User Identities of Domain Users Authenticated with Active Directory are Case-Sensitive, Causing Unexpected Login Failures to Virtual Desktop Infrastructure & Secure Global Desktop

(Doc ID 1562141.1)

Last updated on AUGUST 02, 2017

Applies to:

Oracle Virtual Desktop Infrastructure - Version 3.5 to 3.5.3 [Release 3.0]
Oracle Secure Global Desktop - Version 4.71 to 5.3 [Release 4.0 to 5.0]
Information in this document applies to any platform.

Symptoms

Users logging into an Oracle Virtual Desktop Infrastructure (VDI) or Oracle Secure Global Desktop (SGD) deployment configured with domain-user authentication via kerberos to an Active Directory (AD) Server may find that they need to provide username credentials exactly as they are defined within Active Directory.  (Specifically:  TEST, Test, and test would all be considered independent users.)

The following exception is an example entry recorded upon the submission of 'test', in lieu of "TEST".

Jun 10, 2013 5:03:04 PM com.sun.sgd.directoryservices.core.connect.KerberizedConnection handleLoginException
FINE: thr#23:"pool-6-thread-1" Kerberos authentication of test@DOMAIN.COM failed : Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]

Jun 10, 2013 5:03:04 PM com.sun.sgd.directoryservices.core.connect.KerberizedConnection handleLoginException
FINER: thr#23:"pool-6-thread-1" THROW
Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]
  at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.handleLoginException(KerberizedConnection.java:212)
  at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:129)
  at com.sun.sgd.directoryservices.core.connect.Connection.connect(Connection.java:105)
  at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.authenticate(KerberosAuthAgent.java:66)
  at com.sun.sgd.directoryservices.core.auth.managers.UserManager.authenticate(UserManager.java:208)
  at com.sun.sgd.directoryservices.core.auth.managers.ActiveDirectoryUserManager.authenticate(ActiveDirectoryUserManager.java:184)
  at com.sun.sgd.directoryservices.core.service.GenericDirectoryService.authenticate(GenericDirectoryService.java:312)
  at com.sun.sgd.directoryservices.core.service.ADForestService.authenticate(ADForestService.java:149)
  at com.sun.sgd.directoryservices.core.DirectoryServiceContext.authenticate(DirectoryServiceContext.java:92)
  at com.sun.directoryservices.auth.LoginHelper.authenticate(LoginHelper.java:218)
  at com.sun.vda.service.userdir.assistants.ClientAssistant$AuthenticationOperation.execute(ClientAssistant.java:412)
  at com.sun.vda.service.userdir.assistants.ClientAssistant.execute(ClientAssistant.java:302)
  at com.sun.vda.service.userdir.assistants.ClientAssistant.authenticate(ClientAssistant.java:273)
  at com.sun.vda.service.core.UserDirectory.authenticate(UserDirectory.java:362)
  at com.sun.vda.service.userdir.client.Client.login(Client.java:97)
  at com.sun.vda.service.client.ClientRequestWorker.authenticate(ClientRequestWorker.java:158)
  at com.sun.vda.service.client.ClientRequestWorker.execute(ClientRequestWorker.java:133)
  at com.sun.vda.service.client.ClientRequestWorker.run(ClientRequestWorker.java:67)
  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
  at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
  at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
  at javax.security.auth.login.LoginContext$5.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
  at javax.security.auth.login.LoginContext.login(Unknown Source)
  at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.login(KerberizedConnection.java:196)
  at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:127)
  ... 19 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
  at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
  at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
  at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
  at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
  at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
  at sun.security.krb5.KrbAsRep.(Unknown Source)
  at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
  at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
  at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
  ... 33 more

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms