Purpose

The purpose of this overview is to help you understand the Kerberos protocol workflow, as evidenced by Kerberos logs, so that you may better troubleshoot your Kerberos configuration.

Overview of the Kerberos protocol workflow

  1. Authentication request with no pre-authentication payload and subsequent denial by the KDC's Authentication Service.
  2. Re-issuance of authentication request with pre-authentication payload.
  3. Validation of pre-authentication by the KDC's Authentication Service using regular password or HOTP value.
  4. Ticket grant by the KDC's Ticket Granting Service.

Basic authentication request by password.

bash-2.05b# kinit -f hnelson@EXAMPLE.COM

Here I am using 'kinit' to authenticate my principal. Note that I am requesting a FORWARDABLE ticket using the '-f' option and that option shows up in the request's KDC Options. Further note that the 'hnelson' principal does not have a SAM Type configured. This means 'hnelson' is a regular password user, as opposed to a Single-use Authentication Mechanism (SAM) user. Oops! I typed in my password wrong, so my authentication was denied with error "Integrity check on decrypted field failed."

3970583 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33053 RCVD: org.apache.kerberos.messages.KdcRequest@395aaf
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       hnelson@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@170b819
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@146ad8b
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122249836
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@12b9f14
3970637 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
3970665 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Integrity check on decrypted field failed
org.apache.kerberos.exceptions.KerberosException: Integrity check on decrypted field failed
        at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:160)
        at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
3970680 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33053 SENT: org.apache.kerberos.messages.ErrorMessage@9db0e2

OK, I tried 'kinit' again and this time got my password correct.

4012903 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
4012904 [IoThreadPool-9] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33053 RCVD: org.apache.kerberos.messages.KdcRequest@7ae747
4012904 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       hnelson@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@2573a8
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@cc5002
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122249879
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@198ee2f
4012911 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
4012914 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client hnelson@EXAMPLE.COM.
4012944 [IoThreadPool-9] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
4012962 [IoThreadPool-9] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33053 SENT: org.apache.kerberos.messages.AuthenticationReply@44b7f7

Now I will try 'kinit' again with the 'cbuckley' user, which does have a SAM Type configured.

43147696 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@20d10a
43147697 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@7c15c0
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@7800e9
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122289013
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@83dae1
43147706 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43147745 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client cbuckley@EXAMPLE.COM.
43147750 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43147752 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@94cc7

I try 'cbuckley' again to test that HOTP values are properly incrementing.

43162271 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 RCVD: org.apache.kerberos.messages.KdcRequest@3449a8
43162272 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@51b0af
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@126ecd2
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122289028
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@85def8
43162276 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
43162301 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client cbuckley@EXAMPLE.COM.
43162306 [IoThreadPool-13] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
43162312 [IoThreadPool-13] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33235 SENT: org.apache.kerberos.messages.AuthenticationReply@4065c4

Now I move over to my properly configured Windows 2003 machine. Note that the standard Kerberos workflow is to attempt authentication without using pre-authentication. This will happen with Windows and Linux login attempts. Since this KDC is configured to REQUIRE pre-authentication, I am denied with error "Additional pre-authentication required."

47490344 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1030 RCVD: org.apache.kerberos.messages.KdcRequest@160ce61
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       hnelson@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@8d63cf
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@93c911
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 1004686579
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@7587b2
47490351 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
47490354 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Additional pre-authentication required
47490355 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1030 SENT: org.apache.kerberos.messages.ErrorMessage@b612f8

Pre-authentication payload will be added to the authentication request by the client, in this case the Windows login service, and automatically re-tried. I am then authenticated.

47490367 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1031 RCVD: org.apache.kerberos.messages.KdcRequest@8e68bd
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       hnelson@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@17e9134
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@6f0962
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 1004686579
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1d12d43
47490371 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal hnelson@EXAMPLE.COM has no SAM type: proceeding with standard pre-authentication
47490371 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client hnelson@EXAMPLE.COM.
47490377 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47490380 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1031 SENT: org.apache.kerberos.messages.AuthenticationReply@1e6612c

The Windows login service is now able to request a ticket for my principal for the login service. Note that in this particular case, two requests were sent, so one is flagged as a replay and ignored. Kerberos requests are by default sent as UDP datagrams, so during server or network latency, requests may be sent more than once. This is somewhat normal, though if it occurs a lot it is an indication of poor server or network capacity.

47490382 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47495375 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47495835 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@16218f9
47495836 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@155aa19
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 1005116086
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1125a40
47495844 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@1df3255
47495845 [IoThreadPool-19] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@618821
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 1005116086
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@130661d
47495886 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.TicketGrantReply@22e3ac
47495887 [IoThreadPool-19] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Request is a replay
org.apache.kerberos.exceptions.KerberosException: Request is a replay
        at org.apache.kerberos.service.KerberosService.verifyAuthHeader(KerberosService.java:252)
        at org.apache.kerberos.kdc.TicketGrantingService.getReplyFor(TicketGrantingService.java:93)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:120)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47495888 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.ErrorMessage@f55759
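
Added example (not part of the original page or of the Apache Kerberos code): a Python triage script for logs in the format shown above. It pairs each request with its outcome, allowing for replies sent from a different IoThreadPool thread than the one that handled the request, and lists pre-authentication denials that were never followed by an issued retry with the same principal and nonce. The sample lines are abridged from the logs on this page; the function and field names are illustrative.

```python
import re

# Constructed sample: lines abridged from the logs on this page (stack traces
# and most request fields dropped), kept in the order the KDC wrote them.
SAMPLE = """\
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33053 RCVD: org.apache.kerberos.messages.KdcRequest@395aaf
3970627 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        clientPrincipal:       hnelson@EXAMPLE.COM
3970665 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Integrity check on decrypted field failed
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1030 RCVD: org.apache.kerberos.messages.KdcRequest@160ce61
47490345 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        clientPrincipal:       hnelson@EXAMPLE.COM
        nonce:                 1004686579
47490354 [IoThreadPool-3] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Additional pre-authentication required
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1031 RCVD: org.apache.kerberos.messages.KdcRequest@8e68bd
47490368 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        clientPrincipal:       hnelson@EXAMPLE.COM
        nonce:                 1004686579
47490380 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1031 SENT: org.apache.kerberos.messages.AuthenticationReply@1e6612c
47495835 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@16218f9
47495836 [IoThreadPool-3] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
47495844 [IoThreadPool-19] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 RCVD: org.apache.kerberos.messages.KdcRequest@1df3255
47495845 [IoThreadPool-19] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
47495886 [IoThreadPool-3] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1032 SENT: org.apache.kerberos.messages.TicketGrantReply@22e3ac
47495887 [IoThreadPool-19] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Request is a replay
"""

LINE = re.compile(r"^(\d+) \[([^\]]+)\] (?:DEBUG|ERROR) (\S+)\s+- (.*)$")
FIELD = re.compile(r"^\s+(\w[\w ]*):\s+(.*)$")
PREAUTH_REQUIRED = "Additional pre-authentication required"

def parse(log):
    """Return one dict per KDC request, in log order, with its outcome."""
    requests, by_thread, endpoint_of, current = [], {}, {}, None
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:  # indented "key: value" lines belong to the request just logged
            f = FIELD.match(raw)
            if f and current is not None:
                current[f.group(1)] = f.group(2)
            continue
        ts, thread, logger, msg = m.groups()
        current = None
        if " RCVD: " in msg:
            endpoint_of[thread] = msg.split(" RCVD: ")[0]
        elif msg.startswith("Responding to authentication request"):
            current = {"ts": int(ts), "service": logger.rsplit(".", 1)[-1],
                       "endpoint": endpoint_of.get(thread), "outcome": None}
            by_thread[thread] = current
            requests.append(current)
        elif msg.startswith("Returning error message:"):
            if thread in by_thread:  # errors are logged by the handling thread
                by_thread[thread]["outcome"] = msg.split(":", 1)[1].strip()
        elif re.search(r" SENT: \S+Reply@", msg):
            # Replies may be sent from another thread, so match on endpoint too.
            endpoint = msg.split(" SENT: ")[0]
            pending = [r for r in requests
                       if r["endpoint"] == endpoint and r["outcome"] is None]
            mine = by_thread.get(thread)
            if not any(mine is r for r in pending):
                mine = pending[0] if pending else None
            if mine is not None:
                mine["outcome"] = "issued"
    return requests

def unanswered_preauth(requests):
    """Pre-auth denials never followed by an issued retry (same principal, nonce)."""
    def key(r):
        return (r.get("clientPrincipal"), r.get("nonce"))
    issued = {key(r) for r in requests if r["outcome"] == "issued"}
    return [r for r in requests
            if r["outcome"] == PREAUTH_REQUIRED and key(r) not in issued]
```

Counting "Integrity check on decrypted field failed" outcomes per clientPrincipal over the same parsed list gives a quick view of repeated bad-password attempts.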

I now test with the 'cbuckley' account, which is configured for HOTP. There are three requests here: authentication with no pre-authentication and denial, authentication with pre-authentication, and then a ticket grant.

47660732 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1034 RCVD: org.apache.kerberos.messages.KdcRequest@1187d2f
47660736 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@16cacdd
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@1c8e80d
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 510706200
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@fadb88
47660739 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660739 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  Additional pre-authentication required
org.apache.kerberos.exceptions.KerberosException: Additional pre-authentication required
        at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:200)
        at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47660740 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1034 SENT: org.apache.kerberos.messages.ErrorMessage@35b5e8
47660741 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1035 RCVD: org.apache.kerberos.messages.KdcRequest@4dd413
47660742 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@19e421e
        from krb time:         null
        realm krb time:        org.apache.kerberos.messages.value.KerberosTime@106d4ea
        kdcOptions:            FORWARDABLE RENEWABLE RENEWABLE_OK
        messageType:           initial authentication request (10)
        nonce:                 510706200
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1847a42
47660745 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47660759 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client cbuckley@EXAMPLE.COM.
47660765 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47660767 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1035 SENT: org.apache.kerberos.messages.AuthenticationReply@18b429b
47660769 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1036 RCVD: org.apache.kerberos.messages.KdcRequest@1c0d0a8
47660770 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.TicketGrantingService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       host/www.example.com@EXAMPLE.COM
        clientPrincipal:       null
        hostAddresses:         null
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1c2fff0
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE RENEWABLE
        messageType:           request for authentication based on TGT (12)
        nonce:                 511288584
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@130fafb
47660780 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /192.168.0.3:1036 SENT: org.apache.kerberos.messages.TicketGrantReply@12a585c

I then try to log in again, but using the same HOTP value. I am denied since the HOTP value has incremented.

47681499 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@dfbabd
47681501 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@5cd7f9
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@1672c01
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122293547
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@7a279c
47681504 [IoThreadPool-21] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47681540 [IoThreadPool-21] ERROR org.apache.kerberos.protocol.KerberosProtocolHandler  - Returning error message:  HOTP-3: Preauth failed!
org.apache.kerberos.exceptions.KerberosException: HOTP-3: Preauth failed!
        at org.apache.kerberos.kdc.AuthenticationService.verifyPreAuthentication(AuthenticationService.java:216)
        at org.apache.kerberos.kdc.AuthenticationService.getReplyFor(AuthenticationService.java:101)
        at org.apache.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:115)
        at org.apache.mina.protocol.AbstractProtocolFilterChain$2.messageReceived(AbstractProtocolFilterChain.java:149)
        ...
47681541 [IoThreadPool-21] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.ErrorMessage@166faac

I then try the next HOTP value and log in just fine.

47693594 [DatagramAcceptor-0] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - null CREATED
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 RCVD: org.apache.kerberos.messages.KdcRequest@1db8f3a
47693595 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Responding to authentication request:
        realm:                 EXAMPLE.COM
        serverPrincipal:       krbtgt/EXAMPLE.COM@EXAMPLE.COM
        clientPrincipal:       cbuckley@EXAMPLE.COM
        hostAddresses:         org.apache.kerberos.messages.value.HostAddresses@1984161
        encryptionType:        [Lorg.apache.kerberos.crypto.encryption.EncryptionType;@ec849e
        from krb time:         null
        realm krb time:        null
        kdcOptions:            FORWARDABLE
        messageType:           initial authentication request (10)
        nonce:                 1122293559
        protocolVersionNumber: 5
        till:                  org.apache.kerberos.messages.value.KerberosTime@1f6b81c
47693598 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - entry for client principal cbuckley@EXAMPLE.COM has a valid SAM type: invoking SAM subsystem for pre-authentication
47693611 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued to client cbuckley@EXAMPLE.COM.
47693616 [IoThreadPool-23] DEBUG org.apache.kerberos.kdc.AuthenticationService  - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
47693618 [IoThreadPool-23] DEBUG org.apache.kerberos.protocol.KerberosProtocolHandler  - /127.0.0.1:33251 SENT: org.apache.kerberos.messages.AuthenticationReply@7a6c34