TDM Kerberos Auth Error: Integrated authentication failed

Article ID: 438890

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

When attempting to create a connection profile using Kerberos authentication in CA Test Data Manager (TDM), the following error occurs:

Integrated authentication failed. ClientConnectionId:[UUID]

Internal Java logs may also show: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)

Environment

  • CA Test Data Manager (Data Finder / Grid Tools)
  • Kerberos Authentication with MS SQL Server
  • Java 21 environment (where weak crypto may be disabled by default)

Cause

This issue is typically caused by a combination of the following configuration factors:

  1. JAAS File Encoding: The jaas.conf file is not saved with UTF-8 encoding, which causes parsing errors during the authentication handshake.
  2. Keytab Configuration: An outdated or incorrectly mapped client-principal keytab is in use.
  3. Encryption Mismatch: A possible mismatch in Kerberos encryption types (e.g., the KDC does not support the AES 128/256 bit encryption required by modern Java runtimes).

Resolution

To resolve this issue, perform the following steps to ensure the Kerberos configuration is correctly aligned:

1. Update the JAAS Configuration Encoding

Ensure that your jaas.conf file is saved with UTF-8 encoding. If the file is saved in another encoding (such as ANSI or UTF-16), the driver may fail to parse the Kerberos parameters correctly.

2. Configure the JAAS File

Verify your jaas.conf contains the correct Krb5LoginModule settings. Example configuration:

SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=true
  doNotPrompt=false
  useKeyTab=true
  keyTab="C:/path/to/your/client_keytab.keytab"
  refreshKrb5Config=true
  principal="[email protected]";
};

3. Generate a New Keytab

Use the ktpass command to generate an updated keytab file using AES256 encryption. Replace the placeholders with your environment-specific values:

ktpass -princ [email protected] -mapuser [email protected] -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out C:\path\to\client_keytab.keytab

4. Verify Principal Names

Ensure the principal name used in the connection profile matches the Service Principal Name (SPN) on the database server (e.g., starting with MSSQLSvc/).

5. Check Encryption Support

If using Java 21 or higher, ensure that the Key Distribution Center (KDC) supports Kerberos AES 128/256 bit encryption, as older weak crypto types may be disabled by the Java runtime.
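
To confirm that the keytab generated in step 3 really carries an AES key, as step 5 requires, the following added example (not part of the original article or of the product) lists each entry's principal, key version and encryption type from a keytab in the standard 0x0502 file format. The function names and the EXAMPLE.TEST sample entries with all-zero keys are constructed for illustration.

```python
import struct, sys

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
AES = {17, 18}  # the AES 128/256 enctype numbers the article asks for

def _counted(rec, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def _entry(rec):
    """Decode one record into (principal, kvno, enctype name, is_aes)."""
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    realm, off = _counted(rec, 2)
    parts = []
    for _ in range(ncomp):
        text, off = _counted(rec, off)
        parts.append(text)
    kvno = rec[off + 8]              # skip name type (4) and timestamp (4)
    etype, klen = struct.unpack_from(">HH", rec, off + 9)
    off += 13 + klen
    if len(rec) - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    name = "/".join(parts) + "@" + realm
    return name, kvno, ENCTYPES.get(etype, f"etype-{etype}"), etype in AES

def parse_keytab(data):
    """List every live entry of a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:                 # a negative size marks a deleted slot
            entries.append(_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def sample_entry(name, realm, etype, kvno=2):
    """Build one constructed entry with an all-zero dummy key (demo input only)."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = (struct.pack(">H", 1) + s(realm) + s(name) + struct.pack(">II", 1, 0)
            + bytes([kvno]) + struct.pack(">HH", etype, 16) + bytes(16))
    return struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    demo = b"\x05\x02" + b"".join(sample_entry("svc", "EXAMPLE.TEST", e) for e in (18, 23))
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else demo
    print(*parse_keytab(data), sep="\n")
```

Run it with the keytab path as the only argument; any entry whose last field is False is not an AES key.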