The following is displayed in the server-side debug log amAuth:
09/14/2005 05:41:58:182 PM SGT: Thread[service-j2ee-3,5,main]Exception com.sun.identity.authentication.spi.AuthLoginException(1):null com.sun.identity.authentication.spi.AuthLoginException(2):null java.security.PrivilegedActionException(3):null java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed(31)) at java.security.AccessController.doPrivileged(NativeMethod) at javax.security.auth.Subject.doAs(Subject.java:396) at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process (WindowsDesktopSSO.java:156) at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess (AMLoginModule.java:723) at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:871) at sun.reflect.NativeMethodAccessorImpl.invoke0(NativeMethod) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:215) |
JDK1.5_08 and higher support RC4-HMAC, and earlier JDK versions support 3DES and DES enctypes only. Be sure to select +DesOnly encryption for mapping the account with the service principal in the Windows Kerberos Domain Controller. Also, be sure to use DES-CBC-CRC or DES-CBC-MD5 for cryptosystem when generating the service principal keytab file
Be sure the appropriate crypto system is used for generating keytab file. Be sure the appropriate version of Java is configured for OpenSSO Server.