
I get the following error after configuring spring-kerberos:

    Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:421)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
            ... 38 more
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:905)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
            at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
            ... 41 more
    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)

I verified the generated keytab with kinit:

kinit HTTP/httpweb.metsys.loc@METSYS.LOC@METSYS.LOC -k -t http-web.keytab

My principal and keytab are:

app.service-principal=HTTP/httpweb.metsys.loc@METSYS.LOC
app.keytab-location=/http-web.keytab

I added this to krb5.conf:

[libdefaults]
        default_realm = METSYS.LOC
        default_tgs_enctypes = rc4-hmac
        default_tkt_enctypes = rc4-hmac

I created the

setspn -A HTTP/httpweb@METSYS.loc http-web
ktpass /out http-web.keytab /mapuser http-web@METSYS.LOC /princ HTTP/httpweb.metsys.loc@METSYS.LOC  /pass Password_1 /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /kvno 0

I followed many posts, but none of them resolved the problem.

Thanks for the help.

ledniov
Luca Chiesa
    I resolved it. The problem is the keytab file specified. If I use a path relative to the webapp or classpath:/path, it doesn't work. But with an absolute path, file:/etc/http-web.keytab, it works!! – Luca Chiesa Jul 01 '17 at 10:20
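
A diagnostic for this error, added here as an example and not code from the original post: the message means the acceptor found no RC4-HMAC key, which happens both when the keytab path does not resolve and when the file lacks an entry of that type. This Python sketch opens the keytab by path and lists each entry's principal, kvno and enctype from the MIT keytab file format (0x0502); the function names are hypothetical and the sample keytab is constructed with an all-zero dummy key.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                       # negative size marks a deleted entry: skip it
            pos -= size
            continue
        end, p = pos + size, pos

        def counted():                     # 16-bit length followed by that many bytes
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            p += 2 + n
            return data[p - n:p].decode()

        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted()
        name = "/".join([counted() for _ in range(ncomp)])
        p += 8                             # name type (4 bytes) + timestamp (4 bytes)
        kvno = data[p]
        etype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen
        if end - p >= 4:                   # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, ENCTYPES.get(etype, str(etype))))
        pos = end
    return entries

def check_keytab(path, principal, enctype="rc4-hmac"):
    """True if the file at path holds a key of this enctype for the principal."""
    with open(path, "rb") as f:            # raises if the path does not resolve
        return any(e[0] == principal and e[2] == enctype for e in parse_keytab(f.read()))

def sample_keytab():
    """Constructed keytab bytes: one RC4-HMAC entry, kvno 0, all-zero dummy key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = (struct.pack(">H", 2) + cs("METSYS.LOC") + cs("HTTP") + cs("httpweb.metsys.loc")
            + struct.pack(">II", 1, 0) + bytes([0])
            + struct.pack(">HH", 23, 16) + bytes(16) + struct.pack(">I", 0))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Run `check_keytab` as the same OS user and with the same absolute path the application server uses, so that a path or permission problem surfaces as an exception rather than as a GSS-API failure at login time.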

0 Answers