be running and set it up there with
-Djava.security.auth.login.config=c:\config\config.conf
-Djava.security.krb5.realm=DOMAINNAME
-Djava.security.krb5.kdc=<IP address of KDC>
where the config.conf file would have the line
com.sun.security.auth.module.Krb5LoginModule required tryFirstPass=true storePass=true storeKey=true useKeyTab=true keyTab="c:\keytab.key";
and it works...
However, I have encountered a situation where the above would return the
Pre-authentication information was invalid (24) error.
We have reset the password, re-generated the keytab, it is the same time zone ... and nothing.
Then I asked to have a new user added (just to test it) - and it worked for the new user.
Now - what do I need to do to get it to work for the hundreds of others?
Thanks
Support for the new Kerberos preauthentication mechanisms is available in Java SE 6.
In addition, the pre-auth support has been backported to J2SE 5.0 Update 8.
Seema -
Good Afternoon,
I am trying to add some code to a custom authentication routine to allow for tracking in the APEX supplied logs. Currently the authentication code processes the Login attempt and either allows access or returns the user back to the login page with a error message in case they entered an invalid username/password.
I had added in each case the required two lines of code:
APEX_UTIL.SET_CUSTOM_AUTH_STATUS('Test Message.. Ignore Me');
APEX_UTIL.SET_AUTHENTICATION_RESULT(1);  -- just as a test, will use more accurate values later
Now when I log in with a non-existent user it logs it as a successful login, with NO custom text loaded...
Can anyone suggest an idea here, other than using a custom logging table?
Thank you,
Tony Miller
Webster, TX
Hi,
I did test setting item session state, and it works OK for me.
At first I forgot to create that item, and there were errors in my test.
Do you have some computations or validations on the login page? Any application process that might run?
Or do you have any Page Sentry Function, Session Verify Function or Pre-Authentication Process in the authentication scheme?
What is your Session Not Valid setting in the authentication scheme?
Have you tested your code on apex.oracle.com?
Br, Jari
Edited by: jarola on Apr 16, 2010 9:25 AM
I did more tests.
You can try logging in with some user name and password at
http://apex.oracle.com/pls/otn/f?p=12444
Then try logging in with user EXPIRED and password test.
To see the access log, log in with user ACTIVE and password test.
Then go to page 10 and you can see the access log:
http://apex.oracle.com/pls/otn/f?p=12444:10
My auth function is:

-- Values for APEX_UTIL.SET_AUTHENTICATION_RESULT:
--   0 AUTH_SUCCESS
--   1 AUTH_UNKNOWN_USER
--   2 AUTH_ACCOUNT_LOCKED
--   3 AUTH_ACCOUNT_EXPIRED
--   4 AUTH_PASSWORD_INCORRECT
--   5 AUTH_PASSWORD_FIRST_USE
--   6 AUTH_ATTEMPTS_EXCEEDED
--   7 AUTH_INTERNAL_ERROR
create or replace
function custom_auth_2 (p_username in VARCHAR2, p_password in VARCHAR2)
return BOOLEAN
is
  l_password        varchar2(4000);
  l_stored_password varchar2(4000);
  l_expires_on      date;
  l_count           number;
begin
  -- First, check to see if the user is in the user table
  select count(*) into l_count from demo_users where user_name = p_username;
  if l_count > 0 then
    -- Fetch the stored hashed password and the expiry date
    select password, expires_on into l_stored_password, l_expires_on
      from demo_users where user_name = p_username;
    -- Next, check to see if the user's account is expired; if it is, return FALSE
    if l_expires_on > sysdate or l_expires_on is null then
      -- The account is not expired, so apply the custom hash function to the password
      l_password := custom_hash(p_username, p_password);
      -- Finally, compare them and return either TRUE or FALSE
      if l_password = l_stored_password then
        APEX_UTIL.SET_CUSTOM_AUTH_STATUS('SUCCEEDED');
        APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
        return true;
      else
        APEX_UTIL.SET_CUSTOM_AUTH_STATUS('WRONG_PASSWORD');
        APEX_UTIL.SET_AUTHENTICATION_RESULT(4);
        APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
        return false;
      end if;
    else
      APEX_UTIL.SET_CUSTOM_AUTH_STATUS('ACCOUNT_EXPIRED');
      APEX_UTIL.SET_AUTHENTICATION_RESULT(3);
      APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','Your account has been locked');
      return false;
    end if;
  else
    -- The username provided is not in the DEMO_USERS table
    APEX_UTIL.SET_CUSTOM_AUTH_STATUS('USER_NOT_FOUND');
    APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
    APEX_UTIL.SET_SESSION_STATE('LOGIN_MESSAGE','You have entered invalid Username or Password');
    return false;
  end if;
end;

I have an application item LOGIN_MESSAGE, and on the login page I also created a before-header process:

APEX_APPLICATION.G_NOTIFICATION := :LOGIN_MESSAGE;
:LOGIN_MESSAGE := NULL;

to show that item's message in the notification. It does not affect how the auth works.
It seems to work OK -
ACS 5.2 Authentication Issue with Local & Global ADs
Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS it worked, but we didn't do the migration as there would be changes to the ADs.
Now my customer wants the ACS migration by creating a new group in AD, and I also updated the ACS config.
For a user from the old group, authentication is OK.
For a user from the new group, authentication fails with a "subject not found" error, showing the user as being from the old group.
It seems like ACS is querying old records (its own cache or database). I already restarted the ACS but still get the same error.
Can anyone advise how to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by the global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
How can we check or make sure of that?
Thanks ahead,
Ye
Hello,
There is an enhancement request open already:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
ACS should be able to query only desired DCs
Symptom:
Currently on 5.0 and 5.1, the ACS queries DNS with the domain in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change to this behavior.
It should be possible to define which DCs to contact and/or make ACS to interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions:
Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
Workaround:
Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which domain controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate domain controllers the ACS should contact in an AD domain.
Hope this clarifies it.
Regards. -
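The reply above says ACS 5.x asks DNS for the whole DC list and needs every DC reachable, and that the enhancement would have it follow the SRV records Active Directory registers. The Python below is an added example, not Cisco code, of what honouring those records means in practice: it takes constructed SRV records for _ldap._tcp.<site>._sites.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain>, prefers the site-specific set (the "go to the local AD first" behaviour the poster wants), and within each set orders targets by priority and weight with the selection algorithm from RFC 2782. The domain, site and host names are made up, and the records are embedded rather than resolved so the file runs offline; against a real domain the same records come from nslookup -type=SRV or a DNS library.

```python
"""Domain-controller location from AD's SRV records, RFC 2782 style.

Added example, not Cisco ACS code. The records are constructed inline
instead of being resolved from DNS; domain, site and host names are made up.
"""
import random
from collections import defaultdict

# owner name -> [(priority, weight, port, target)], as AD registers them.
SRV_RECORDS = {
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
    ],
    "_ldap._tcp.dc._msdcs.example.com": [
        (0, 100, 389, "dc1.example.com"),
        (0, 100, 389, "dc2.example.com"),
        (10, 100, 389, "dc3.example.com"),  # remote site: higher priority value, tried later
        (10, 0, 389, "dc4.example.com"),    # weight 0: picked only when nothing else is left
    ],
}


def order_srv(records, seed=None):
    """Return (target, port) pairs in the order RFC 2782 tells a client to try them.

    Lower priority values first; within one priority, weighted random
    selection without replacement (seed makes the order reproducible).
    """
    rng = random.Random(seed)
    by_priority = defaultdict(list)
    for priority, weight, port, target in records:
        by_priority[priority].append((weight, port, target))
    ordered = []
    for priority in sorted(by_priority):
        pool = by_priority[priority]
        while pool:
            # Weight-0 entries sort first so that only r == 0 can select them.
            pool.sort(key=lambda e: e[0] != 0)
            total = sum(e[0] for e in pool)
            r = rng.randint(0, total)
            running = 0
            for i, (weight, port, target) in enumerate(pool):
                running += weight
                if running >= r:
                    ordered.append((target, port))
                    del pool[i]
                    break
    return ordered


def locate_dcs(site, domain, records=SRV_RECORDS, seed=None):
    """Site-specific DCs first, then the domain-wide list, without duplicates."""
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
             f"_ldap._tcp.dc._msdcs.{domain}"]
    seen, result = set(), []
    for name in names:
        for target, port in order_srv(records.get(name, []), seed):
            if target not in seen:
                seen.add(target)
                result.append((target, port))
    return result


if __name__ == "__main__":
    for site in ("HQ", "Branch"):   # Branch has no site record: falls back to the domain-wide set
        print(site, "->", [t for t, _ in locate_dcs(site, "example.com", seed=42)])
```

The point for the thread: a locator that follows these records contacts dc1/dc2 in the client's own site first and only moves to the priority-10 entries when those fail, whereas the ACS behaviour described in the reply treats every name in the domain-wide list as mandatory.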
Wireless Client Authentication issues when roaming Access Points (Local)
I have a Cisco 5508 with Software version 7.4.121.0 and Field Recovery 7.6.101.1.
There are a handful of clients that when roaming between AP's with the same SSID that get an authentication issue and have to restart the wireless to get back on.
From Cisco ISE
Event
5400 Authentication failed
Failure Reason
11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Resolution
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ISE server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ISE server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Root cause
While trying to negotiate a TLS handshake with the client, ISE expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ISE and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ISE server certificate for some reason. ISE treated the unexpected message as a sign that the client rejected the tunnel establishment.
I am having a hard time figuring out what is causing this. My assumption is if there were a problem with the Controller or AP configurations then it would happen to everyone. My further assumption is if the client had a problem with their laptop (windows 7) then why does work at other times? So I have checked and the ISE certificate is trusted by client.
Is something happening that the previous access point is holding on to the mac and the return authentication traffic is going to the old AP instead of the new one or something like that which is corrupting the data?
I also had this from Splunk for the same client:
Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed authentications of the same scenario
FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"
Any help on this would be appreciated. These error messages give me an idea but doesn't give me the exact answer to why the problem occurred and what needs to be done to fix it.
Thanks
Further detail from ISE for the failure:
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
15049  Evaluating Policy Group
15008  Evaluating Service Selection Policy
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
15048  Queried PIP
15048  Queried PIP
15004  Matched rule
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12806  Prepared TLS ServerHello message
12807  Prepared TLS Certificate message
12810  Prepared TLS ServerDone message
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
12305  Prepared EAP-Request with another PEAP challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12304  Extracted EAP-Response containing PEAP challenge-response
11514  Unexpectedly received empty TLS message; treating as a rejection by the client
12512  Treat the unexpected TLS acknowledge message as a rejection from the client
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject -
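The step sequence above tells the story on its own once it is read as a state machine: ISE proposes EAP-TLS, the supplicant NAKs to PEAP, the outer TLS handshake gets as far as ISE's Certificate and ServerHelloDone, and then the client sends an empty TLS record instead of finishing the tunnel. The following Python is an added example (not part of the original post and not Cisco code) that parses such a step list plus the Splunk CISE_Failed_Attempts line and reduces them to the facts a responder wants: which method was negotiated, whether the server certificate was delivered, how many inner rounds happened, and whether the session died on the client-rejected-TLS path. The sample step list is constructed from the codes quoted in the post with the six identical challenge rounds collapsed to two; the Splunk sample is the post's two lines joined.

```python
import re
from collections import Counter

# Constructed sample: the ISE step codes quoted in the post above, with the
# repeated PEAP challenge rounds collapsed to two. Not a live ISE export.
SAMPLE_STEPS = (
    "11001 Received RADIUS Access-Request\n"
    "11017 RADIUS created a new session\n"
    "11507 Extracted EAP-Response/Identity\n"
    "12500 Prepared EAP-Request proposing EAP-TLS with challenge\n"
    "11006 Returned RADIUS Access-Challenge\n"
    "11001 Received RADIUS Access-Request\n"
    "11018 RADIUS is re-using an existing session\n"
    "12301 Extracted EAP-Response/NAK requesting to use PEAP instead\n"
    "12300 Prepared EAP-Request proposing PEAP with challenge\n"
    "11006 Returned RADIUS Access-Challenge\n"
    "11001 Received RADIUS Access-Request\n"
    "11018 RADIUS is re-using an existing session\n"
    "12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated\n"
    "12318 Successfully negotiated PEAP version 0\n"
    "12800 Extracted first TLS record; TLS handshake started\n"
    "12805 Extracted TLS ClientHello message\n"
    "12806 Prepared TLS ServerHello message\n"
    "12807 Prepared TLS Certificate message\n"
    "12810 Prepared TLS ServerDone message\n"
    "12305 Prepared EAP-Request with another PEAP challenge\n"
    "11006 Returned RADIUS Access-Challenge\n"
    + (
        "11001 Received RADIUS Access-Request\n"
        "11018 RADIUS is re-using an existing session\n"
        "12304 Extracted EAP-Response containing PEAP challenge-response\n"
        "12305 Prepared EAP-Request with another PEAP challenge\n"
        "11006 Returned RADIUS Access-Challenge\n"
    ) * 2
    + "11001 Received RADIUS Access-Request\n"
    "11018 RADIUS is re-using an existing session\n"
    "12304 Extracted EAP-Response containing PEAP challenge-response\n"
    "11514 Unexpectedly received empty TLS message; treating as a rejection by the client\n"
    "12512 Treat the unexpected TLS acknowledge message as a rejection from the client\n"
    "11504 Prepared EAP-Failure\n"
    "11003 Returned RADIUS Access-Reject\n"
)

# The Splunk record from the post, its two lines joined with a space.
SAMPLE_SPLUNK = (
    "Mar 5 13:44:51 usstlz-piseps01 CISE_Failed_Attempts 0014809622 1 0 2015-03-05 "
    "13:44:51.952 +00:00 0865003824 5435 NOTICE RADIUS: NAS conducted several failed "
    "authentications of the same scenario "
    'FailureReason="12929 NAS sends RADIUS accounting update messages too frequently"'
)

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")
FAILURE_RE = re.compile(r'FailureReason="(\d+)\s+([^"]*)"')


def parse_steps(text):
    """Return [(code, message), ...] for every 'NNNNN message' line."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def summarize_steps(text):
    """Reduce an ISE step list to the handshake facts that matter for triage."""
    steps = parse_steps(text)
    codes = [c for c, _ in steps]
    seen = Counter(codes)
    return {
        "proposed_eap_tls": 12500 in seen,
        "client_nak_to_peap": 12301 in seen,
        "peap_negotiated": 12318 in seen,
        "server_cert_sent": 12807 in seen,          # ISE delivered its certificate
        "inner_rounds": seen[12304],                 # PEAP challenge-responses after ServerDone
        "client_rejected_tls": 11514 in seen or 12512 in seen,
        "access_reject": 11003 in seen,
        "terminal_code": codes[-1] if codes else None,
    }


def diagnose(summary):
    """Map the summary onto the root-cause text ISE itself attaches to 11514/12512."""
    if summary["client_rejected_tls"] and summary["server_cert_sent"]:
        return ("client abandoned the PEAP TLS tunnel after ISE sent its certificate: "
                "check that the supplicant trusts the CA that issued the ISE EAP certificate "
                "(with server validation left enabled) and whether the supplicant is one known "
                "to send an empty record instead of a TLS alert")
    if summary["access_reject"]:
        return "rejected for another reason; inspect the steps before 11003"
    return "no failure observed"


def parse_failure_reason(syslog_line):
    """Pull (code, text) out of a CISE_Failed_Attempts FailureReason field."""
    m = FAILURE_RE.search(syslog_line)
    return (int(m.group(1)), m.group(2)) if m else None


if __name__ == "__main__":
    s = summarize_steps(SAMPLE_STEPS)
    print(s)
    print(diagnose(s))
    print(parse_failure_reason(SAMPLE_SPLUNK))
```

Run against a full export (one step per line, as ISE's detailed authentication report lists them) the same functions work unchanged; the interesting signal is that `server_cert_sent` is true and `client_rejected_tls` is true while `inner_rounds` is small, which points at the client side of the TLS handshake rather than at the controller or the AP that handled the roam.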
Error with Pre-Authentication for Windows Desktop SSO
When I try to use the Windows Desktop SSO module created in the Access Manager I get an error in the amAuthWindowsDesktopSSO file, but I don't know what I'm doing wrong. It's not an Access Manager problem; I can't get kinit to work either. I think I'm following the directions correctly from the manual.
Are these ktpass commands setup right?
The Windows AD administrator created the accounts:
C:\>ktpass -princ HOST/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev.keytab
Targeting domain controller: dc2.ad.tcpip.com
Successfully mapped HOST/amdev.tcpip.com to AMDEV$.
WARNING: Account AMDEV$ is not a user account (uacflags=0x1021).
WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
Reset AMDEV$'s password [y/n]? y
Key created.
Output keytab to amdev.keytab:
Keytab version: 0x502
keysize 56 HOST/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x023efe
3e6846d3cd)
Account AMDEV$ has been set for DES-only encryption.
C:\>ktpass -princ HTTP/[email protected] -pass amdev -mapuser AD\amdev$ -out amdev-http.keytab
Targeting domain controller: dc2.ad.tcpip.com
Successfully mapped HTTP/amdev.tcpip.com to AMDEV$.
WARNING: Account AMDEV$ is not a user account (uacflags=0x201021).
WARNING: Resetting AMDEV$'s password may cause authentication problems if AMDEV$ is being used as a server.
Reset AMDEV$'s password [y/n]? y
Key created.
Output keytab to amdev-http.keytab:
Keytab version: 0x502
keysize 56 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x45201c
f4d3ec43e6)
Account AMDEV$ has been set for DES-only encryption.
C:\>

I can read the keys with ktutil.
ktutil: rkt amdev-http.keytab
ktutil: list
slot KVNO Principal
1 4 HTTP/[email protected]
ktutil: rkt amdev.keytab
ktutil: list
slot KVNO Principal
1 4 HTTP/[email protected]
2 3 HOST/[email protected]
ktutil: wkt amdev2.keytab

I then try to do a kinit with the principal:
kinit -k -t amdev2.keytab HTTP/[email protected]
kinit(v5): Preauthentication failed while getting initial credentials

Access Manager reports a similar problem on access:
01/17/2007 10:23:56:699 AM CST: Thread[service-j2ee-2,5,main]
Stack trace:
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
. . .

Something deep, dark, and inside Kerberos, way outside of my knowledge base, was the problem.
I could always get a kinit with the HTTP/amdev.tcpip.com service to work. I never got the keytabs from the output of ktpass to operate. I used ktutil to create keytab entries, all in vain; kinit using the keytab always resulted in a PA error, although the clocks are set up the same.
The AD administrator created the account, this time as a user account, not a machine account, and the keytabs from the Windows domain controller finally worked.
If anyone knows what the difference between machine and user accounts is in AD, I would be obliged for his/her explanation. The UPN and SPN look the same in the directory. I'm at a loss. However, I am very glad to finally have this working. -
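Two details in the ktpass output above are worth being able to read out of a keytab without ktutil: the two entries merged into amdev2.keytab carry different kvnos (HOST at vno 3, HTTP at vno 4, because the second ktpass run reset the account password again), and both keys are single-DES (etype 0x3). A key whose kvno or enctype no longer matches what the KDC holds fails at exactly the point the post shows, "Preauthentication failed while getting initial credentials" from kinit -k. The Python below is an added example, not code from the post or from Access Manager: a parser for the MIT keytab file format (version 0x0502) with a small audit that flags weak enctypes and mixed kvnos for the same host. The sample keytab is constructed by the script itself from the two key values ktpass printed; the realm AD.TCPIP.COM is an assumption, since the principal names in the post are redacted.

```python
import struct
from dataclasses import dataclass
from typing import List

# Enctype numbers: 1-3 from RFC 3961, 17/18 from RFC 3962, 23 from RFC 4757.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3, 23}   # single DES and RC4


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, off):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode("utf-8"), off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT/Heimdal keytab, file format version 0x0502 (all big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off:off + keylen]; off += keylen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno; overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same 0x0502 layout (used here only to construct the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """Flag weak enctypes and mixed kvnos per host: the things to rule out when kinit -k fails preauth."""
    findings, kvnos_by_host = [], {}
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno}: weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        host = e.principal.rsplit("@", 1)[0].split("/")[-1]
        kvnos_by_host.setdefault(host, set()).add(e.kvno)
    for host, kvnos in kvnos_by_host.items():
        if len(kvnos) > 1:
            findings.append(f"{host}: entries with different kvnos {sorted(kvnos)}; "
                            "compare against the account's current msDS-KeyVersionNumber")
    return findings


# Constructed sample mirroring the merged keytab in the post. Realm AD.TCPIP.COM is
# assumed (the post's principals are redacted); the key bytes are the ones ktpass printed.
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry("HTTP/amdev.tcpip.com@AD.TCPIP.COM", 1, 0, 4, 3, bytes.fromhex("45201cf4d3ec43e6")),
    KeytabEntry("HOST/amdev.tcpip.com@AD.TCPIP.COM", 1, 0, 3, 3, bytes.fromhex("023efe3e6846d3cd")),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e.kvno:>4}  {ENCTYPE_NAMES.get(e.enctype, e.enctype):<12}  {e.principal}")
    for f in audit_keytab(parsed):
        print("!", f)
```

Point `parse_keytab` at the bytes of a real file (`open(path, "rb").read()`) to get the same listing as `ktutil list` plus the enctype and key length, and the audit output says whether the keytab is even eligible to work against the current account keys.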
Pre-authentication failed in krb
Hi All,
We are also facing the same issue, but in a different way.
Our Java application accepts the first 100 (around) krb auth requests and the rest of the requests are dropped; during the dropping it simply shows a message like "pre-authentication failed".
What I doubt is, do we have any constraint on the number of concurrent accesses in krb?
I'm using Tomcat and CASified Sakai with Apache2 -
Pre-authentication ACL disconnects
Hi,
We have a Guest WLAN where a pre-authentication ACL is configured. It works, but the client gets disconnected after a while. The session timeout / idle timeout etc. is configured to a higher value than the actual disconnect (+/- 15 min) takes to happen.
When the client is authenticated (and no longer uses the pre-auth ACL) the client doesn't get disconnected.
It seems like the same issue as the following threads but it doesn't state a solution :
https://supportforums.cisco.com/message/3687872#3687872
https://supportforums.cisco.com/message/3424053
I'm running code 7.4.110.0
Any ideas?

Hi,
If clients are in the Webauth_Reqd state, no matter if they are active or idle, the clients will get de-authenticated after a web-auth required timeout period (for example, 300 seconds; this time is not user configurable). All traffic from the client (allowed via the Pre-Auth ACL) will be disrupted. If the client associates again, it will move back to the Webauth_Reqd state.
There is an enhancement request filed especially for your situation with the Pre-auth ACL.
CSCtj32812 DHCP Option to mitigate the problem of guest client rejoining network
https://tools.cisco.com/bugsearch/bug/CSCtj32812
Regards
Don't forget to rate helpful posts -
Invoking webservice-Authentication issue
Hi All,
I need a help to solve the given below issue.
The scenario is to use web services for the integration between a non-SAP system (web service) and another non-SAP system (web service) via PI using the SOAP adapter.
I have generated the WSDL file from PI and given it to the source system. When I tried testing with a SOAP client (Altova XMLSpy) to PI, the establishment of the connection is fine for HTTP (the user ID and password are given in the prompt window of the XMLSpy tool). I get the message "Webservice has sent an empty response".
But the problem occurs when the Java client tries to invoke the web service from their desktop (within the network).
The error message from the Java client while connecting is given below (a few lines pasted):
org.apache.commons.httpclient.auth.AuthChallengeProcessor selectAuthScheme
INFO: basic authentication scheme selected
Jan 15, 2008 9:56:13 AM org.apache.commons.httpclient.HttpMethodDirector processWWWAuthChallenge
INFO: No credentials available for BASIC 'XISOAPApps'@192.85.27.136:50800
Jan 15, 2008 9:56:13 AM org.codehaus.xfire.transport.http.HttpChannel sendViaClient
I also tried giving the user ID and password in the URL of the SOAP address, but still it did not work out. I have gone through so many blogs (how to remove the authentication in the sender SOAP adapter), but that option is not accepted as we would be changing the SAP standard code.
I would like to know whether the user/password authentication is to be done in the Visual Administrator in PI, or whether the Java web client should write code on their side for authentication (user ID/password).
If the code is to be written in Java, can you give me the piece of code written for authentication?
Right now I am only testing the interface between the source and the PI system.
Please provide your assistance.
Regards
B.Dheepa

The Java client has to provide the user name and password.
You can use the following snippet:
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Send the HTTP Basic credential up front; a non-interactive client gets no prompt.
// java.util.Base64 replaces the non-public sun.misc.BASE64Encoder, which newer JDKs no longer ship.
// Basic auth only base64-encodes "user:password", so the URL should be https.
URLConnection connection = url.openConnection();
if (connection instanceof HttpURLConnection) {
    ((HttpURLConnection) connection).setRequestMethod("POST");
}
connection.setRequestProperty("Content-Type", "text/xml");
connection.setDoOutput(true);
String credentials = user + ":" + password;
String encoded = Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
connection.setRequestProperty("Authorization", "Basic " + encoded);
connection.connect();
Please award points if you find the message useful
Edited by: Kanwaljit Singh on Jan 22, 2008 11:03 PM