
Kerberos error

The attached error is appearing in the JBoss logs for Kerberos.

Any idea why this is occurring?

Thanks.

Here are the JAAS options given to JBoss:

     <application-policy name="spnego-server">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule"
          flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="debug">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="keyTab">file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab</module-option>
          <module-option name="principal">HTTP/dev-abcd-1.etc.xyz...</module-option>
        </login-module>
      </authentication>
    </application-policy>


2011-04-29 09:31:32,090 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (ResourceContainer.invoker.nonDaemon-1) deploy, ctxPath=/TestAuthWeb
2011-04-29 09:31:32,192 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab refreshKrb5Config is false principal is HTTP/dev-abcd-1.etc...xyz tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): ETC.XYZ...
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): HTTP
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): dev-abcd-1.etc.xyz...
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTab: load() entry length: 94; type: 18
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Added key: 18version: 3
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Ordering keys wrt default_tkt_enctypes list
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0000: 26 EF 20 40 EF 5F C6 67   D6 3D AA 2E DB CF E8 CA  &. @._.g.=......
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0010: 61 1F 7A 0F 1A 25 4F CB   4D AC D7 3F F4 1D A4 02  a.z..%O.M..?....
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) principal's key obtained from the keytab
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Acquire TGT using AS Exchange
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,354 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,357 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=163
2011-04-29 09:31:32,359 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=163
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,366 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 554495
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 25
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is Additional pre-authentication required
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   eData provided.
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 19
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ETYPE-INFO2 etype = 18
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 2
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ENC-TIMESTAMP
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 16
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 15
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Updated salt from pre-auth = ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KrbAsReq salt is ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Pre-Authenticaton: find key for etype = 18
2011-04-29 09:31:32,372 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AS-REQ: Add PA_ENC_TIMESTAMP now
2011-04-29 09:31:32,373 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2011-04-29 09:31:32,752 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,753 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=250
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=250
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 944507
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 14
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is KDC has no support for encryption type
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)          [Krb5LoginModule] authentication failed
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) KDC has no support for encryption type (14)
2011-04-29 09:31:32,792 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/TestAuthWeb]] (ResourceContainer.invoker.nonDaemon-1) Exception starting filter SpnegoHttpFilter: javax.servlet.ServletException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198) [:]
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:447) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3246) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3843) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:294) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:146) [:6.0.0.Final]

Asked by: joex
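The debug trace above is the whole failure compressed into a few lines: one key of type 18 (aes256-cts-hmac-sha1-96) loaded from the keytab, only etype 18 offered in the AS-REQ, a first KRB-ERROR 25 (pre-authentication required) whose PA-ETYPE-INFO2 names etype 18, and, after the PA-ENC-TIMESTAMP retry, a KRB-ERROR 14 (KDC_ERR_ETYPE_NOSUPP). The script below is an added example, not part of joex's post and not JBoss or JDK code: it pulls exactly those facts out of Krb5LoginModule debug output and states a verdict. The sample log is constructed from the excerpt above with the site-specific realm and host removed; the verdict wording, including the caveat against falling back to DES or RC4, is the editor's, not the JDK's.

```python
"""Triage of the sun.security.krb5 debug lines Krb5LoginModule prints with debug=true.
Added example written for this page; not code from the original post, JBoss or the JDK.
It reduces the log to keytab enctypes, enctypes the client offered, and each KRB-ERROR
with the PA-ETYPE-INFO2 etype the KDC returned. SAMPLE_LOG is constructed from the
question's excerpt, with the site-specific names removed."""
import re
from dataclasses import dataclass, field

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
              25: "KDC_ERR_PREAUTH_REQUIRED", 37: "KRB_AP_ERR_SKEW"}

@dataclass
class KrbError:
    code: int
    message: str = ""
    pa_etypes: list = field(default_factory=list)   # PA-ETYPE-INFO2 etypes in the e-data

@dataclass
class Triage:
    keytab_etypes: set = field(default_factory=set)
    client_etypes: set = field(default_factory=set)
    errors: list = field(default_factory=list)

_PATTERNS = {                                       # tail of the JDK line; logger prefix ignored
    "keytab": re.compile(r"KeyTab: load\(\) entry length: \d+; type: (\d+)"),
    "client": re.compile(r"default etypes for default_tkt_enctypes: ([\d ]+)\."),
    "code": re.compile(r"error code is (\d+)"),
    "msg": re.compile(r"error Message is (.+)$"),
    "painfo": re.compile(r"PA-ETYPE-INFO2 etype = (\d+)"),
}

def parse_krb5_debug(lines):
    """Fold an iterable of log lines into a Triage (lines that match nothing are ignored)."""
    t = Triage()
    for raw in lines:
        line = raw.rstrip()
        for kind, pat in _PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if kind == "keytab":
                t.keytab_etypes.add(int(m.group(1)))
            elif kind == "client":
                t.client_etypes.update(int(x) for x in m.group(1).split())
            elif kind == "code":                    # a new KRB-ERROR starts here
                t.errors.append(KrbError(int(m.group(1))))
            elif kind == "msg" and t.errors:
                t.errors[-1].message = m.group(1)
            elif kind == "painfo" and t.errors:     # PA-DATA follows the error it belongs to
                t.errors[-1].pa_etypes.append(int(m.group(1)))
            break
    return t

def _names(etypes):
    return sorted(f"{ENCTYPES.get(e, '?')}({e})" for e in etypes)

def diagnose(t):
    """Human-readable findings; the last entry is the verdict on the exchange."""
    out = [f"keytab keys: {_names(t.keytab_etypes)}",
           f"client offered: {_names(t.client_etypes)}"]
    kdc_key_etypes = set()                          # what the KDC says it holds for this principal
    for err in t.errors:
        line = f"KRB-ERROR {err.code} {KRB_ERRORS.get(err.code, '?')}: {err.message}"
        if err.pa_etypes:
            line += f"; KDC key etype {_names(err.pa_etypes)}"
            kdc_key_etypes.update(err.pa_etypes)
        out.append(line)
    missing = kdc_key_etypes - t.keytab_etypes
    last = t.errors[-1].code if t.errors else None
    if missing:
        out.append(f"verdict: keytab has no key of the etype the KDC holds {_names(missing)}; "
                   "regenerate the keytab with that etype")
    elif last == 14:
        out.append(f"verdict: KDC_ERR_ETYPE_NOSUPP for every etype offered {_names(t.client_etypes)}; "
                   "offer an etype the KDC supports, not des-cbc-*/rc4-hmac")
    else:
        out.append("verdict: no enctype fault visible" + (f" (last error {last})" if last else ""))
    return out

# Constructed from the question's excerpt: two AS-REQ round trips, logger prefix shortened.
SAMPLE_LOG = """\
[STDOUT] >>> KeyTab: load() entry length: 94; type: 18
[STDOUT] default etypes for default_tkt_enctypes: 18.
[STDOUT] >>>KRBError:
[STDOUT]   error code is 25
[STDOUT]   error Message is Additional pre-authentication required
[STDOUT]   PA-DATA type = 19
[STDOUT]   PA-ETYPE-INFO2 etype = 18
[STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
[STDOUT] >>>KRBError:
[STDOUT]   error code is 14
[STDOUT]   error Message is KDC has no support for encryption type
"""
```

Run it over a real server.log with `diagnose(parse_krb5_debug(open("server.log")))`. It goes slightly beyond the excerpt: if the keytab holds no key of the etype the KDC reports in PA-ETYPE-INFO2 (a case not in the log above), the verdict says so instead of blaming the KDC.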
1 Solution
 
for_yanCommented:


from this link:
http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html



# javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14) - KDC has no support for encryption type

    Cause 1: Your KDC does not support the encryption type requested.

    Solution 1: Sun's implementation of Kerberos supports the following encryption types: des-cbc-md5, des-cbc-crc and des3-cbc-sha1.

    Applications can select the desired encryption type by specifying following tags in the Kerberos Configuration file krb5.conf:

        [libdefaults]
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
        permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
         

    If not specified, the default value is:

        des-cbc-md5 des-cbc-crc des3-cbc-sha1
         

    Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.

    Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

    On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
        Value Name: allowtgtsessionkey
        Value Type: REG_DWORD
        Value: 0x01  ( default is 0 )

    By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.

    Here is the location of the registry setting on Windows XP SP2:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
        Value Name: allowtgtsessionkey
        Value Type: REG_DWORD
        Value: 0x01

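The troubleshooting page quoted above dates from Java 5 and lists only DES and 3DES enctypes. The log in the question shows a JVM that already builds AES-256 pre-authentication (etype 18, Aes256CtsHmacSha1EType), and DES (RFC 6649) and RC4 (RFC 8429) are deprecated, so enabling them to silence error 14 trades one failure for a weak realm. What has to hold is that the keytab, the client's default_tkt_enctypes and the set the KDC accepts share at least one etype. The script below, an added example by the editor and not code from the answer, from Oracle or from MIT Kerberos, makes that check concrete: it parses a keytab in the 0x0502 file format the JDK's KeyTabInputStream reads, reads the enctype tags from a krb5.conf fragment, and reports the intersection. The keytab, both krb5.conf fragments, the principal HTTP/web01.example.com@EXAMPLE.COM and the KDC enctype sets are constructed for the demo; in a real case the KDC set is whatever the KDC or the service account is configured to accept.

```python
"""Keytab / krb5.conf enctype compatibility check. Added example for this page;
not code from the original answer, Oracle or MIT Kerberos. Parses a version-0x0502
keytab (the format the JDK's KeyTabInputStream reads) and the enctype tags of a
krb5.conf [libdefaults] section; every input below is constructed for the demo."""
import struct

# RFC 3961/3962/4757 enctype numbers, keyed by the spellings krb5.conf accepts.
ENCTYPE_NAMES = {
    "des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23,
}
WEAK = {1, 3, 16, 23}                            # DES/3DES (RFC 6649) and RC4 (RFC 8429)

def _cstr(b):                                    # keytab counted_octet_string
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """[(principal 'svc/host@REALM', kvno, enctype, key bytes)] -> keytab file bytes."""
    out = bytearray(b"\x05\x02")                 # format version 0x0502, big-endian fields
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">H", etype) + _cstr(key)      # keyblock
        body += struct.pack(">I", kvno)                    # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

class _Reader:
    def __init__(self, data, pos): self.data, self.pos = data, pos
    def u(self, fmt):                            # one fixed-size big-endian field
        (v,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return v
    def cstr(self):
        n = self.u(">H")
        self.pos += n
        return self.data[self.pos - n:self.pos]

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key_length)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        size = r.u(">i")
        if size < 0:                             # negative size marks a deleted slot
            r.pos += -size
            continue
        end = r.pos + size
        comps_n = r.u(">H")
        realm = r.cstr().decode()
        comps = [r.cstr().decode() for _ in range(comps_n)]
        r.pos += 8                               # skip name type and timestamp
        vno8 = r.u(">B")
        etype = r.u(">H")
        key = r.cstr()
        vno = r.u(">I") if end - r.pos >= 4 else vno8   # 32-bit vno only if present
        r.pos = end
        entries.append(("/".join(comps) + "@" + realm, vno, etype, len(key)))
    return entries

def libdefault_enctypes(conf_text, tag="default_tkt_enctypes"):
    """Enctype numbers listed for `tag` under [libdefaults]; None if the tag is absent."""
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, val = (x.strip() for x in line.split("=", 1))
            if key == tag:
                return {ENCTYPE_NAMES[n] for n in val.split()}
    return None

def check(entries, client_etypes, kdc_etypes, principal):
    """Can the AS exchange for `principal` succeed on enctype grounds? Returns findings."""
    names = lambda s: sorted(next((n for n, v in ENCTYPE_NAMES.items() if v == e), str(e)) for e in s)
    kt = {e for p, _, e, _ in entries if p == principal}
    if not kt:
        return [f"no key for {principal} in keytab"]
    usable = kt & client_etypes & kdc_etypes
    findings = [f"usable: {names(usable)}" if usable else
                f"KDC_ERR_ETYPE_NOSUPP (14) expected: keytab {names(kt)}, "
                f"client offers {names(client_etypes)}, KDC accepts {names(kdc_etypes)}"]
    for n in names((kt | client_etypes) & WEAK):
        findings.append(f"weak enctype {n} configured; do not cure error 14 by enabling DES/RC4")
    return findings

# Constructed: WEAK_CONF is the list the quoted Java 5 page suggests; HARDENED_CONF is current practice.
WEAK_CONF = "[libdefaults]\n  default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1\n"
HARDENED_CONF = "[libdefaults]\n  default_tkt_enctypes = aes256-cts aes128-cts\n"
PRINC = "HTTP/web01.example.com@EXAMPLE.COM"                 # hypothetical principal
KEYTAB = build_keytab([(PRINC, 3, 18, bytes(range(32)))])   # one AES-256 key, kvno 3
```

`klist -kte` gives the same listing from the MIT tools; the parser exists so the check can run where no Kerberos tooling is installed. Call `check(parse_keytab(KEYTAB), libdefault_enctypes(HARDENED_CONF), {23}, PRINC)` to reproduce the error-14 situation (keytab and client speak AES, KDC only RC4), and pass `{17, 18, 23}` as the KDC set to see it succeed; `WEAK_CONF` gets the same error plus one warning per DES enctype.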
