User Identities of Domain Users Authenticated with Active Directory are Case-Sensitive, Causing Unexpected Login Failures to Virtual Desktop Infrastructure & Secure Global Desktop
Last updated on AUGUST 02, 2017
Applies to:
Oracle Virtual Desktop Infrastructure - Version 3.5 to 3.5.3 [Release 3.0]Oracle Secure Global Desktop - Version 4.71 to 5.3 [Release 4.0 to 5.0]
Information in this document applies to any platform.
Symptoms
Users logging into an Oracle Virtual Desktop Infrastructure (VDI) or Oracle Secure Global Desktop (SGD) deployment configured with domain-user authentication via kerberos to an Active Directory (AD) Server may find that they need to provide username credentials exactly as they are defined within Active Directory. (Specifically: TEST, Test, and test would all be considered independent users.)
The following exception is an example entry recorded upon the submission of 'test', in lieu of "TEST".
Jun 10, 2013 5:03:04 PM com.sun.sgd.directoryservices.core.connect.KerberizedConnection handleLoginException
FINE: thr#23:"pool-6-thread-1" Kerberos authentication of test@DOMAIN.COM failed : Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]
Jun 10, 2013 5:03:04 PM com.sun.sgd.directoryservices.core.connect.KerberizedConnection handleLoginException
FINER: thr#23:"pool-6-thread-1" THROW
Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.handleLoginException(KerberizedConnection.java:212)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:129)
at com.sun.sgd.directoryservices.core.connect.Connection.connect(Connection.java:105)
at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.authenticate(KerberosAuthAgent.java:66)
at com.sun.sgd.directoryservices.core.auth.managers.UserManager.authenticate(UserManager.java:208)
at com.sun.sgd.directoryservices.core.auth.managers.ActiveDirectoryUserManager.authenticate(ActiveDirectoryUserManager.java:184)
at com.sun.sgd.directoryservices.core.service.GenericDirectoryService.authenticate(GenericDirectoryService.java:312)
at com.sun.sgd.directoryservices.core.service.ADForestService.authenticate(ADForestService.java:149)
at com.sun.sgd.directoryservices.core.DirectoryServiceContext.authenticate(DirectoryServiceContext.java:92)
at com.sun.directoryservices.auth.LoginHelper.authenticate(LoginHelper.java:218)
at com.sun.vda.service.userdir.assistants.ClientAssistant$AuthenticationOperation.execute(ClientAssistant.java:412)
at com.sun.vda.service.userdir.assistants.ClientAssistant.execute(ClientAssistant.java:302)
at com.sun.vda.service.userdir.assistants.ClientAssistant.authenticate(ClientAssistant.java:273)
at com.sun.vda.service.core.UserDirectory.authenticate(UserDirectory.java:362)
at com.sun.vda.service.userdir.client.Client.login(Client.java:97)
at com.sun.vda.service.client.ClientRequestWorker.authenticate(ClientRequestWorker.java:158)
at com.sun.vda.service.client.ClientRequestWorker.execute(ClientRequestWorker.java:133)
at com.sun.vda.service.client.ClientRequestWorker.run(ClientRequestWorker.java:67)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.login(KerberizedConnection.java:196)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:127)
... 19 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 33 more
FINE: thr#23:"pool-6-thread-1" Kerberos authentication of test@DOMAIN.COM failed : Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]
Jun 10, 2013 5:03:04 PM com.sun.sgd.directoryservices.core.connect.KerberizedConnection handleLoginException
FINER: thr#23:"pool-6-thread-1" THROW
Authentication of 'test@DOMAIN.COM' failed [com.sun.directoryservices.auth.AuthenticationException: Failed to connect, invalid authentication credentials [Root exception is javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)] [local: Failed to connect, invalid authentication credentials, response: DirectoryResponse(code=117,message='Failed to connect, invalid authentication credentials')]]
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.handleLoginException(KerberizedConnection.java:212)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:129)
at com.sun.sgd.directoryservices.core.connect.Connection.connect(Connection.java:105)
at com.sun.sgd.directoryservices.core.auth.KerberosAuthAgent.authenticate(KerberosAuthAgent.java:66)
at com.sun.sgd.directoryservices.core.auth.managers.UserManager.authenticate(UserManager.java:208)
at com.sun.sgd.directoryservices.core.auth.managers.ActiveDirectoryUserManager.authenticate(ActiveDirectoryUserManager.java:184)
at com.sun.sgd.directoryservices.core.service.GenericDirectoryService.authenticate(GenericDirectoryService.java:312)
at com.sun.sgd.directoryservices.core.service.ADForestService.authenticate(ADForestService.java:149)
at com.sun.sgd.directoryservices.core.DirectoryServiceContext.authenticate(DirectoryServiceContext.java:92)
at com.sun.directoryservices.auth.LoginHelper.authenticate(LoginHelper.java:218)
at com.sun.vda.service.userdir.assistants.ClientAssistant$AuthenticationOperation.execute(ClientAssistant.java:412)
at com.sun.vda.service.userdir.assistants.ClientAssistant.execute(ClientAssistant.java:302)
at com.sun.vda.service.userdir.assistants.ClientAssistant.authenticate(ClientAssistant.java:273)
at com.sun.vda.service.core.UserDirectory.authenticate(UserDirectory.java:362)
at com.sun.vda.service.userdir.client.Client.login(Client.java:97)
at com.sun.vda.service.client.ClientRequestWorker.authenticate(ClientRequestWorker.java:158)
at com.sun.vda.service.client.ClientRequestWorker.execute(ClientRequestWorker.java:133)
at com.sun.vda.service.client.ClientRequestWorker.run(ClientRequestWorker.java:67)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source)
at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.invoke(Unknown Source)
at javax.security.auth.login.LoginContext.access$000(Unknown Source)
at javax.security.auth.login.LoginContext$5.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source)
at javax.security.auth.login.LoginContext.login(Unknown Source)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.login(KerberizedConnection.java:196)
at com.sun.sgd.directoryservices.core.connect.KerberizedConnection.createConnectionContext(KerberizedConnection.java:127)
... 19 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.(Unknown Source)
at sun.security.krb5.KrbAsReq.getReply(Unknown Source)
at sun.security.krb5.Credentials.sendASRequest(Unknown Source)
at sun.security.krb5.Credentials.acquireTGT(Unknown Source)
... 33 more
Cause
Sign In with your My Oracle Support account |
|
Don't have a My Oracle Support account? Click to get started |
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms