
  • Kerberos Extension - Cannot find key of appropriate type to decrypt AP REP - RC4 with

    Hi,

    I am using Spring Kerberos Extension M2 and ran into a problem. My configuration is really similar to the sample application. I will post the relevant parts of my configuration below. I will obscure my real host and domain a bit; let's say they are MYHOST and MY.DOMAIN.

    I verified like 10 times that the serviceprincipalname HTTP/MYHOST is correctly set. I generated the keytab file like this:
    ktpass /out MYHOST.keytab /princ HTTP/[email protected] /ptype KRB5_NT_PRINCIPAL /kvno 0.

    I also tried with crypto /All, same result. I also tried like 20 crypto-types in my krb5.conf, still no change.

    The tomcat seems to start ok, see part of the output:
    Code:
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 23 23 17 16 3 1 17.
    Commit Succeeded
    But when I navigate to my application (from another machine, of course), I get the error:
    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

    Any idea?
    Code:
    <beans:bean id="kerberosServiceAuthenticationProvider" class="at.verbund.datenschutzdb.security.CustomKerberosAuthenticationProvider">
    		<beans:property name="ticketValidator">
    			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
    				<beans:property name="servicePrincipal" value="HTTP/MYHOST" />
    				<beans:property name="keyTabLocation" value="/config/MYHOST.keytab" />
    				<beans:property name="debug" value="true" />
    			</beans:bean>
    		</beans:property>
    		<beans:property name="userDetailsService" ref="userDetailsService" />
    	</beans:bean>
    
    	<beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
    		<beans:property name="debug" value="true" />
    		<beans:property name="krbConfLocation" value="C:/data/kerb/krb5.conf" />
    	</beans:bean>
    Last edited by Matrium; Mar 16th, 2012, 04:49 AM.

  • #2
    *update

    I now swapped the keytab file and serviceprincipal with those of an existing application (where SPNEGO is used) and deployed the test application on that server, and it is working.

    So the problem obviously has something to do with the way the keytab file is created. I did not follow the blog in that case, because our admin already created a serviceprincipalname for that user. So I just tried to create a keytab file without the mapping part. Could that be the problem?

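Added example, not part of the original thread or of the Spring Kerberos Extension: the exception says no key of the requested type (RC4 with HMAC, etype 23) was found, so one check is to list which principal, kvno and etype each keytab entry actually carries. The sketch assumes the MIT keytab file format version 0x0502; the function names are hypothetical and `sample_keytab` builds a constructed one-entry file with a dummy key.

```python
import struct
RC4_HMAC, AES256 = 23, 18            # Kerberos etype numbers

class Cursor:                        # big-endian reader over one keytab record
    def __init__(self, buf):
        self.buf, self.off = buf, 0
    def num(self, fmt):
        (v,) = struct.unpack_from(fmt, self.buf, self.off)
        self.off += struct.calcsize(fmt)
        return v
    def text(self):                  # 16-bit length followed by the bytes
        n = self.num(">H")
        self.off += n
        return self.buf[self.off - n:self.off].decode("utf-8", "replace")

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative length marks a deleted slot
            pos += -size
            continue
        c = Cursor(data[pos:pos + size])
        pos += size
        ncomp, realm = c.num(">H"), c.text()
        name = "/".join(c.text() for _ in range(ncomp))
        c.off += 8                   # skip name type and timestamp
        kvno, etype = c.num(">B"), c.num(">H")
        keylen = c.num(">H")
        c.off += keylen              # skip key bytes; they are never printed
        if size - c.off >= 4:        # optional 32-bit kvno after the key
            kvno = c.num(">I") or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def missing_etype(entries, principal, etype=RC4_HMAC):
    """True when the keytab holds no key of `etype` for `principal`."""
    return not any(p == principal and e == etype for p, _, e in entries)

def sample_keytab(etype):
    """Constructed one-entry keytab for HTTP/MYHOST@MY.DOMAIN, kvno 0."""
    s = lambda t: struct.pack(">H", len(t)) + t
    rec = (struct.pack(">H", 2) + s(b"MY.DOMAIN") + s(b"HTTP") + s(b"MYHOST")
           + struct.pack(">IIBH", 1, 0, 0, etype) + s(b"\x00" * 16))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

To inspect a real file, pass its bytes to `parse_keytab` and compare the listed principal and etype values with the type named in the exception.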