Integrity check on decrypted field failed (31)

During the configuration of a SSO server for Windows Native Authentication i was faced a very ugly error.
Here is the output found in $ORACLE_HOME/opmn/log/OC4J~OC4J_SECURITY~default_island~1 on the SSO server.


08/10/21 15:23:55 Browser is IE
08/10/21 15:23:55 IE browser version = 7.0
08/10/21 15:23:55 Browser supports Kerberos WNA.
08/10/21 15:23:55 Doing SPNEGO negotiation with the browser ...
08/10/21 15:23:55 Authorization header was not sent from the browser.
08/10/21 15:23:55 Sending WWW-Authenticate request ...
08/10/21 15:23:55 Sending SPNEGO request.
08/10/21 15:23:55 Browser type: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; MS-RTC LM 8)
08/10/21 15:23:55 Browser OS supports Kerberos WNA.
08/10/21 15:23:55 Browser is IE
08/10/21 15:23:55 IE browser version = 7.0
08/10/21 15:23:55 Browser supports Kerberos WNA.
08/10/21 15:23:55 Doing SPNEGO negotiation with the browser ...
08/10/21 15:23:55 Authorization header sent from the browser: Negotiate
08/10/21 15:23:55 Fallback Authentication enabled. Retrieving basic auth header.
08/10/21 15:23:55 Entered Krb5Context.acceptSecContext with state=STATE_NEW
08/10/21 15:23:55 >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
08/10/21 15:23:55 GSSException raised: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
08/10/21 15:23:55 GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
08/10/21 15:23:55 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)...
08/10/21 15:23:55 at java.lang.Thread.run(Thread.java:534)
08/10/21 15:23:55 KerberosAuthenticator:reject Sending authentication failed message to the user.


This error indicated that there is some KDC/SUN GSS configuration/compatibility issue.
To try to pinpoint this problem we manually try to request a ticket using kinit.


D:\oracle\product\101\idm\jdk\bin>kinit HTTP/xxx.yyy.com
Password for HTTP/xxx.yyy.com@YYY.COM: welcome
Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed
KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.u.b(DashoA12275:156)
at sun.security.krb5.internal.crypto.u.b(DashoA12275:126)
at sun.security.krb5.EncryptedData.decrypt(DashoA12275:123)
at sun.security.krb5.KrbAsRep.(DashoA12275:80)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:437)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:398)
at sun.security.krb5.internal.tools.Kinit.a(DashoA12275:328)
at sun.security.krb5.internal.tools.Kinit.(DashoA12275:258)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:109)


The fact that we get “krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed” with kinit,
would indicate a kerberos / sun problem , not a Oracle product related problem.

Things we tried :
- regenerate keytab file ( pay attention to the case which is used , kerberos is case-sensitive)
- recreate Active Directory account
- DNS / hosts file double checked on resolving issues
- change password of the AD user account
- jdk upgrade ( 1.4.2_14 -> 17 -> 18 ) metalink note 469747.1

All these actions did not provide us with a solution.

The problem was solved when uninstalling the “Network Monitor Driver” from the network configuration on the xxx server.
How weird this might sound, this is what helped us solve the krb_error 31 error.