joex

asked on

Kerberos error

The attached error is appearing in the JBoss logs for Kerberos.

Any idea why this is occurring?

Thanks.

Here are the JAAS options given to JBoss:

    <application-policy name="spnego-server">
      <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule"
          flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="debug">true</module-option>
          <module-option name="useKeyTab">true</module-option>
          <module-option name="keyTab">file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab</module-option>
          <module-option name="principal">HTTP/dev-abcd-1.etc.xyz...</module-option>
        </login-module>
      </authentication>
    </application-policy>


2011-04-29 09:31:32,090 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (ResourceContainer.invoker.nonDaemon-1) deploy, ctxPath=/TestAuthWeb
2011-04-29 09:31:32,192 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is file:///opt/WebSphere7/configurationfiles/kerberos/krbABCDdev01.etc.xyz...keytab refreshKrb5Config is false principal is HTTP/dev-abcd-1.etc...xyz tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): ETC.XYZ...
2011-04-29 09:31:32,198 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): HTTP
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTabInputStream, readName(): dev-abcd-1.etc.xyz...
2011-04-29 09:31:32,199 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KeyTab: load() entry length: 94; type: 18
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Added key: 18version: 3
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Ordering keys wrt default_tkt_enctypes list
2011-04-29 09:31:32,348 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
2011-04-29 09:31:32,349 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0000: 26 EF 20 40 EF 5F C6 67   D6 3D AA 2E DB CF E8 CA  &. @._.g.=......
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) 0010: 61 1F 7A 0F 1A 25 4F CB   4D AC D7 3F F4 1D A4 02  a.z..%O.M..?....
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) principal's key obtained from the keytab
2011-04-29 09:31:32,350 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Acquire TGT using AS Exchange
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) default etypes for default_tkt_enctypes: 18.
2011-04-29 09:31:32,353 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,354 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,357 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=163
2011-04-29 09:31:32,359 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=163
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,362 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=204
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,363 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,366 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 554495
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 25
2011-04-29 09:31:32,367 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is Additional pre-authentication required
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   eData provided.
2011-04-29 09:31:32,368 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 19
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ETYPE-INFO2 etype = 18
2011-04-29 09:31:32,369 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 2
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-ENC-TIMESTAMP
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 16
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>Pre-Authentication Data:
2011-04-29 09:31:32,370 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   PA-DATA type = 15
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Updated salt from pre-auth = ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KrbAsReq salt is ETC.XYZ...HTTPdev-abcd-1.etc.xyz...
2011-04-29 09:31:32,371 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) Pre-Authenticaton: find key for etype = 18
2011-04-29 09:31:32,372 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) AS-REQ: Add PA_ENC_TIMESTAMP now
2011-04-29 09:31:32,373 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2011-04-29 09:31:32,752 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq calling createMessage
2011-04-29 09:31:32,753 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbAsReq in createMessage
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: kdc=10.248.129.12 UDP:88, timeout=30000, number of retries =3, #bytes=250
2011-04-29 09:31:32,754 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCCommunication: kdc=10.248.129.12 UDP:88, timeout=30000,Attempt =1, #bytes=250
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KrbKdcReq send: #bytes read=98
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KdcAccessibility: remove 10.248.129.12
2011-04-29 09:31:32,788 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>> KDCRep: init() encoding tag is 126 req type is 11
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) >>>KRBError:
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sTime is Fri Apr 29 09:31:32 EDT 2011 1304083892000
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   suSec is 944507
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error code is 14
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   error Message is KDC has no support for encryption type
2011-04-29 09:31:32,789 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   realm is ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   sname is krbtgt/ETC.XYZ...
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)   msgType is 30
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1)          [Krb5LoginModule] authentication failed
2011-04-29 09:31:32,790 INFO  [STDOUT] (ResourceContainer.invoker.nonDaemon-1) KDC has no support for encryption type (14)
2011-04-29 09:31:32,792 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/TestAuthWeb]] (ResourceContainer.invoker.nonDaemon-1) Exception starting filter SpnegoHttpFilter: javax.servlet.ServletException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at net.sourceforge.spnego.SpnegoHttpFilter.init(SpnegoHttpFilter.java:198) [:]
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:447) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3246) [:6.0.0.Final]
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3843) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:294) [:6.0.0.Final]
        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:146) [:6.0.0.Final]

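Added example (not part of the original post, nor JBoss or SPNEGO project code): a small Python triage helper that pulls the encryption types and KRBError codes out of Krb5LoginModule debug output like the log above and reports how the AS exchange ended. The function names and the trimmed sample input are constructed for illustration; error and etype names follow RFC 4120 and RFC 3962.

```python
import re

# Kerberos etype numbers and KRBError codes (RFC 3961/3962/4757, RFC 4120).
ETYPES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP", 25: "KDC_ERR_PREAUTH_REQUIRED"}

# Constructed sample: lines from the debug output above with log prefixes trimmed.
SAMPLE = """\
Added key: 18version: 3
default etypes for default_tkt_enctypes: 18.
  error code is 25
  PA-ETYPE-INFO2 etype = 18
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
  error code is 14
[Krb5LoginModule] authentication failed
"""

def summarize(log_text):
    """Collect the etypes and KRBError codes seen in Krb5 debug output."""
    ints = lambda pat: [int(n) for n in re.findall(pat, log_text)]
    client = set()
    for lst in re.findall(r"default etypes for default_tkt_enctypes: ([\d ]+)", log_text):
        client.update(int(n) for n in lst.split())
    return {
        "keytab": sorted(set(ints(r"Added key: (\d+)version"))),    # keys loaded from the keytab
        "client": sorted(client),                                   # etypes the client requests
        "kdc_hint": sorted(set(ints(r"PA-ETYPE-INFO2 etype = (\d+)"))),  # KDC pre-auth hint
        "errors": ints(r"error code is (\d+)"),                     # KRBError codes, in order
    }

def diagnose(s):
    """Return (status, detail) for the AS exchange described by summarize()."""
    names = lambda ids: ", ".join(ETYPES.get(i, str(i)) for i in ids) or "none"
    if 14 in s["errors"]:
        return ("etype-rejected",
                f"{KRB_ERRORS[14]}: client offered [{names(s['client'])}], "
                f"keytab holds [{names(s['keytab'])}], "
                f"KDC pre-auth hint [{names(s['kdc_hint'])}]")
    if not s["errors"]:
        return ("no-error", "no KRBError in input")
    if set(s["errors"]) <= {25}:
        return ("preauth-only", f"only {KRB_ERRORS[25]} seen; the client re-sends the AS-REQ")
    return ("other-error", f"codes {s['errors']}")

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

On the log above this reports `etype-rejected` with AES256 as the only type in the keytab and in `default_tkt_enctypes`, so the values to compare next are the encryption types the KDC has enabled for the `HTTP/...` principal.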

ASKER CERTIFIED SOLUTION
for_yan