showgazer

Reputation: 111

Confusion about Java App auth in AD based on Kerberos MSLSA ticket cache

The task is to get myapp to authenticate in AD using the Kerberos ticket cache from MSLSA, with no password prompting and without a keytab. Right now I'm able to get the TGT from the cache — which is FORWARDABLE and PROXIABLE — but I'm getting this exception in the LoginContext.login method.

Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\Users\myapp\IdeaProjects\activedirectory\data\temp\krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\myapp\krb5cc_myapp
>> Acquire default native Credentials
default etypes for default_tkt_enctypes: 18 18 17 17 23 16 23 23.
>>> Obtained TGT from LSA: Credentials:
      client=HTTP/[email protected]
      server=krbtgt/[email protected]
    authTime=20210519095508Z
   startTime=20210519095508Z
     endTime=20210519195508Z
   renewTill=20210526065508Z
       flags=FORWARDABLE;PROXIABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (skey)=18
   (tkt key)=18
14:07:11.119 [00000005] INFO  c.i.s.f.s.s.SessionTimeoutNotificator:176 - ID = EmployeeAuth, timesQueue size = 0, rejectedCount = 0
Principal is HTTP/[email protected]
14:07:11.596 [00000004] ERROR c.i.s.a.a.c.h.k.KerberosAuthenticator:71 - Some error on ticket granting
javax.security.auth.login.LoginException: No key to store
    at com.sun.security.auth.module.Krb5LoginModule.commit(Krb5LoginModule.java:1119)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:588)
    at com.mydomain.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticator.checkSecurityToken(KerberosAuthenticator.java:42)
    at com.mydomain.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticationHandler.handleRequestToken(KerberosAuthenticationHandler.java:57)
    at com.mydomain.subsystem.activedirectory.auth.controller.ADAuthController.exec(ADAuthController.java:44)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at com.mydomain.subsystem.frontend.service.spring.filter.DisallowedMethodFilter.doFilter(DisallowedMethodFilter.java:18)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.lang.Thread.run(Thread.java:748)

The first line shows the Krb5LoginModule parameters. I'm able to pass through the login method if storeKey is false. After that I'm trying to get the outToken like this:

    Subject subject = lc.getSubject();
    Principal clientPrincipal = subject.getPrincipals().iterator().next();
    final GSSManager manager = GSSManager.getInstance();
    // Acceptor credential for the principal that Krb5LoginModule has just logged in
    final PrivilegedExceptionAction<GSSCredential> action = () -> manager.createCredential(
            manager.createName(clientPrincipal.getName(), GSSName.NT_USER_NAME),
            GSSCredential.DEFAULT_LIFETIME,
            SUPPORTED_OIDS,
            GSSCredential.ACCEPT_ONLY);
    try {
        byte[] ticket = Base64.getDecoder().decode(token);   // SPNEGO token taken from the client's Authorization header
        final GSSContext gssContext = manager.createContext(Subject.doAs(subject, action));
        byte[] outToken = gssContext.acceptSecContext(ticket, 0, ticket.length);
    } catch (GSSException | PrivilegedActionException e) {
        throw new IllegalStateException("Some error on ticket granting", e);
    }

But I'm getting an exception upon gssContext.acceptSecContext.

Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Java config name: C:\Users\myapp\IdeaProjects\activedirectory\data\temp\krb5.conf
Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\myapp\krb5cc_myapp
>> Acquire default native Credentials
default etypes for default_tkt_enctypes: 18 18 17 17 23 16 23 23.
>>> Obtained TGT from LSA: Credentials:
      client=HTTP/[email protected]
      server=krbtgt/[email protected]
    authTime=20210519111914Z
   startTime=20210519111914Z
     endTime=20210519211914Z
   renewTill=20210520111910Z
       flags=RENEWABLE;INITIAL;PRE-AUTHENT
EType (skey)=18
   (tkt key)=18
Principal is HTTP/[email protected]
Commit Succeeded 

Search Subject for SPNEGO ACCEPT cred (HTTP/[email protected], sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (HTTP/[email protected], sun.security.jgss.krb5.Krb5AcceptCredential)
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Thu May 20 00:19:14 MSK 2021
Search Subject for Kerberos V5 ACCEPT cred (HTTP/[email protected], sun.security.jgss.krb5.Krb5AcceptCredential)
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Thu May 20 00:19:14 MSK 2021
Entered Krb5Context.acceptSecContext with state=STATE_NEW
14:19:36.400 [00000004] ERROR c.i.s.a.a.c.h.k.KerberosAuthenticator:71 - Some error on ticket granting
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.infomaximum.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticator.checkSecurityToken(KerberosAuthenticator.java:54)
    at com.infomaximum.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticationHandler.handleRequestToken(KerberosAuthenticationHandler.java:57)
    at com.infomaximum.subsystem.activedirectory.auth.controller.ADAuthController.exec(ADAuthController.java:44)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at com.infomaximum.subsystem.frontend.service.spring.filter.DisallowedMethodFilter.doFilter(DisallowedMethodFilter.java:18)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:135)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.krb5.KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 56 common frames omitted

Here is kerberos conf:

[libdefaults]
        default_realm = TEST.MYDOMAIN.RU
        default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
        default_tgt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
        permitted_enctypes   = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
        forwardable=true
[realms]
        TEST.MYDOMAIN.RU  = {
                kdc = TEST.MYDOMAIN.RU
                default_domain = TEST.MYDOMAIN.RU
        }
[domain_realm]
        test.mydomain.ru = TEST.MYDOMAIN.RU
        .test.mydomain.ru = TEST.MYDOMAIN.RU

As far as I can understand, this key is being populated from the Subject either way. Shouldn't this be the session key from the TGT cache? If so, why isn't it being populated? Or maybe I'm missing some fundamentals? If a keytab is used, everything works.

AllowTGTSessionKey is 1 obviously.

Thanks in advance, I'm new to this.

EDIT: I've tried using the Java kinit cache; here is the exception. Looks like LSA again for whatever reason.

Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\myapp\krb5cc_myapp
>>>DEBUG <CCacheInputStream>  client principal is HTTP/[email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Fri May 21 15:45:35 MSK 2021
>>>DEBUG <CCacheInputStream> start time: Fri May 21 15:45:35 MSK 2021
>>>DEBUG <CCacheInputStream> end time: Sat May 22 01:45:35 MSK 2021
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()  FORWARDABLE; PROXIABLE; INITIAL; PRE_AUTH;
Host address is /here_is_IP
Host address is /here_is_MAC
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> Obtained TGT from LSA: Credentials:
      client=HTTP/[email protected]
      server=krbtgt/[email protected]
    authTime=20210521124535Z
   startTime=20210521124535Z
     endTime=20210521224535Z
   renewTill=null
       flags=FORWARDABLE;PROXIABLE;INITIAL;PRE-AUTHENT
EType (skey)=18
   (tkt key)=18
Principal is HTTP/[email protected]
Commit Succeeded 

Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Sat May 22 01:45:35 MSK 2021
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found ticket for HTTP/[email protected] to go to krbtgt/[email protected] expiring on Sat May 22 01:45:35 MSK 2021
Entered Krb5Context.acceptSecContext with state=STATE_NEW
16:34:02.022 [00000004] ERROR c.i.s.a.a.c.h.k.KerberosAuthenticator:65 - Some error on ticket granting
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at com.mydomain.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticator.checkSecurityToken(KerberosAuthenticator.java:48)
    at com.mydomain.subsystem.activedirectory.auth.controller.handler.kerberos.KerberosAuthenticationHandler.handleRequestToken(KerberosAuthenticationHandler.java:57)
    at com.mydomain.subsystem.activedirectory.auth.controller.ADAuthController.exec(ADAuthController.java:44)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:190)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:105)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:878)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:792)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:645)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:791)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1626)
    at com.mydomain.subsystem.frontend.service.spring.filter.DisallowedMethodFilter.doFilter(DisallowedMethodFilter.java:18)
    at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
    at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:516)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.krb5.KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 52 common frames omitted

EDIT: I've specified the ticketCache property to use the Java kinit cache path; now LSA is ignored. But the exception is still the same: sun.security.krb5.KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96.

In case of any questions, what I am trying to do is to validate a token from some AD user on behalf of the service account in the same AD. I'm not 100% sure that this is how it works, but with a keytab everything is fine.

Upvotes: 1

Views: 1010

Answers (3)

Bhushan Karmarkar

Reputation: 677

"Cannot find key of appropriate type to decrypt AP REP.."

The error usually occurs when your server is not able to decrypt the ticket. But you have already mentioned that unlimited crypto strength is present. If possible, please post your krb5.conf file which mentions the encryption algorithms.

I believe your last line is crucial -

In case of any questions, what I am trying to do is to validate a token from some AD user on behalf of the service account in the same AD. I'm not 100% sure that this is how it works, but with a keytab everything is fine. It means the keytab has the keys with which the token can be successfully decrypted.

It will be worth examining the following:

  1. Is the keytab user the same as the service user?
  2. If they are different, did you attach the 'service' to the service account you are using? (setspn -s <service> <serviceUser>)
  3. Please verify the following setting in Windows: "Network security: Configure encryption types allowed for Kerberos"

Upvotes: 0

bedrin

Reputation: 4584

Java 13 introduced built-in support in the JDK for Windows' own GSS API (SSPI).

It was backported to Java 11.0.10 - I suggest updating your JDK.

Upvotes: 1

Michael-O

Reputation: 18415

Forget it, you almost never have access to the session key via Windows API these days. JGSS is unusable. You have basically two options:

  • Perform a kinit from Java and use that TGT
  • Use SSPI through C or JNA

Upvotes: 1
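A worked example added by the editor, not code from the question or from either answer, covering both the question's acceptor code and Michael-O's first option. In Kerberos the acceptor has to decrypt the service ticket inside the client's AP-REQ, and that ticket is encrypted under the service principal's long-term key. A credential cache (the JDK's own kinit file or MSLSA, even with AllowTgtSessionKey set) holds tickets and their session keys but never that long-term key, which is what Krb5LoginModule reports as "No key to store" when storeKey is true and acceptSecContext reports as "Cannot find key of appropriate type" when it is false. The cache is usable on the initiator side only, which is the path a Java kinit gives you. The SPN, keytab path, cache path and krb5.conf path below are assumed placeholders, and both sides run in one JVM purely for illustration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Editor's example: initiator from a kinit-written ccache, acceptor from a keytab. */
public final class SpnegoExchange {

    private static final String KRB5_LOGIN = "com.sun.security.auth.module.Krb5LoginModule";
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");
    private static final Oid KRB5 = oid("1.2.840.113554.1.2.2");

    // Assumed placeholders, not values from the question.
    private static final String SERVICE_SPN = "HTTP/myapp.test.mydomain.ru@TEST.MYDOMAIN.RU";
    private static final String SERVICE_KEYTAB = "C:/Users/myapp/myapp.keytab";
    private static final String CLIENT_CACHE = "C:/Users/alice/krb5cc_alice"; // written by the JDK's bin\kinit

    private static Oid oid(String dotted) {
        try { return new Oid(dotted); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** One Krb5LoginModule entry built in code, so no external JAAS file is needed. */
    private static Subject login(Map<String, String> options) throws LoginException {
        AppConfigurationEntry entry = new AppConfigurationEntry(KRB5_LOGIN, LoginModuleControlFlag.REQUIRED, options);
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
        LoginContext lc = new LoginContext("krb5", null, null, cfg);
        lc.login();
        return lc.getSubject();
    }

    /** Initiator: TGT and session key come from the ccache; no password and no keytab needed. */
    static Subject loginClientFromCache() throws LoginException {
        Map<String, String> o = new HashMap<>();
        o.put("useTicketCache", "true");
        o.put("ticketCache", CLIENT_CACHE); // explicit path, so LSA is not consulted
        o.put("doNotPrompt", "true");
        o.put("isInitiator", "true");
        return login(o);
    }

    /** Acceptor: the service's long-term key must come from a keytab; a ccache never contains it. */
    static Subject loginServiceFromKeytab() throws LoginException {
        Map<String, String> o = new HashMap<>();
        o.put("useKeyTab", "true");
        o.put("keyTab", SERVICE_KEYTAB);
        o.put("principal", SERVICE_SPN);
        o.put("storeKey", "true");     // keep the key in the Subject so acceptSecContext can decrypt the ticket
        o.put("isInitiator", "false"); // no TGT is requested for the service account
        o.put("doNotPrompt", "true");
        return login(o);
    }

    /** Client side: the token that goes into "Authorization: Negotiate <base64>". */
    static String initiate(Subject client) throws PrivilegedActionException {
        return Subject.doAs(client, (PrivilegedExceptionAction<String>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSName target = m.createName(SERVICE_SPN, GSSName.NT_USER_NAME);
            GSSCredential cred = m.createCredential(null, GSSCredential.DEFAULT_LIFETIME, SPNEGO, GSSCredential.INITIATE_ONLY);
            GSSContext ctx = m.createContext(target, SPNEGO, cred, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            try {
                return Base64.getEncoder().encodeToString(ctx.initSecContext(new byte[0], 0, 0));
            } finally {
                ctx.dispose();
            }
        });
    }

    /** Server side: validate the token and return the authenticated client principal. */
    static String accept(Subject service, String base64Token) throws PrivilegedActionException {
        byte[] in = Base64.getDecoder().decode(base64Token);
        return Subject.doAs(service, (PrivilegedExceptionAction<String>) () -> {
            GSSManager m = GSSManager.getInstance();
            GSSCredential cred = m.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid[] { SPNEGO, KRB5 }, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = m.createContext(cred);
            try {
                byte[] out = ctx.acceptSecContext(in, 0, in.length); // AP-REP to return to the client (mutual auth)
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN); // a single Kerberos leg is expected here
                }
                return ctx.getSrcName().toString();
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "C:/Users/myapp/krb5.conf"); // assumed path
        String token = initiate(loginClientFromCache());
        System.out.println("authenticated client: " + accept(loginServiceFromKeytab(), token));
    }
}
```

Run it with a client cache produced by the JDK kinit tool and a keytab for the SPN; remove the keytab options from loginServiceFromKeytab and the acceptor fails in the same way the question's trace shows, regardless of whether the cache comes from a file or from LSA.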
