So, I got it past this stage. I can only guess that the DES support in active directory for Windows Server 2012 is broken, as I ended up tweaking my krb5.conf file and setting the two default ticket types and permitted types to just aes256-cts-hmac-sha1-96 and it worked for the one user. After enabling aes256 for other users in AD, it continued to work.
Java Authentication against Active Directory, authentication mismatch?
-
02-12-2021 - |
Question
So I have some code which I'm testing to make sure it works nicely for authentication. It works fine against straight kerberos, so I figured there should only be some minor hiccups with AD. Unfortunately, I cannot get around a KrbException: KDC has no support for encryption type (14).
I know the error is an encryption type mismatch. But I can kinit just fine, it's only in the code that I hit an issue. I'm not setting anything, so I think it should be inheriting the same defaults as kinit, but that obviously isn't the case.
The code-
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.krb5.realm", "TEST.SQRRL.COM");
System.setProperty("java.security.krb5.kdc", "172.16.101.128");
System.setProperty("java.security.auth.login.config", "./conf/jaas.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
// "Client" references the JAAS configuration in the jaas.conf file.
LoginContext loginCtx = null;
loginCtx = new LoginContext("Server", new LoginCallbackHandler("test".toCharArray()));
loginCtx.login();
subject = loginCtx.getSubject();
and the jaas.conf
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=false
storeKey=true
useTicketCache=true
principal="accumulo@test.SQRRL.COM";
};
And, the stack trace-
>>>KRBError:
sTime is Tue Nov 27 18:16:36 EST 2012 1354058196000
suSec is 257213
error code is 14
error Message is KDC has no support for encryption type
realm is test.SQRRL.COM
sname is krbtgt/test.SQRRL.COM
msgType is 30
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
at main.ServerImpl.<init>(ServerImpl.java:91)
at main.PlugServer.run(PlugServer.java:22)
at main.PlugServer.main(PlugServer.java:42)
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 19 more
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at main.PlugServer.run(PlugServer.java:36)
at main.PlugServer.main(PlugServer.java:42)
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
at main.ServerImpl.<init>(ServerImpl.java:91)
at main.PlugServer.run(PlugServer.java:22)
... 1 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 19 more
Solution
OTHER TIPS
You need to access the user's account and check the 'use kerberos DES encryption types' checkbox.
You'll need to login to your DS as an admin to do this of course.
Looking at init()
in KDCRep.java, the only part that looks it could be throwing your error is:
150 if ((subDer.getTag() & 0x1F) == 0x00) { 151 pvno = subDer.getData().getBigInteger().intValue(); 152 if (pvno != Krb5.PVNO) { 153 throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION); 154 } 155 } else { 156 throw new Asn1Exception(Krb5.ASN1_BAD_ID); 157 }
It does seem a bit odd that the error's being printed as a KrbException
, but it could work since KrbApErrException
is a subclass of KrbException
. init()
can't throw any other subclasses of KrbException
, though.
Scratch that. A better possibility is that it's one of the Asn1Exception
s in there, since the constructor in KrbAsRep.java catches and rethrows those errors as KrbException
s (with an appropriate initCause
that would match up pretty well with the stack trace).
"Identifier doesn't match expected value (906)"
leads me to believe it's throwing a Asn1Exception(Krb5.ASN1_BAD_ID)
, since Krb5.ASN1_BAD_ID
has value 906. That's not overly helpful, since that seems to be the default error in init()
.
See if you can generate the DerValue
corresponding to your configuration and inspect it manually, seeing where init()
would reject it, then step backward from there, looking at what part of your configuration created the erroneous bits.
Upon further inspection, the message "KDC has no support for encryption type"
leads me to believe Krb5.KDC_ERR_ETYPE_NOSUPP
must have been used. But, as that's only used for the default instance of Etype
, that might not mean much.