michael

Reputation: 53

GSSException when running SPNEGO Kerberos with Integrated Windows Authentication

I am trying to set up Kerberos Integrated Windows Authentication using spnego and Tomcat.

This is the first time I am doing this and I have not seen a real environment, so I am relying on online documentation, mostly the spnego site. I am getting the error below:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid Argument (400) Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

Catalina log shows:
Jan 30, 2017 10:12:37 AM net.sourceforge.spnego.SpnegoHttpFilter doFilter
SEVERE: HTTP Authorization Header=Negotiate <edited - actual had a big key>
Jan 30, 2017 10:41:24 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 30, 2017 10:41:24 AM org.apache.coyote.AbstractProtocol pause

Attaching my krb5 and login.conf.


KLIST command gives 2 keys:
CLIENT: B1GYZDM @ test.win.org
Server: krbtgt/test.win.org @ test.win.org
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) 

CLIENT: B1GYZDM @ test.win.org
Server: krbtgt/test.win.org @ test.win.org
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

Tomcat is running as a local service, and the keytab supports 128 & 256 encryption.

Can you please help me resolve the issue?

KRB5.conf:
[libdefaults]
default_tkt_enctypes = aes128-cts aes256-cts
default_tgs_enctypes = aes128-cts aes256-cts
permitted_enctypes   = aes128-cts aes256-cts

[realms]
test.win.org  = {
    kdc = test.win.org 
    default_domain = test.win.org 
}

[domain_realm]
test.win.org = test.win.org


login.conf:
spnego-client {
com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="file:///E:/Apps/apache-tomcat-7.0.40/bin/test.keytab"
isInitiator=false;
};

custom-client {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="file:///E:/Apps/apache-tomcat-7.0.40/bin/test.keytab"
principal=B1ADPST000;
};

Upvotes: 1

Views: 1325

Answers (1)

Bernhard Thalmayr

Reputation: 2744

I guess you get the error when you access the webapp.

Most likely the keytab file does not have a matching key entry.

You should use '/crypto all' when creating the keytab file.

You may run 'klist' on the client side, not the server side, and check the service ticket the client obtained from the KDC for the service (the host where the WebApp is deployed), not the 'ticket granting ticket (TGT)'.

Upvotes: 0
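To check the answer's point that the keytab may lack a key of the enctype the client's ticket uses, here is an added Python example (not from the question or the spnego project) that parses a keytab in the MIT 0x0502 format and reports which enctypes are absent for a service principal. The keytab bytes, the principal HTTP/app.test.win.org@TEST.WIN.ORG and the dummy key material are constructed for the example and are not from the page.

```python
import struct

# Kerberos enctype numbers from RFC 3962 (AES) and RFC 4757 (RC4-HMAC)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal@REALM, enctype, kvno)] from a 0x0502 (big-endian) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    def cstr():                       # counted octet string: uint16 length + bytes
        nonlocal pos
        n, = struct.unpack_from(">H", data, pos); pos += 2
        s = data[pos:pos + n].decode("utf-8"); pos += n
        return s
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        _ntype, _ts, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno, = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, enctype, kvno))
    return entries

def missing_enctypes(entries, principal, wanted):
    """Enctypes in `wanted` for which `principal` has no key in the keytab."""
    have = {e for p, e, _ in entries if p == principal}
    return sorted(wanted - have)

def build_entry(principal, realm, enctype, key, kvno=2):
    """Constructed test data: encode one 0x0502 keytab entry (dummy key bytes)."""
    comps = principal.split("/")
    cstr = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(map(cstr, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab holding only AES keys for the service, like the question's setup
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/app.test.win.org", "TEST.WIN.ORG", 17, b"\x11" * 16)
                 + build_entry("HTTP/app.test.win.org", "TEST.WIN.ORG", 18, b"\x22" * 32))
```

Run `parse_keytab(open(path, "rb").read())` on a real keytab; if `missing_enctypes` reports the client's ticket enctype (RC4-HMAC, enctype 23, in the question's error) as absent, the keytab needs to be regenerated with the required enctypes as the answer suggests.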
