Kinit Is Returning krb_error 24 Pre-authentication Information Was Invalid (24) (Doc ID 466288.1)

Last updated on JULY 01, 2016

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.2 and later
Information in this document applies to any platform.
This problem can occur on any platform.

Symptoms

-- Problem Statement:
When using kinit to get a ticket for SSO, getting error:

krb_error 24 Pre-authentication information was invalid (24)

ldapbind to Active Directory (AD) is successful.

Creating new keytab file does not help.

e.g.,

/data/oracle/ias_10.1.2/jdk/bin/kinit -k -t sso.keytab HTTP/sso.uk.oracle.com

ERROR
krb_error 24 Pre-authentication information was invalid (24)


-- Steps To Reproduce:
Use the kinit utility to get a ticket for the SSO.

e.g.,

kinit -k -t sso.keytab HTTP/sso.uk.oracle.com
HTTP/wfconttest.prov.bzException: krb_error 24 Pre-authentication information was invalid (24)
Pre-authentication information was invalid
KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:269)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.af.a(DashoA12275:134)
at sun.security.krb5.internal.at.a(DashoA12275:63)
at sun.security.krb5.internal.at.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms