  • Spring Security can't read any principal from any keytab?

    I have a keytab with one principal in it:

    Code:
    ktutil:  rkt http-web.keytab
    ktutil:  l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    3 HTTP/[email protected]
    This keytab was generated on the Win 2k8 domain controller with this command:

    Code:
    ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass *
    which was copied over to the test web server and used in spnego.xml:

    Code:
    <bean
        class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
      <property name="servicePrincipal" value="HTTP/[email protected]" />
      <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
      <property name="debug" value="true" />
    </bean>
    but it fails to find the principal:

    Code:
    Key for the principal HTTP/[email protected] not available in jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
                    [Krb5LoginModule] authentication failed
    Unable to obtain password from user
    I have tried joining the web server (CentOS 5.5, Tomcat 6) to the AD domain WAD.ENG.HYTRUST.COM; I can log in using AD credentials and then use a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercasing and lowercasing the names.

    PS: checked it out from git this morning.
    Last edited by Arthur Ulfeldt; May 26th, 2011, 05:53 PM.

  • #2
    I don't think this will work:
    Code:
    <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
    My recollection is that you need to use a classpath: or file: resource locator. Did you try that? e.g.:
    Code:
    <property name="keyTabLocation"  value="classpath:http-web.keytab" />
    Obviously you would need to move it from WEB-INF to WEB-INF/classes for this to work.

    You don't post the rest of your configuration, so we can't verify you have everything else right. What build of the SPNEGO extension are you using?



    • #3
      Thanks for responding, I really appreciate the help on this.

      The keytab location seems to need to be relative to the root of the web app. If I set it to anything else or try to use a classpath-relative path it can't find the file. I'm sure it is finding the file, though I have to assume that it is actually reading the keytab file.

      I'm using versions:
      spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT
      spring-security-kerberos-core-1.0.0.CI-SNAPSHOT
      checked out of git yesterday morning.

      I'll dump the whole spnego.xml in the hope you will see something:

      Code:
      <?xml version="1.0" encoding="UTF-8"?>
      <beans xmlns="http://www.springframework.org/schema/beans"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
          xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                              http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

          <!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
          <sec:http entry-point-ref="spnegoEntryPoint">
              <sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
              <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
              <sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
          </sec:http>

          <bean id="spnegoEntryPoint"
              class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

          <bean id="spnegoAuthenticationProcessingFilter"
              class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
              <property name="authenticationManager" ref="authenticationManager" />
          </bean>

          <sec:authentication-manager alias="authenticationManager">
              <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
              <sec:authentication-provider ref="kerberosAuthenticationProvider"/> <!-- Used with form login -->
          </sec:authentication-manager>

          <bean id="kerberosAuthenticationProvider"
              class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
              <property name="kerberosClient">
                  <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
                      <property name="debug" value="true"/>
                  </bean>
              </property>
              <property name="userDetailsService" ref="dummyUserDetailsService"/>
          </bean>

          <bean id="kerberosServiceAuthenticationProvider"
              class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
              <property name="ticketValidator">
                  <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                      <property name="servicePrincipal" value="HTTP/[email protected]T.COM" />
                      <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
                      <!-- See the Javadoc for more information on that -->
                      <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
                      <property name="debug" value="true" />
                  </bean>
              </property>
              <property name="userDetailsService" ref="dummyUserDetailsService" />
          </bean>

          <bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
              <property name="debug" value="true" />
              <!-- You can point to a different kerberos config location here, if you don't want the default one -->
              <property name="krbConfLocation" value="/etc/krb5.conf"/>
          </bean>

          <!-- Just returns the User authenticated by Kerberos and gives him the ROLE_USER -->
          <bean id="dummyUserDetailsService"
              class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />

      </beans>
      I'm using a different account today from the example posted yesterday. Today the AD account is [email protected] and the SPI is HTTP/[email protected].

      PS: I'm using Tomcat 6 on CentOS 5.5.
      Last edited by Arthur Ulfeldt; May 27th, 2011, 05:14 PM. Reason: sp33lng



      • #4
        Are you able to use kinit with the keytab file you generated to actually log in to Kerberos? Can you post the contents of the /etc/krb5.conf file?



        • #5
          Obviously the keyTabLocation is wrong:
          Code:
          <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />

          You may reference the file using the Spring standard file: syntax.



          • #6
            I've got the same issue as Arthur. I have a keytab file with one entry, and I'm trying a simple app deployed to JBoss.

            My c:/windows/krb5.ini file looks like this:
            Code:
            [libdefaults]
            default_realm = IFDSGROUP.CO.UK
            default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
            default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

            [realms]
            IFDSGROUP.CO.UK = {
            kdc = ifpdc03
            }

            [domain_realm]
            ; Convert host names to realm names. Individual host names may be
            ; specified. Domain suffixes may be specified with a leading period
            ; and will apply to all host names ending in that suffix.

            I can list my keytab's contents like this:
            Code:
            > klist -k http-IFDS11812.keytab

            Key tab: http-IFDS11812.keytab, 1 entry found.

            [1] Service principal: HTTP/[email protected]
            KVNO: 3

            I can also use kinit like this:
            Code:
            > kinit -k http/IFDS11812 -t http-IFDS11812.keytab
            New ticket is stored in cache file C:\Documents and Settings\rsams\krb5cc_rsams

            However, when I run my app in JBoss I get this:
            Code:
            .....
            2011-06-15 12:17:18,467 WARN [org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator] (main) Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.
            2011-06-15 12:17:18,483 INFO [STDOUT] (main) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is vfsfile:/C:/jboss-5.1.0.GA/server/JSF2/conf/http-IFDS11812.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
            2011-06-15 12:17:18,483 INFO [STDOUT] (main) Key for the principal HTTP/[email protected] not available in vfsfile:/C:/jboss-5.1.0.GA/server/JSF2/conf/http-IFDS11812.keytab
            2011-06-15 12:17:18,498 INFO [STDOUT] (main) [Krb5LoginModule] authentication failed
            Unable to obtain password from user
            ....

            This is not really relevant, but I could not find "org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService", so I wrote a similar class myself.
            My XML file is very similar to Arthur's (copied from http://blog.springsource.com/2009/09...rity-kerberos/):

            Code:
            <?xml version="1.0" encoding="UTF-8"?>
            <beans xmlns="http://www.springframework.org/schema/beans"
                xmlns:sec="http://www.springframework.org/schema/security"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schem...-beans-3.0.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

                <sec:http entry-point-ref="spnegoEntryPoint">
                    <sec:intercept-url pattern="/pages/**" access="IS_AUTHENTICATED_FULLY" />
                    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
                </sec:http>

                <bean id="spnegoEntryPoint"
                    class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

                <bean id="spnegoAuthenticationProcessingFilter"
                    class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
                    <property name="authenticationManager" ref="authenticationManager" />
                </bean>

                <sec:authentication-manager alias="authenticationManager">
                    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
                </sec:authentication-manager>

                <!-- HTTP/web.springsource.com -->
                <bean id="kerberosServiceAuthenticationProvider"
                    class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
                    <property name="ticketValidator">
                        <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                            <property name="servicePrincipal" value="HTTP/[email protected]" />
                            <property name="keyTabLocation" value="classpath:http-IFDS11812.keytab" />
                            <property name="debug" value="true" />
                        </bean>
                    </property>
                    <property name="userDetailsService" ref="dummyUserDetailsService" />
                </bean>

                <bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
                    <property name="debug" value="true" />
                </bean>

                <bean id="dummyUserDetailsService"
                    class="uk.co.ifdsgroup.security.KerberosUserDetailsService" />

                <!-- deal with credentials events -->
                <bean id="authenticationListener"
                    class="uk.co.ifdsgroup.security.CredentialsListener">
                </bean>

            </beans>


            Any help would be greatly appreciated!

            PS: This may sound dumb, but once I get through this, it means the webapp is authenticated, but what about when users access it via a browser: how are they authenticated?



            • #7
              Got past this by putting the keytab file in another location (NOT in the JBoss conf dir).
              Now it all seems to work, but when I first point a browser at the webapp, it fails Kerberos validation thus:

              Code:
              >> DEBUG [org.springframework.security.web.access.ExceptionTranslationFilter] (http-0.0.0.0-8280-1) Access is denied (user is anonymous); redirecting to authentication entry point
              org.springframework.security.access.AccessDeniedException: Access is denied
              at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
              at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
              ...
              >> DEBUG [org.springframework.beans.factory.support.DefaultListableBeanFactory] (http-0.0.0.0-8280-1) Returning cached instance of singleton bean 'authenticationListener'
              >> INFO [STDOUT] (http-0.0.0.0-8280-1) bad login for
              >> WARN [org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter] (http-0.0.0.0-8280-1) Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB7IIogoACgAxAAAACQAJACgAAAAFASgKAAAAD0lGRFMxMTgxMkVGRFNET01BSU4=
              org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
              at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
              ...
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:619)
              Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.Subject.doAs(Subject.java:396)
              at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
              ... 30 more
              Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
              at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:80)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:287)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
              at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
              at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
              ... 33 more

              Near the top of this output, the line "bad login for " is because I have an authentication listener which outputs
              System.out.println("bad login for " + username) on an AuthenticationFailureBadCredentialsEvent.
              This looks like Spring has no knowledge of the user accessing the web page.
              Last edited by vantager; Jun 15th, 2011, 10:15 AM.



              • #8
                Make sure you are using the browser from a different machine than the server.
                You need to follow http://blog.springsource.com/2009/09...rity-kerberos/ exactly. I got it working in both Windows and Solaris environments.

                From the value for Negotiate, it is not a Kerberos ticket, which should be much longer.

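The "GSSHeader did not find the right tag" failure in #7 and the observation in #8 that the token is too short to be a Kerberos ticket point at the same thing: the value after `Negotiate` begins with `TlRMTVNTUAAB`, which is base64 for `NTLMSSP\0\x01`, the signature of an NTLM Type 1 message. A Kerberos-only acceptor such as SunJaasKerberosTicketValidator cannot do anything with that. The script below is an added example for this thread (not code from Spring Security Kerberos or from any poster): it decodes an `Authorization: Negotiate` header and reports whether it carries NTLM, a SPNEGO InitialContextToken, or a raw Kerberos 5 token, by checking the NTLMSSP signature or the GSS-API `[APPLICATION 0]` framing and mechanism OID (RFC 2743 section 3.1). The NTLM sample is the header from post #7 with the forum's line-break space removed; the SPNEGO and Kerberos samples are constructed in the code and carry only the outer framing, since that is all the classifier looks at.

```python
import base64

# DER-encoded GSS-API mechanism OIDs, found right after the [APPLICATION 0] tag
# of an InitialContextToken (RFC 2743 section 3.1).
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",         # 1.3.6.1.5.5.2        (RFC 4178)
    bytes.fromhex("2a864886f712010202"): "krb5",     # 1.2.840.113554.1.2.2 (RFC 4121)
    bytes.fromhex("2a864882f712010202"): "ms-krb5",  # 1.2.840.48018.1.2.2  (legacy Microsoft Kerberos)
}


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to construct the sample tokens below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def classify_negotiate_token(header_value: str) -> str:
    """Say what an 'Authorization: Negotiate <base64>' header actually carries.

    Returns 'ntlm-type<N>', 'spnego', 'krb5', 'ms-krb5', 'gss-unknown-mech',
    'unknown' or 'not-base64'. Whitespace inside the base64 (line wrapping,
    forum software) is ignored.
    """
    value = header_value.strip()
    if value.lower().startswith("negotiate "):
        value = value[len("negotiate "):]
    try:
        token = base64.b64decode("".join(value.split()), validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return "not-base64"
    if token.startswith(b"NTLMSSP\x00"):    # NTLMSSP signature: the browser fell back to NTLM
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else 0
        return "ntlm-type%d" % msg_type
    if not token or token[0] != 0x60:       # 0x60 = [APPLICATION 0], start of every GSS-API initial token
        return "unknown"
    try:
        _, pos = _der_length(token, 1)
        if token[pos] != 0x06:              # the mechanism OID must follow immediately
            return "unknown"
        oid_len, pos = _der_length(token, pos + 1)
        oid = token[pos:pos + oid_len]
    except (ValueError, IndexError):
        return "unknown"
    return MECH_OIDS.get(oid, "gss-unknown-mech")


# Sample 1: the header from post #7 above, with the forum's line-break space removed.
NTLM_HEADER_FROM_THREAD = (
    "Negotiate TlRMTVNTUAABAAAAB7IIogoACgAxAAAACQAJACgAAAAFASgKAAAAD0lGRFMxMTgxMkVGRFNET01BSU4="
)

# Sample 2 (constructed): SPNEGO NegTokenInit whose mechTypes offers only Kerberos, i.e. the
# outer framing of what a Kerberos-capable browser sends. The mechToken (AP-REQ) is omitted
# because the classifier stops at the mechanism OID.
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
_mech_types = _der(0xA0, _der(0x30, _der(0x06, KRB5_OID)))   # [0] mechTypes SEQUENCE OF OID
_neg_token_init = _der(0xA0, _der(0x30, _mech_types))        # [0] NegTokenInit
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    _der(0x60, _der(0x06, SPNEGO_OID) + _neg_token_init)).decode()

# Sample 3 (constructed): raw Kerberos 5 initial token; TOK_ID 01 00 (KRB_AP_REQ) follows the
# OID, body truncated since only the framing matters here.
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(
    _der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00")).decode()

if __name__ == "__main__":
    for name, hdr in [("thread", NTLM_HEADER_FROM_THREAD),
                      ("spnego", SAMPLE_SPNEGO_HEADER),
                      ("krb5", SAMPLE_KRB5_HEADER)]:
        print(name, "->", classify_negotiate_token(hdr))
```

Run it against the header your filter logged as "Negotiate Header was invalid": an `ntlm-type1` result means the client never had a service ticket for your SPN (typically a wrong or missing SPN, or a browser on the server host itself, as #8 suggests), so fixing the keytab will not help until the browser sends `spnego`.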


                • #9
                  Thanks. I now run my webapp on host IFDS11812 and the browser on host ifdevarc1.
                  The webapp still starts up and goes through Kerberos authentication fine, but when accessed via a browser, it now fails in a different way.
                  I think this may be to do with the keytab file. I don't really understand how the keytab file holds authentication details for just the webapp,
                  but then many different users can be authenticated via a browser (how does this happen?)

                  The new error is:
                  Code:
                  2011-06-16 09:03:41,560 INFO [STDOUT] (http-0.0.0.0-8280-1) Found key for HTTP/[email protected](3)
                  2011-06-16 09:03:44,591 INFO [STDOUT] (http-0.0.0.0-8280-1) Entered Krb5Context.acceptSecContext with state=STATE_NEW
                  2011-06-16 09:03:44,591 INFO [STDOUT] (http-0.0.0.0-8280-1) bad login for
                  2011-06-16 09:03:44,591 WARN [org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter] (http-0.0.0.0-8280-1)
                  Negotiate Header was invalid: Negotiate YIIHawYGKwYBBQUCoIIHXzCCB1ugJDAiBgkqhkiC9xIBAgIGCS qGSIb3EgECAgYKKwYBBAGCNwICCqKCBzEEggctYIIHKQYJKoZI hvcSAQICAQBuggcYMIIHFKADAgEFoQMCAQ6iBwMFACAAAACjgg Y9YYIGOTCCBjWgAwIBBaERGw9JRkRTR1JPVVAuQ08uVUuiLDAq oAMCAQKhIzAhGwRIVFRQGxlpZmRldmFyYzEuaWZkc2dyb3VwLm NvLnVro4IF6zCCBeegAwIBF6EDAgFMooIF2QSCBdVSoRJuI4aM lWSc5ITYUhKxDVWJ74b010DgjSAq8P91F9y7Fs9XUEb65c/WsIIDhwsP5TM3eDPngVJCPiethZ5vVkxJmo2RaxaW+2cv5GPVI SF/M1pDoFewloD5wlvFxF6++0Ksap3vhlFSQq5ut0cBOlr3RUQblN +KG8YXFYFCK7BdB2/TM+8fIsLt1DxcMmZX+zhdYQbytHL1MIXAbhxEy4YCG5Ein9G/LbrXmoQ5XZrceeRRO8DwM0RmNW/K69/9ACoIcL/IalUmlc04W24okFASnwH+U3Hql2zVmmE4Znm4+nuR+e9EnqO0X xmYDQ795tQfj6XNVusBhxaqMMi+Wl7b/tAaS299Mf3NWoIonzg3FYrqscs6VJ5xq48CXrOuKMp9FQYc72i KTIh27WqM5c7dFniqfhsaddqksnMQJ2biAO7Ize9nhRfPwBoJQ bwDbVRTOKS1GaMj9FSIOZwkAiQHUqHgauH1MCaBr8NEP/Vn2tJ6v9CurojLuJuJjiLSQcZ9qeiTDjRZXAzTibfqQ0P0ZlFA 6D7jfK4zzwPmEYkiGoEe7bj05VAPU6b9zc32/Qufm5QxRUJyz6x3XxA9ro6e7OKFQAthrXkQKVaJgFmlSPGLLZ9 Q+Jp76zHVMlqRBJVOB+ixXhrqVUpfBKHyZMQpJ6qafcOGpQass 4wlI/URk1vgOj2f5lV6g6ZnGXeHqfeP0x6fMf6CoHngKFPSZwqC7gwT lJd/LE5w826oSorAdjanDiTqwx+Qc81QD86FolbS0yljZMCrt0n0Au I9ZsrASXlY+UOsKC5HZ+Aq9R+nH16g8o0qKq0gdj48lJz+xAXO yEFkXVulHnrJJBuzlanpwhMVfnvEFEDTWtjI+0v5YqP9nP53GJ yRDkb7RW1aI6za7Ff1cKgAybQz+fRA+JJSln5pymsoRaDJYENW XrfMR/jEwlz+Osl3M/TOK1lPT0Bok0UQJ5E++fUuSA+GWscvvY+dUIL6ZTCVlv9Lalx4 m4HfC9oibmZyMibGvzC1p0aarr1HjO/XZXpPW93zRPFvq89koHWGhZ9YGrYNaZqGvaLRkhg6ufEimWlv4 RnijugDA1DtXbPQtiW1Ep/0miGyWlsJvWGCKHNE0N2W8Kd3tTuTiOXKHVZk5H9puqYO08SPQ XJEpuCKYrpFdJVk/m18jHMryh9PBL7HT31k723tUpre/Tm0ql5gnobwLeS7zjv6JY8+2GnSioeTaEi82v6QU8HZJ8feIDh x9KFS1my48B95ydTaPn4pJEVdlLQoR3vZAfyd/LKO6l5BT2pU8AI14pxzGfxDOeIkwd560rrg7GsMStNR42thRMQ gotrkxPxH+ioQrJBTXEP7hr1iMSlUkQJdF/+313dQtrph0GVfH9ijfEnMEGwKzXTSHF7WZ4k6tqlIxAMgyZ+6 rfck6/fDiMFZ9Gq5gjT+3EkVEd9w8MLmULP1tuqM6q8NhcyxXtGca/5Kz6gSqwAHvjJcnro7AnspF5Yvm4KkgZCOSnntEj5JBz2uaDj2 ev1ywMonG6SCfy7brqYmTUKJ1JvcXVZfJy1rRwXg4P3rR7eu0J 
h01/6cGMKyVyHPNiMHb9qgefAxSXZb5gUzhFgJKXKen2GaQjBc2CZT bjqizNALSzMyH3jds7XrAdnVz7DG0B3pGk50CcXQCgF4aiatQ7 agPEHKBI2zXIVpN60Ker2mzT509FiXn0lM94ejv2YjDgm0MlPW Trfp5UIbFyTLoOS46NZBYvqA83fpHA0rMJs2MV6FSSlLeHkVUF hXBZ/GyI0wOh3je9QUs3Sa4BZH7Rozo/939a+O5jSuDN37rM0PjTjGBSeBciWfwSpcxtHm+iFLxi3rKE43 fmpNBPAfMdpJwW+X4Php06nYRZH2XEZpooowMC1FN6X8vKDjw1 DnIlKHv91x1Zi2OTTFEpGoBs2OqZcmgqzsGMR4OZYZvvl5VMdM qFbH04NeQim5nUhPdnLhbjiulaSBvTCBuqADAgEXooGyBIGvAz rOYhg4IEseNL0vgdLRo/41z2HnPgKH90esMiAlypSFaqtirN2Un1WlXdFXMWU71fC/MAo0kM1DoSJXxHqE1RQ4OKVhoQoUwa4CybHq9ZqdtU3FPZzEPY Gm9KF5VtXLlQBzWnQn6ShUCqCnRqs9hJ1zA0n+NrpIlWTCacYx KnetrEHqxK5qV8sLftEs9Esc1Dr9lZ+J0IgvKVidoorr90suoN VzFdMxnkdydm8Nhw==
                  org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
                  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
                  at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
                  at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
                  at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
                  ...
                  Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.Subject.doAs(Subject.java:396)
                  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
                  ... 30 more
                  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
                  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                  at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
                  at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
                  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
                  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
                  at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
                  ... 33 more
                  Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
                  at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
                  at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
                  at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
                  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
                  ... 41 more
                  Last edited by vantager; Jun 16th, 2011, 07:18 AM.



                  • #10
                    Other info:
                    java -version = 1.6.0_18 (as I read, RC4 support came back with Java 6)
                    krb5.ini file changed to:
                    Code:
                    default_tkt_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
                    default_tgs_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1
                    permitted_enctypes = aes128-cts des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1



                    • #11
                      Can you show how you generate the keytab file?
                      You can also use ktutil to list the entry. Check if the algorithm is matched, and it is better to use zero (0) as the value for KVNO. It seems like the Sun JDK has some problem with KVNO.



                      • #12
                        How the keytab file is generated

                        Originally posted by lipman:
                        Can you show how you generate the keytab file?
                        You can also use ktutil to list the entry. Check if the algorithm is matched, and it is better to use zero (0) as the value for KVNO. It seems like the Sun JDK has some problem with KVNO.
                        Spoke with our admin guys and they said exactly as per http://blog.springsource.com/2009/09...rity-kerberos/, so that should be (on Microsoft):

                        Code:
                        ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/web.springsou[email protected] /pass *

                        EXCEPT the user was HTTP-IFDS11812.

                        PART 2 (about the keytab file)
                        Code:
                        Usage: klist [[-c] [-f] [-e]] [-k [-t] [-K]] [name]
                        name name of credentials cache or keytab with the prefix. File-based cache or ke
                        -c specifes that credential cache is to be listed
                        -k specifies that key tab is to be listed
                        options for credentials caches:
                        -f shows credentials flags
                        -e shows the encryption type
                        options for keytabs:
                        -t shows keytab entry timestamps
                        -K shows keytab entry key value
                        -e shows keytab entry key type

                        Usage: java sun.security.krb5.tools.Klist -help for help.

                        C:\WINDOWS>klist -e -t -k http-IFDS11812.keytab

                        Key tab: http-IFDS11812.keytab, 1 entry found.

                        [1] Service principal: HTTP/[email protected]
                        KVNO: 3
                        Key type: 3
                        Time stamp: Jan 01, 1970 01:00

                        C:\WINDOWS>

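#11 asks to list the keytab and check that the algorithm matches, and #12 answers with `klist -e` showing `Key type: 3`, while the exception in #9 says the AP-REQ was protected with "RC4 with HMAC". Key type numbers are the Kerberos enctype numbers: 3 is des-cbc-md5 and 23 is rc4-hmac (RFC 3961 and RFC 4757), and the acceptor needs a key with exactly the enctype the client used, under exactly the principal name in the ticket. The script below is an added example for this thread, not code from Spring Security Kerberos or from any poster: it parses the version 0x0502 keytab format that ktutil and `klist -k` read, names each entry's enctype, and performs the same lookup the JGSS acceptor does (case-sensitive principal plus enctype). The keytab bytes are constructed in the code with a small encoder; the SPN `HTTP/web.example.com@EXAMPLE.COM` and the key bytes are placeholders, and the timestamp 0 mirrors the `Jan 01, 1970` that ktpass-generated keytabs show.

```python
import struct
from typing import List, NamedTuple, Optional

# Encryption type numbers from RFC 3961 (DES/3DES), RFC 3962 (AES) and RFC 4757 (RC4).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int
    key: bytes
    timestamp: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "enctype-%d" % self.enctype)


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Encode (principal, kvno, enctype, key) tuples as a version-0x0502 keytab.
    Only used to construct sample input here; ktpass/ktutil write the real ones."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode("utf-8"))
        for c in comps:
            body += _counted(c.encode("utf-8"))
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type NT-PRINCIPAL, timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit vno that modern tools append
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode a version-0x0502 keytab into the entries 'klist -k -e' or 'ktutil l' would list."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                        # negative size marks a deleted slot; skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):           # realm first, then each component of the name
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode("utf-8"))
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                   # 32-bit vno present: a non-zero value overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp))
    return entries


def find_key(entries: List[KeytabEntry], principal: str, enctype: int) -> Optional[KeytabEntry]:
    """The acceptor's lookup: exact (case-sensitive) principal AND the enctype the AP-REQ was sealed with."""
    for e in entries:
        if e.principal == principal and e.enctype == enctype:
            return e
    return None


def describe(data: bytes) -> List[str]:
    return ["%s KVNO=%d enctype=%s" % (e.principal, e.kvno, e.enctype_name) for e in parse_keytab(data)]


# Constructed sample keytabs (placeholder SPN; key bytes are dummies, not real credentials).
SPN = "HTTP/web.example.com@EXAMPLE.COM"
DES_ONLY_KEYTAB = build_keytab([(SPN, 3, 3, bytes.fromhex("0123456789abcdef"))])      # what 'Key type: 3' means
DES_AND_RC4_KEYTAB = build_keytab([
    (SPN, 3, 3, bytes.fromhex("0123456789abcdef")),
    (SPN, 3, 23, bytes.fromhex("00112233445566778899aabbccddeeff")),                   # rc4-hmac, 16-byte key
])

if __name__ == "__main__":
    for line in describe(DES_ONLY_KEYTAB):
        print(line)
    print("rc4 key in DES-only keytab:", find_key(parse_keytab(DES_ONLY_KEYTAB), SPN, 23))
    print("rc4 key in DES+RC4 keytab:", find_key(parse_keytab(DES_AND_RC4_KEYTAB), SPN, 23) is not None)
```

Point `parse_keytab` at the real file (`parse_keytab(open(path, "rb").read())`) to see the same entries as `klist -e -t -k`, then call `find_key` with the enctype named in the "Cannot find key of appropriate type" message (23 for RC4 with HMAC) and the SPN exactly as the log's "Found key for ..." line spells it; a `None` there means the keytab was exported with a different enctype or a differently-cased name than the ticket carries, and the fix is on the ktpass side, not in spnego.xml.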
