Kerberos Extension - Cannot find key of appropriate type to decrypt AP REP - RC4 with
  • Kerberos Extension - Cannot find key of appropriate type to decrypt AP REP - RC4 with


    I am using Spring Kerberos Extension M2 and ran into a problem. My configuration is really similar to the sample application. I will post the relevant parts of my configuration below. I will obscure my real host and domain a bit; let's say they are MYHOST and MY.DOMAIN.

    I verified like 10 times that the serviceprincipalname HTTP/MYHOST is correctly set. I generated the keytab file like this:
    ktpass /out MYHOST.keytab /princ HTTP/[email protected] /ptype KRB5_NT_PRINCIPAL /kvno 0.

    I also tried with crypto /All, same result. I also tried like 20 crypto-types in my krb5.conf, still no change.

    The tomcat seems to start ok, see part of the output:
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 23 23 17 16 3 1 17.
    Commit Succeeded
    But when I navigate to my application (from another machine of course), I get the error:
    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

    Any idea?
    <beans:bean id="kerberosServiceAuthenticationProvider" class="">
    	<beans:property name="ticketValidator">
    		<beans:bean class="">
    			<beans:property name="servicePrincipal" value="HTTP/MYHOST" />
    			<beans:property name="keyTabLocation" value="/config/MYHOST.keytab" />
    			<beans:property name="debug" value="true" />
    		</beans:bean>
    	</beans:property>
    	<beans:property name="userDetailsService" ref="userDetailsService" />
    </beans:bean>
    <beans:bean class="">
    	<beans:property name="debug" value="true" />
    	<beans:property name="krbConfLocation" value="C:/data/kerb/krb5.conf" />
    </beans:bean>
    Last edited by Matrium; Mar 16th, 2012, 04:49 AM.

  • #2

    I now swapped the keytab file and serviceprincipal with that of an existing application (where SPNEGO is used) and deployed the test-application on that server and it is working.

    So the problem obviously has something to do with the way the keytab file is created. I did not follow the blog in that case, because our admin already created a serviceprincipalname for that user. So I just tried to create a keytab file without the mapping part. Could that be the problem?
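
A check for the condition the exception names, as an added example that is not part of either post or of the Spring extension: it lists each keytab entry's principal, kvno and encryption type, and reports whether an RC4-HMAC (etype 23) key exists for the service principal. It assumes the MIT keytab file format version 0x0502; the function names and the sample keytab (dummy key bytes, the thread's placeholder principal written as HTTP/MYHOST@MY.DOMAIN) are constructed for illustration.

```python
import struct

RC4_HMAC = 23  # etype number for "RC4 with HMAC", the type named in the exception

def read_counted(buf, p):
    """Read a counted octet string: uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, etype)] for each entry of a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = read_counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = read_counted(buf, p)
            comps.append(c.decode())
        p += 8                        # skip name_type and timestamp (uint32 each)
        kvno = buf[p]                 # 8-bit kvno
        (etype,) = struct.unpack_from(">H", buf, p + 1)
        _key, p = read_counted(buf, p + 3)
        if end - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", buf, p)
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return out

def has_etype(entries, principal, etype=RC4_HMAC):
    """True if the keytab holds a key of the given etype for the principal."""
    return any(p == principal and e == etype for p, _, e in entries)

def build_entry(comps, realm, kvno, etype, key):
    """Build one keytab entry (used only to construct the sample below)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: a single AES256 (etype 18) key, dummy key bytes, no RC4 key.
SAMPLE = b"\x05\x02" + build_entry([b"HTTP", b"MYHOST"], b"MY.DOMAIN", 0, 18, b"\x00" * 32)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE)
    print(entries, "has RC4-HMAC key:", has_etype(entries, "HTTP/MYHOST@MY.DOMAIN"))
```

Pointing `parse_keytab` at the bytes of a real keytab shows which etype and kvno each entry carries, which can then be compared with the encryption type reported in the error.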