OpenWebStart Application Login with Kerberos - Checksum failed

I try to run an OpenWebStart application which displays a login dialog and does a login on Kerberos. I get a "Checksum failed" exception (see below). I'm running the KDC in a VM (CentOS 7) and in the Kerberos log I see that the TGT was successfully created:

Kerberos.kalna.ch krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} 192.168.56.1: ISSUE authtime 1583736176 , etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]

The Kerberos configuration is as follows (kdc.conf):

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KALNA.CH = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

and on the client is the following configuration (krb5.conf):

[libdefaults]
forwardable = true
default_realm = KALNA.CH
udp_preference_limit = 1
kdc_timeout = 2000
allow_weak_crypto = true

[realms]
KALNA.CH = {
    kdc = Kerberos.kalna.ch
    default_domain = kalna.ch
}

[domain_realm]
 .kalna.ch = KALNA.CH
 kalna.ch = KALNA.CH

By debugging I can see that the TGT is received fine, but then a checksum is performed and fails. I have tried to use the Unlimited Strength policy, but that did not help. Any idea why the checksum is failing?

Any help is much appreciated. Below is OpenWebStart Log:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false Refreshing Kerberos configuration 
    ... 30 more 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100) 
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76) 
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272) 
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451) 
Caused by: java.security.GeneralSecurityException: Checksum failed 
    ... 23 more 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:770) 
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:447) 
    at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:310) 
    at sun.security.krb5.KrbAsRep.decryptUsingPassword(KrbAsRep.java:139) 
    at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:150) 
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94) 
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102) 
Caused by: KrbException: Checksum failed 
    at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:650) 
    at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:69) 
    at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:400) 
    at java.lang.reflect.Method.invoke(Method.java:498) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587) 
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 
    at java.security.AccessController.doPrivileged(Native Method) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) 
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) 
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) 
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) 
    at java.lang.reflect.Method.invoke(Method.java:498) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:618) 
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:808) 
javax.security.auth.login.LoginException: Checksum failed 
        [Krb5LoginModule] authentication failed Checksum failed 
Mon Mar 09 07:42:56 CET 2020 [DEBUG  ] com.openwebstart.proxy.direct.DirectProxyProvider: Using NO_PROXY 

        [Krb5LoginModule] user entered username: [email protected]
There are 1 best solutions below

I have debugged KrbAsRep.java and you were right, the KDC sends the following pAData. From those the salt is then computed. But I do not see the reason why that would fail.

0 = {PAData@4691} ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n"
1 = {PAData@4692} ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n"
2 = {PAData@4693} ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n"
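
The KDC log line in the question and the PA-DATA in this answer can be cross-checked mechanically: RFC 4120 expects the etype in an AS-REP's PA-ETYPE-INFO2 entry to match the etype of the reply's encrypted part. The following is an added example, not code from either post; the function names are hypothetical and it assumes both artifacts belong to the same login attempt.

```python
import re

# Kerberos etype numbers that appear on this page (IANA assignments).
ETYPE = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
         17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
         23: "rc4-hmac"}

# Copied from the page: KDC log line (trimmed after the etype block) and
# the three PA-DATA strings from the debugger.
KDC_LOG = ("krb5kdc[1132](Information): AS_REQ (6 etypes {18 17 16 23 1 3} "
           "192.168.56.1: ISSUE authtime 1583736176 , "
           "etypes {rep=18 tkt=18 ses=18}")
PA_DATA = [
    ">>>Pre-Authentication Data:\n\t PA-DATA type = 19\n\t "
    "PA-ETYPE-INFO2 etype = 23, salt = KALNA.CHkada, s2kparams = null\n",
    ">>>Pre-Authentication Data:\n\t PA-DATA type = 3\n",
    ">>>Pre-Authentication Data:\n\t PA-DATA type = 11\n\t "
    "PA-ETYPE-INFO etype = 23, salt = KALNA.CHkada\n",
]

def parse_kdc_etypes(line):
    """Return (etypes the client offered, etypes the KDC chose)."""
    offered = re.search(r"\d+ etypes \{([\d ]+)\}", line)
    chosen = re.search(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}", line)
    if not offered or not chosen:
        raise ValueError("no etype information in this log line")
    return ([int(n) for n in offered.group(1).split()],
            dict(zip(("rep", "tkt", "ses"), map(int, chosen.groups()))))

def parse_etype_info(pa_strings):
    """Return (pa_type, etype, salt) for each ETYPE-INFO/ETYPE-INFO2 entry."""
    entries = []
    for text in pa_strings:
        pa_type = int(re.search(r"PA-DATA type = (\d+)", text).group(1))
        for m in re.finditer(r"PA-ETYPE-INFO2? etype = (\d+), salt = ([^,\n]*)", text):
            entries.append((pa_type, int(m.group(1)), m.group(2)))
    return entries

def etype_mismatches(log_line, pa_strings):
    """List hints whose etype differs from the reply etype in the KDC log."""
    _, chosen = parse_kdc_etypes(log_line)
    rep = chosen["rep"]
    return [f"PA-DATA type {t}: key hint is etype {e} ({ETYPE.get(e, '?')}, "
            f"salt {s!r}) but the reply is etype {rep} ({ETYPE.get(rep, '?')})"
            for t, e, s in parse_etype_info(pa_strings) if e != rep]

if __name__ == "__main__":
    for finding in etype_mismatches(KDC_LOG, PA_DATA):
        print(finding)
```

On the page's data both hints name etype 23, while the KDC log and the `Aes256CtsHmacSha1EType` frames in the stack trace show etype 18 being used for the reply.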