KB Article #178347

GSSException - checksum failed seen when API Gateway acting as Kerberos service authenticates client

Problem

You see an exception like the following when the API Gateway is acting as a Kerberos service and is attempting to authenticate the client:


GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.vordel.circuit.gss.GssAcceptorProcessor.invoke(GssAcceptorProcessor.java:353)
    at com.vordel.circuit.InvocationEngine.invokeFilter(InvocationEngine.java:151)
    at com.vordel.circuit.InvocationEngine.invokeCircuit(InvocationEngine.java:43)
    at com.vordel.circuit.InvocationEngine.recordCircuitInvocation(InvocationEngine.java:278)
    at com.vordel.circuit.InvocationEngine.processMessage(InvocationEngine.java:241)
    at com.vordel.circuit.SyntheticCircuitChainProcessor.invoke(SyntheticCircuitChainProcessor.java:65)
    at com.vordel.dwe.http.HTTPPlugin.processRequest(HTTPPlugin.java:412)
    at com.vordel.dwe.http.HTTPPlugin.invokeDispose(HTTPPlugin.java:431)
    at com.vordel.dwe.http.HTTPPlugin.invoke(HTTPPlugin.java:143)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 15 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)


Resolution

If you have not renamed the Active Directory user used as the Kerberos service, this exception means that the Kerberos service is configured with an incorrect password: the gateway is using the wrong key, so it fails to decrypt the service ticket.

However, if you have renamed the Active Directory user, you need to reset the account's password in Active Directory. This fixes the problem that the rename caused with the service ticket issued to the client. Note that this fix works even if you reset the password to exactly the same value.
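
Why a rename can invalidate the key while the password stays the same can be checked with the JDK's own Kerberos key derivation. This is an added example, not code from this article or from the product; it relies on the standard Kerberos AES string-to-key (RFC 3962), which salts the password with the realm and principal name, and the class name, principal names, realm and password are constructed for illustration.

```java
import java.util.Arrays;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;

public class RenameSaltCheck {

    // Derive the AES256 long-term key from a password using the JDK's
    // Kerberos string-to-key. The salt is taken from the principal's
    // realm and name, so the principal string is an input to the key.
    static byte[] deriveAes256Key(String principal, char[] password) {
        KerberosPrincipal p = new KerberosPrincipal(principal);
        return new KerberosKey(p, password, "AES256").getEncoded();
    }

    public static void main(String[] args) {
        // Constructed sample values (assumptions, not from the article).
        char[] password = "Constructed-Passw0rd!".toCharArray();
        String oldName = "svc-gateway-old@EXAMPLE.COM"; // name before the rename
        String newName = "svc-gateway@EXAMPLE.COM";     // name after the rename

        byte[] keyOld = deriveAes256Key(oldName, password);
        byte[] keyNew = deriveAes256Key(newName, password);
        byte[] keyNewAgain = deriveAes256Key(newName, password);

        // Compare the key for the old name with the key for the new name,
        // both derived from the identical password.
        System.out.println("old name vs new name, keys equal: "
                + Arrays.equals(keyOld, keyNew));

        // Compare two derivations for the new name: this is the state
        // after a password reset, when both sides salt with the new name.
        System.out.println("new name vs new name, keys equal: "
                + Arrays.equals(keyNew, keyNewAgain));

        // Wipe the password buffer once the keys have been derived.
        Arrays.fill(password, '\0');
    }
}
```

Resetting the password makes Active Directory derive the account's keys again under the current name, which is consistent with the reset working even when the password itself is unchanged.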