
I am getting the following exception when trying to do SSO with Kerberos:

GSSException: Failure unspecified at GSS-API level (Mechanism level:
Invalid argument (400) - Cannot find key of appropriate type to
decrypt AP REP - RC4 with HMAC)

I am using Ktpass to generate a key. When I use the default crypto option it works. But when I add '-crypto AES256-SHA1' to the Ktpass command, the following exception is thrown when calling the function org.ietf.jgss.GSSContext.acceptSecContext.

I am developing on apache-tomcat with Java 8.

My krb5.conf is:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
Gilo

1 Answer


You should have the default tkt and tgs enctypes somewhere in your krb5.conf.

Since your configuration seems to work but not with the crypto option = AES256-SHA1, add the following values to your krb5.conf (under [libdefaults]):

default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
Fab
  • You don't need to add encryption options to krb5.conf - the OS on each will mutually agree on the strongest possible encryption algorithm between them and negotiate accordingly. – T-Heron Nov 20 '17 at 01:21
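
A diagnostic for the exception in the question, added here as an example and not code from any of the posts: it lists which encryption types a keytab actually holds keys for, so a keytab generated with '-crypto AES256-SHA1' can be checked against the RC4 type named in the error. It assumes the keytab uses the MIT file format version 0x0502; the function names, the sample principal and the zero-filled key are constructed for illustration.

```python
import struct

# Kerberos enctype numbers for the three types named in the answer's krb5.conf lines.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, pos):  # uint16 length-prefixed string -> (text, new_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_entries(data):
    """Parse keytab bytes (file format 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative length marks a deleted entry (hole)
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        parts = []
        for _ in range(ncomp):
            text, p = _counted(data, p)
            parts.append(text)
        p += 8                            # skip name type (4 bytes) and timestamp (4 bytes)
        kvno, etype, keylen = struct.unpack_from(">BHH", data, p)
        p += 5 + keylen                   # the key bytes themselves are never returned
        if end - p >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        out.append(("/".join(parts) + "@" + realm, kvno, etype))
        pos = end
    return out

def missing_enctypes(data, wanted):
    """Names of the enctypes in `wanted` for which the keytab holds no key."""
    have = {etype for _, _, etype in keytab_entries(data)}
    return [ENCTYPES.get(e, str(e)) for e in wanted if e not in have]

def sample_entry(realm, comps, kvno, etype, key):
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding only an AES256 key (placeholder name, zero key).
SAMPLE = b"\x05\x02" + sample_entry("EXAMPLE.COM", ["HTTP", "app.example.com"], 3, 18, bytes(32))
```

Calling `missing_enctypes(open(path, "rb").read(), [23, 18])` on a real keytab reports whether a key of the type named in the exception (23, RC4 with HMAC) is absent.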