Purpose
The purpose of this overview is to help you understand the Kerberos protocol workflow, as evidenced by Kerberos logs, so that you may better troubleshoot your Kerberos configuration.
Overview of the Kerberos protocol workflow
- Authentication request with no pre-authentication payload and subsequent denial by the KDC's Authentication Service.
- Re-issuance of authentication request with pre-authentication payload.
- Validation of pre-authentication by the KDC's Authentication Service using regular password or HOTP value.
- Ticket grant by the KDC's Ticket Granting Service.
Basic authentication request by password.
bash-2.05b# kinit -f hnelson@EXAMPLE.COM
Here I am using 'kinit' to authenticate my principal. Note that I am requesting a FORWARDABLE ticket using the '-f' option and that option shows up in the request's KDC Options. Further note that the 'hnelson' principal does not have a SAM Type configured. This means 'hnelson' is a regular password user, as opposed to a Single-use Authentication Mechanism (SAM) user. Oops! I typed in my password wrong, so my authentication was denied with error "Integrity check on decrypted field failed."
3970583 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33053 RCVD: org.apache.kerberos.messages.KdcRequest@395aaf
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: hnelson@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@170b819
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@146ad8b
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122249836
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@12b9f14
3970637 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
3970665 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Integrity check on decrypted field failed
org.apache.kerberos.exceptions.KerberosException: Integrity check on decrypted field failed
    at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:160)
    at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
3970680 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33053 SENT: org.apache.kerberos.messages.ErrorMessage@9db0e2
OK, I tried 'kinit' again and this time got my password correct.
4012903 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
4012904 [IoThreadPool-9] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33053 RCVD: org.apache.kerberos.messages.KdcRequest@7ae747
4012904 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: hnelson@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@2573a8
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@cc5002
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122249879
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@198ee2f
4012911 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
4012914 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client hnelson@EXAMPLE.COM.
4012944 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
4012962 [IoThreadPool-9] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33053 SENT: org.apache.kerberos.messages.AuthenticationReply@44b7f7
Now I will try 'kinit' again with the 'codehaus' user, which does have a SAM Type configured.
43147696 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@20d10a
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@7c15c0
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@7800e9
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122289013
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@83dae1
43147706 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43147745 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLE.COM.
43147750 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43147752 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@94cc7
I try 'codehaus' again to test that HOTP values are properly incrementing.
43162271 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@3449a8
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@51b0af
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@126ecd2
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122289028
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@85def8
43162276 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43162301 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLE.COM.
43162306 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43162312 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@4065c4
Now I move over to my properly configured Windows 2003 machine. Note that the standard Kerberos workflow is to attempt authentication without using pre-authentication. This will happen with Windows and Linux login attempts. Since this KDC is configured to REQUIRE pre-authentication, I am denied with error "Additional pre-authentication required."
47490344 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1030 RCVD: org.apache.kerberos.messages.KdcRequest@160ce61
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: hnelson@EXAMPLE.COM
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@8d63cf
    from krb time: null
    realm krb time: org.apache.kerberos.messages.value.KerberosTime@93c911
    kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK
    messageType: initial authentication request (10)
    nonce: 1004686579
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@7587b2
47490351 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
47490354 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Additional pre-authentication required
47490355 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1030 SENT: org.apache.kerberos.messages.ErrorMessage@b612f8
Pre-authentication payload will be added to the authentication request by the client, in this case the Windows login service, and automatically re-tried. I am then authenticated.
47490367 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1031 RCVD: org.apache.kerberos.messages.KdcRequest@8e68bd
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: hnelson@EXAMPLE.COM
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@17e9134
    from krb time: null
    realm krb time: org.apache.kerberos.messages.value.KerberosTime@6f0962
    kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK
    messageType: initial authentication request (10)
    nonce: 1004686579
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@1d12d43
47490371 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
47490371 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client hnelson@EXAMPLE.COM.
47490377 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47490380 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1031 SENT: org.apache.kerberos.messages.AuthenticationReply@1e6612c
The Windows login service is now able to request a ticket for my principal for the login service. Note that in this particular case, two requests were sent, so one is flagged as a replay and ignored. Kerberos requests are by default sent as UDP datagrams, so during server or network latency, requests may be sent more than once. This is somewhat normal, though if it occurs a lot it is an indication of poor server or network capacity.
47490382 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47495375 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47495835 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@16218f9
47495836 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: host/www.example.com@EXAMPLE.COM
    clientPrincipal: null
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@155aa19
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE RENEWABLE
    messageType: request for authentication based on TGT (12)
    nonce: 1005116086
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@1125a40
47495844 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@1df3255
47495845 [IoThreadPool-19] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: host/www.example.com@EXAMPLE.COM
    clientPrincipal: null
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@618821
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE RENEWABLE
    messageType: request for authentication based on TGT (12)
    nonce: 1005116086
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@130661d
47495886 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.TicketGrantReply@22e3ac
47495887 [IoThreadPool-19] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Request is a replay
org.apache.kerberos.exceptions.KerberosException: Request is a replay
    at org.apache.kerberos.service.KerberosService.verifyAuthHeader(KerberosService.java:252)
    at org.apache.kerberos.kdc.TicketGrantingService.getReplyFor(TicketGrantingService.java:93)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:120)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47495888 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.ErrorMessage@f55759
I now test with the 'codehaus' account, which is configured for HOTP. There are three requests here: authentication with no pre-authentication and denial, authentication with pre-authentication, and then a ticket grant.
47660732 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1034 RCVD: org.apache.kerberos.messages.KdcRequest@1187d2f
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@16cacdd
    from krb time: null
    realm krb time: org.apache.kerberos.messages.value.KerberosTime@1c8e80d
    kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK
    messageType: initial authentication request (10)
    nonce: 510706200
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@fadb88
47660739 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660739 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: Additional pre-authentication required
org.apache.kerberos.exceptions.KerberosException: Additional pre-authentication required
    at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:200)
    at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47660740 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1034 SENT: org.apache.kerberos.messages.ErrorMessage@35b5e8
47660741 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1035 RCVD: org.apache.kerberos.messages.KdcRequest@4dd413
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@19e421e
    from krb time: null
    realm krb time: org.apache.kerberos.messages.value.KerberosTime@106d4ea
    kdcOptions: FORWARDABLE RENEWABLE RENEWABLE_OK
    messageType: initial authentication request (10)
    nonce: 510706200
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@1847a42
47660745 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660759 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLE.COM.
47660765 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47660767 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1035 SENT: org.apache.kerberos.messages.AuthenticationReply@18b429b
47660769 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1036 RCVD: org.apache.kerberos.messages.KdcRequest@1c0d0a8
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: host/www.example.com@EXAMPLE.COM
    clientPrincipal: null
    hostAddresses: null
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1c2fff0
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE RENEWABLE
    messageType: request for authentication based on TGT (12)
    nonce: 511288584
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@130fafb
47660780 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /192.168.0.3:1036 SENT: org.apache.kerberos.messages.TicketGrantReply@12a585c
I then try to log in again, but using the same HOTP value. I am denied since the HOTP value has incremented.
47681499 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@dfbabd
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@5cd7f9
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1672c01
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122293547
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@7a279c
47681504 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47681540 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - Returning error message: HOTP-3: Preauth failed!
org.apache.kerberos.exceptions.KerberosException: HOTP-3: Preauth failed!
    at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:216)
    at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
    at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
    at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
    ...
47681541 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.ErrorMessage@166faac
I then try the next HOTP value and log in just fine.
47693594 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - null CREATED
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@1db8f3a
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Responding to authentication request:
    realm: EXAMPLE.COM
    serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    clientPrincipal: codehaus@EXAMPLE.COM
    hostAddresses: org.apache.kerberos.messages.value.HostAddresses@1984161
    encryptionType: [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@ec849e
    from krb time: null
    realm krb time: null
    kdcOptions: FORWARDABLE
    messageType: initial authentication request (10)
    nonce: 1122293559
    protocolVersionNumber: 5
    till: org.apache.kerberos.messages.value.KerberosTime@1f6b81c
47693598 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - entry for client principal codehaus@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47693611 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued to client codehaus@EXAMPLE.COM.
47693616 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47693618 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.AuthenticationReply@7a6c34
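The outcomes walked through on this page can be pulled out of a KDC debug log mechanically. The following is an added example, not part of the original page or the project's code: it splits log text on the entry header and counts outcomes per principal, using the message texts shown above. The outcome labels, the thread and address correlation, and the shortened sample are assumptions of this sketch.

```python
import re
from collections import Counter

HEADER = re.compile(r"\d+ \[([^\]]+)\] (DEBUG|ERROR) \S+ - ")
PREFIX = "Returning error message: "
# Error texts exactly as they appear in the logs on this page.
ERRORS = {
    "Additional pre-authentication required": "preauth-required",
    "Integrity check on decrypted field failed": "bad-password",
    "HOTP-3: Preauth failed!": "bad-otp",
    "Request is a replay": "replay",
}

def entries(text):
    """Split on "<ms> [thread] LEVEL logger - " headers; works on run-together text."""
    heads = list(HEADER.finditer(text))
    for head, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        yield head.group(1), head.group(2), text[head.end():end].strip()

def triage(text):
    """Count (principal, outcome); TGS requests are keyed by server principal."""
    target = {}   # worker thread -> principal of the request it is handling
    worker = {}   # client address -> worker thread that last received from it
    seen = Counter()
    for thread, level, msg in entries(text):
        io = re.match(r"(/\S+) (RCVD|SENT): \S+\.(\w+)@", msg)
        req = re.search(r"serverPrincipal: (\S+)\s+clientPrincipal: (\S+)", msg)
        if io and io.group(2) == "RCVD":
            worker[io.group(1)] = thread
        elif io and io.group(3) == "TicketGrantReply":
            who = target.get(worker.get(io.group(1)), "unknown")
            seen[(who, "service-ticket")] += 1
        elif req:
            server, client = req.groups()
            target[thread] = server if client == "null" else client
        elif msg.startswith("Ticket will be issued to client "):
            seen[(msg.split()[-1].rstrip("."), "tgt")] += 1
        elif level == "ERROR" and msg.startswith(PREFIX):
            reason = msg[len(PREFIX):]
            outcome = next((v for k, v in ERRORS.items() if reason.startswith(k)), "other")
            seen[(target.get(thread, "unknown"), outcome)] += 1
    return seen

# Constructed sample in the page's log format; request fields are shortened.
H = "DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler -"
E = "ERROR org.apache.kerberos.protocol.KerberosProtocolHandler - " + PREFIX
M = "org.apache.kerberos.messages."
A = "DEBUG org.apache.kerberos.kdc.AuthenticationService -"
AS = A + " Responding to authentication request: serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM clientPrincipal:"
TGS = ("DEBUG org.apache.kerberos.kdc.TicketGrantingService - Responding to authentication request: "
       "serverPrincipal: host/www.example.com@EXAMPLE.COM clientPrincipal: null")
SAMPLE = " ".join([
    f"10 [IoThreadPool-3] {H} /192.168.0.3:1030 RCVD: {M}KdcRequest@1",
    f"11 [IoThreadPool-3] {AS} hnelson@EXAMPLE.COM",
    f"12 [IoThreadPool-3] {E}Additional pre-authentication required",
    f"20 [IoThreadPool-3] {H} /192.168.0.3:1031 RCVD: {M}KdcRequest@2",
    f"21 [IoThreadPool-3] {AS} hnelson@EXAMPLE.COM",
    f"22 [IoThreadPool-3] {A} Ticket will be issued to client hnelson@EXAMPLE.COM.",
    f"30 [IoThreadPool-3] {H} /192.168.0.3:1032 RCVD: {M}KdcRequest@3",
    f"31 [IoThreadPool-3] {TGS}",
    f"32 [IoThreadPool-19] {H} /192.168.0.3:1032 RCVD: {M}KdcRequest@4",
    f"33 [IoThreadPool-19] {TGS}",
    f"34 [IoThreadPool-3] {H} /192.168.0.3:1032 SENT: {M}TicketGrantReply@5",
    f"35 [IoThreadPool-19] {E}Request is a replay org.apache.kerberos.exceptions.KerberosException: Request is a replay",
    f"41 [IoThreadPool-21] {AS} codehaus@EXAMPLE.COM",
    f"42 [IoThreadPool-21] {E}HOTP-3: Preauth failed!",
])
```

A "preauth-required" count followed by a "tgt" for the same principal is the normal two-step exchange; "replay" counts that keep growing match the retransmission case described above.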