19 Replies Latest reply on Aug 25, 2015 8:34 AM by Todd Sheehan

    AD Authentication errors popping up

    Matt Kreger

      We are recently running into authentication problems with Domain authentication.  This has been set up and working fine for more than a year.  Recently though, we'll start getting authentication failures {KDC has no support for encryption type (14)} when nothing has changed as far as accounts or BladeLogic settings goes.  This is a failure for all AD accounts.  First it happened last Monday, the AD group swears nothing was changed, but when we put a different server at the top of the list in the blappserv_krb5.conf file the problem went away.  Happened again this Monday.  Again, no one believes anything was changed.  It was working fine before lunch, but after lunch no one can log in.  Put the original DC back at the top of the list, still have the same issue, put a third DC at the top of the list, voilà - authentication working again.

       

      This is in a lab with 2003 and 2008R2 domain controllers so domain is in mixed mode.  In production environment, all 2003 domain controllers have been decommissioned and the AD group is planning to switch to native 2008 mode.  Authentication is working there now, but I'm concerned this may have something to do with 2008 and I'm going to be out of business all of a sudden when they make the switch.

       

      In the lab, no one can seem to figure out what's different between DCs that will work with BladeLogic and DCs that won't.  And I'm going to run out soon if I have to point to a new DC every week. It seems that since when it breaks, it breaks for all accounts, it's not account related. And since it's a week before the same issue crops up on a different DC, it's not likely any AD configuration setting that would be replicated.  Any ideas would be very much appreciated.

       

      From console.log where debug=true: messages from a failed login attempt, and then messages when successful after changing the DC in blappserv_krb5.conf.

       

      ------------------- failure ------------------------

      [14 Mar 2011 16:03:50,943] [main] [INFO] [::] [] Accepting requests...

      [14 Mar 2011 16:03:50,944] [main] [INFO] [::] [] Ready.

      Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                      [Krb5LoginModule] user entered username: adminmkreger@CORP.CSA.IC.GOV

       

      Acquire TGT using AS Exchange

                      [Krb5LoginModule] authentication failed

      KDC has no support for encryption type (14)

      [14 Mar 2011 16:03:59,323] [Authentication-Service-Thread-0] [WARN] [::20.5.233.95] [Appserver] adminmkreger@CORP.CSA.IC.GOV cannot login, caught a login exception

      [14 Mar 2011 16:03:59,326] [Authentication-Service-Thread-0] [WARN] [::20.5.233.95] [Appserver] KDC has no support for encryption type (14)

      [14 Mar 2011 16:03:59,329] [Authentication-Service-Thread-0] [INFO] [adminmkreger@CORP.CSA.IC.GOV::20.5.233.95] [Appserver] user authentication failed: adminmkreger@CORP.CSA.IC.GOV

      [14 Mar 2011 16:03:59,329] [Authentication-Service-Thread-0] [INFO] [adminmkreger@CORP.CSA.IC.GOV::20.5.233.95] [Appserver] Authentication Connection closed

      [14 Mar 2011 16:04:48,610] [Scheduled-System-Tasks-Thread-4] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 250675200,Free JVM (B): 129856600,Used JVM (B): 120818600,VSize (B): 7131602944,RSS (B): 406593536,Used File Descriptors: 264

      ----------------------------------------------------

       

      ------------------- success --------------------------

      [14 Mar 2011 16:15:23,338] [main] [INFO] [::] [] Ready.

      Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                      [Krb5LoginModule] user entered username: adminmkreger@CORP.CSA.IC.GOV

       

      Acquire TGT using AS Exchange

      principal is adminmkreger@CORP.CSA.IC.GOV

      EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 83 7F D3 9E 68 68 BC EA

      Commit Succeeded

       

                      [Krb5LoginModule]: Entering logout

                      [Krb5LoginModule]: logged out Subject

      [14 Mar 2011 16:15:40,762] [Authentication-Service-Thread-0] [INFO] [adminmkreger@CORP.CSA.IC.GOV::20.5.233.95] [Appserver] user authentication successful: adminmkreger@CORP.CSA.IC.GOV

      [14 Mar 2011 16:15:41,207] [Authentication-Service-Thread-0] [INFO] [adminmkreger@CORP.CSA.IC.GOV::20.5.233.95] [Appserver] Authentication Connection closed

      [14 Mar 2011 16:15:43,654] [Client-Connections-Thread-0] [INFO] [adminmkreger@CORP.CSA.IC.GOV:BLAdmins:20.5.233.95] [Client] User 'adminmkreger@CORP.CSA.IC.GOV' assumed the role 'BLAdmins'

      [14 Mar 2011 16:15:44,866] [Client-Connections-Thread-1] [INFO] [adminmkreger@CORP.CSA.IC.GOV:BLAdmins:20.5.233.95] [Client] User 'adminmkreger@CORP.CSA.IC.GOV' assumed the role 'BLAdmins'

      [14 Mar 2011 16:15:49,403] [Client-Connections-Thread-5] [INFO] [adminmkreger@CORP.CSA.IC.GOV:BLAdmins:20.5.233.95] [Client] User 'adminmkreger@CORP.CSA.IC.GOV' assumed the role 'BLAdmins'

      [14 Mar 2011 16:16:21,905] [Scheduled-System-Tasks-Thread-5] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 341114880,Free JVM (B): 119607376,Used JVM (B): 221507504,VSize (B): 7151513600,RSS (B): 494723072,Used File Descriptors: 269

      ------------------------------------------------------
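
Added example, not part of the original post and not BladeLogic code: a small Python parser for JAAS Krb5LoginModule debug output like the two excerpts above. It pairs each login attempt with its outcome, names the Kerberos error code in parentheses (14 is KDC_ERR_ETYPE_NOSUPP in RFC 4120) and the etype of the issued key (keyType=3 is des-cbc-md5). The sample lines, the principal alice@EXAMPLE.TEST and all function and table names are constructed for illustration.

```python
import re

# Kerberos etype numbers (RFC 3961, 3962, 4757); DES is deprecated by RFC 6649,
# 3DES and RC4 by RFC 8429.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED = {1, 2, 3, 16, 23}
# The number in parentheses in the Java message is a Kerberos error code, not an etype.
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP"}

USER_RE = re.compile(r"\[Krb5LoginModule\] user entered username: (\S+)")
KEY_RE = re.compile(r"EncryptionKey: keyType=(\d+)")
ERR_RE = re.compile(r"KDC has no support for encryption type \((\d+)\)")

def analyze(lines):
    """Return one dict per login attempt found in Krb5LoginModule debug output."""
    attempts, cur = [], None
    for line in lines:
        if m := USER_RE.search(line):
            # A new "user entered username" line starts a new attempt.
            cur = {"user": m.group(1), "result": None, "etype": None,
                   "error": None, "weak_key": False}
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := KEY_RE.search(line):
            n = int(m.group(1))
            cur["etype"] = ETYPES.get(n, f"etype-{n}")
            cur["weak_key"] = n in DEPRECATED
        elif "[Krb5LoginModule]" in line and "authentication failed" in line:
            cur["result"] = "failed"
        elif m := ERR_RE.search(line):
            cur["error"] = KRB_ERRORS.get(int(m.group(1)), "krb-error-" + m.group(1))
        elif "Commit Succeeded" in line:
            cur["result"] = "ok"
    return attempts

# Constructed sample modelled on the failure and success excerpts in the post.
SAMPLE = """\
                [Krb5LoginModule] user entered username: alice@EXAMPLE.TEST
                [Krb5LoginModule] authentication failed
KDC has no support for encryption type (14)
                [Krb5LoginModule] user entered username: alice@EXAMPLE.TEST
principal is alice@EXAMPLE.TEST
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 00 11 22 33 44 55 66 77
Commit Succeeded
""".splitlines()

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```
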
