krb_error 24 Pre-authentication information was invalid (24)

Former Member
0 Kudos

Before rejecting, I have already searched through SAP Notes and forums. Sharing my findings below.


BI 4.1 SP 4.4 + Explorer 4.1 SP 4.4 + Design Studio

Windows 2012 server with SQL 2012 repository

Issue has been seen on BI 4.1 SP 2.3 + Explorer 4.1 SP 2.3

Issue is not specific to any single server or clustered environment. Service account password doesn't have special character in it.

C:\Windows\system32>"F:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win64_x64\sapjvm\bin\kinit.exe" -k -t c:\windows\host.keytab Service_Account@DOMAIN.COM

Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

KrbException: Pre-authentication information was invalid (24)

at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)

at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)

at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)

at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)

at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)

Caused by: KrbException: Identifier doesn't match expected value (906)

at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)

at sun.security.krb5.internal.ASRep.init(ASRep.java:58)

at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)

at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)

... 4 more

KDC has the correct domain controller name.


No duplicate SPNs for the service account.

Have already tried the kinit command with a different JDK version.

Password doesn't have any special character.

The same service account if used with a Windows 2008 server works fine.

No issues with any 3.1 environment.


We have also raised an SAP ticket on this, but no help is able to resolve the issue.

Any inputs on the issue?

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi All,

Thank you for your valuable inputs. We are using McAfee as the Antivirus.

It gets very hard to turn it off as it goes through a lot of process.

One observation:

> If we turn off the AV scan for 10 minutes, create the keytab, turn the scan back on, then the kinit command works smoothly with the new keytab file even when the AV scan is still running.

> But the issue still exists if the keytab is created with the AV scan running.

Turning off the scan is not always an option, but not sure what part of the scan is interfering with the keytab creation.

Will try with the crypto ALL parameter once, but any thoughts on McAfee AV scan.

Something changed in last couple of months in AV which might be causing the issue.

Any help is appreciated to identify this.

Thanks,

Pallab

Henry_Banks
Product and Topic Expert
0 Kudos

Hi,

it's not exactly clear to me When the user / administrator experiences this error. 

Please could you clarify :  What is the workflow that leads to this?

What tool is being used, or service being configured, when this error is thrown?

regards,
H

Former Member
0 Kudos

We are trying to configure AD SSO. Manual AD authentication works okay.

Even when we do the kinit on the service account, that generates the tkt.

The keytab used to respond earlier in Win2012, but now every new keytab that we create, gives the error while testing.

SSO doesn't work as well with the keytab.

We have tried this in an already configured environment where SSO was working earlier.

We are still using the same command as before, when it worked earlier.

Workflow:

> Use ktpass command to generate the keytab:

   ktpass out C:/windows/host.keytab princ Service_Account@DOMAIN.COM pass **** kvno 255 ptype KRB5_NT_PRINCIPAL crypto RC4-HMAC-NT

> From SAPJVM> BIN ... run kinit command to test the keytab.

former_member926196
Active Participant
0 Kudos

Hi Pallab,


Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid

KrbException: Pre-authentication information was invalid (24)


Caused by: KrbException: Identifier doesn't match expected value (906)


The above error is generally seen when the password used for the service account mentioned in the ktpass command is incorrect.


Are you able to AD SSO when the password is hardcoded in Java options?


-Ambarish-

Former Member
0 Kudos

Hi Ambarish,

Yes, if the password is hard coded in the Tomcat Java Options, then it works fine.

However, that is not an option since we have a large number of environments, and the security team won't allow cleartext entry of the password anywhere.

Pallab

former_member189884
Contributor
0 Kudos

You could try to create the keytab using the 'crypto ALL' parameter to rule out the encryption type
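
Added example, not part of any post in this thread: a minimal reader for the MIT keytab layout (version 0x0502, assumed here to be what the keytab file contains) that lists each entry's principal, kvno, encryption type and a truncated SHA-256 of the key, so a keytab that fails `kinit` can be compared field by field with one that works. The sample keytab is constructed with an all-zero dummy key; `parse_keytab`, `build_sample` and the dictionary field names are this example's own.

```python
import hashlib
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}  # 23 is what ktpass calls RC4-HMAC-NT

def _parse_entry(buf):
    off = 0
    def take(fmt):                      # read one big-endian field, advance
        nonlocal off
        off += struct.calcsize(fmt)
        return struct.unpack_from(fmt, buf, off - struct.calcsize(fmt))[0]
    def counted():                      # 16-bit length, then that many bytes
        n = take(">H")
        return take(f">{n}s")
    ncomp = take(">H")                  # name components, realm not counted
    realm = counted().decode("utf-8", "replace")
    name = "/".join(counted().decode("utf-8", "replace") for _ in range(ncomp))
    off += 8                            # skip name type and timestamp
    kvno = take(">B")                   # 8-bit kvno
    etype = take(">H")
    key = counted()
    if len(buf) - off >= 4:             # optional 32-bit kvno, used when non-zero
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "enctype": ENCTYPES.get(etype, str(etype)),
            "key_sha256": hashlib.sha256(key).hexdigest()[:16]}

def parse_keytab(data):
    """List the entries of a 0x0502 keytab without printing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                    # negative size marks a deleted slot
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def build_sample():
    """Constructed keytab: principal and kvno from the thread, all-zero dummy key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    entry = (struct.pack(">H", 1) + cs(b"DOMAIN.COM") + cs(b"Service_Account")
             + struct.pack(">IIBH", 1, 0, 255, 23) + cs(bytes(16)))
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

if __name__ == "__main__":
    print(parse_keytab(build_sample()))
```

For RC4-HMAC the key is derived from the password alone, so two keytabs built from the same password should show the same `key_sha256`; a difference means the two files were not generated from the same password bytes.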