Kerberos error

joex asked
Medium Priority
2,743 Views
Last Modified: 2012-05-11
The attached error is appearing in the JBoss logs for Kerberos.

Any idea why this is occurring?

Thanks.

Here are the JAAS options given to JBoss:

    <application-policy name="spnego-server">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule"
          flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="debug">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="keyTab">file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab</module-option>
          <module-option name="principal">HTTP/dev-abcd-1.etc.xyz...</module-option>
        </login-module>
      </authentication>
    </application-policy>


2011-04-29 09:31:32,090 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (ResourceContainer.invoker.nonDaemon-1) deploy, ctxPath=/TestAuthWeb
2011-04-29 09:31:32,192 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab refreshKrb5Config is false principal is HTTP/dev-abcd-1.etc...xyz tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): ETC.XYZ...
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): HTTP
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): dev-abcd-1.etc.xyz...
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTab: load() entry length: 94; type: 18
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Added key: 18version: 3
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Ordering keys wrt default_tkt_enctypes list
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0000: 26 EF 20 40 EF 5F C6 67   D6 3D AA 2E DB CF E8 CA  &. @._.g.=......
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0010: 61 1F 7A 0F 1A 25 4F CB   4D AC D7 3F F4 1D A4 02  a.z..%O.M..?....
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) principal's key obtained from the keytab
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Acquire TGT using AS Exchange
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,354 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,357 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=163
2011-04-29 09:31:32,359 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=163
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,366 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 554495
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 25
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is Additional pre-authentication required
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   eData provided.
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 19
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ETYPE-INFO2 etype = 18
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 2
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ENC-TIMESTAMP
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 16
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 15
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Updated salt from pre-auth = ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KrbAsReq salt is ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Pre-Authenticaton: find key for etype = 18
2011-04-29 09:31:32,372 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AS-REQ: Add PA_ENC_TIMESTAMP now
2011-04-29 09:31:32,373 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2011-04-29 09:31:32,752 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,753 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=250
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=250
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 944507
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 14
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is KDC has no support for encryption type
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)          [Krb5LoginModule] authentication failed
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) KDC has no support for encryption type (14)
2011-04-29 09:31:32,792 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/TestAuthWeb]] (ResourceContainer.invoker.nonDaemon-1) Exception starting filter SpnegoHttpFilter: javax.servlet.ServletException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198) [:]
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:447) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3246) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3843) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:294) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:146) [:6.0.0.Final]
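
A small triage script for a trace like the one above, added here as an example and not part of the original post or of any JBoss or JDK code: it groups the Krb5LoginModule debug lines into AS-REQ attempts, so the error 25 that only triggers the pre-authenticated re-send is separated from the final error 14, and it flags when the trace includes keytab key bytes. The function names and the shortened sample log are constructed for illustration.

```python
import re

# Error codes from RFC 4120; etype numbers from the IANA Kerberos registry.
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
              25: "KDC_ERR_PREAUTH_REQUIRED"}
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}

# Constructed sample: the message text follows the shape of the trace in the
# post, with the log prefix shortened and the key bytes left out.
SAMPLE = """\
INFO [STDOUT] default etypes for default_tkt_enctypes: 18.
INFO [STDOUT] 0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
INFO [STDOUT] >>> KrbAsReq calling createMessage
INFO [STDOUT]   error code is 25
INFO [STDOUT]   PA-ETYPE-INFO2 etype = 18
INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
INFO [STDOUT] >>> KrbAsReq calling createMessage
INFO [STDOUT]   error code is 14
"""

def names(nums):
    """Map etype numbers to names, keeping unknown numbers visible."""
    return [ETYPES.get(n, f"etype {n}") for n in sorted(nums)]

def summarize(log_text):
    """Group a Krb5LoginModule debug trace into AS-REQ attempts."""
    attempts, offered, hinted = [], set(), set()
    key_logged = preauth_next = False
    for line in log_text.splitlines():
        if "KrbAsReq calling createMessage" in line:
            attempts.append({"preauth": preauth_next, "error": None})
            preauth_next = False
        elif "Add PA_ENC_TIMESTAMP" in line:
            preauth_next = True  # applies to the AS-REQ built next
        elif (m := re.search(r"error code is (\d+)", line)) and attempts:
            code = int(m.group(1))
            attempts[-1]["error"] = KRB_ERRORS.get(code, f"code {code}")
        elif m := re.search(r"default_tkt_enctypes: ([\d ]+)", line):
            offered.update(int(n) for n in m.group(1).split())
        elif m := re.search(r"PA-ETYPE-INFO2 etype = (\d+)", line):
            hinted.add(int(m.group(1)))
        elif "keyValue (hex dump)" in line:
            key_logged = True  # the debug trace carries the keytab key bytes
    return {"attempts": attempts, "client_etypes": names(offered),
            "kdc_etypes": names(hinted), "key_logged": key_logged}

if __name__ == "__main__":
    for i, a in enumerate(summarize(SAMPLE)["attempts"], 1):
        print(i, "preauth" if a["preauth"] else "no preauth", a["error"])
```

When `key_logged` is true, the log file holds the service principal's long-term key and should be handled like the keytab itself before it is shared.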
