KDC has no support for encryption type (14)

前端 未结 3 1211
清歌不尽
清歌不尽 2021-01-14 00:34

I\'m trying to implement SSO with kerberos using spring-security-kerberos extension.

I\'ve created a keytab file and I get the following error when trying to access

相关标签:
3条回答
  • 2021-01-14 01:04

    Finally got it working: When implementing kerberos authentication for Oracle JDK 6, one should use RC4-HMAC encryption, and so the DES and AES support should be disabled for the user account.

    Why did I check them in the first place is another story....

    0 讨论(0)
  • 2021-01-14 01:26

    What helped in my case was the switch

    ktpass ... -crypto all ...
    

    and I commented all of these in krb5.conf:

    # default_tkt_enctypes = ...
    # default_tgs_enctypes = ...
    # permitted_enctypes   = ...
    

    I guess it's default setup with rc4-hmac encoding that's most compatible.

    No special settings were needed in Active Directory on my SPN account.

    Windows Server 2008, Weblogic 10.3.6, Oracle JDK 1.7

    0 讨论(0)
  • 2021-01-14 01:27

    just bashed my head against the KrbException "KDC has no support for enryption type (14)" for several days in sequence. I have visited many places including some indepth MSDN blog posts (from Hongwei Sun, Sebastian Canevari) I cannot reference for lack of reputation.

    Thanks, for your mention of kvno 0 and dsiabling DES it now also works on my side.

    In the end it boiled down that I have my User Account setup with

    userAccountControl: 0d66048 or 0x10200 which matches 0b10000001000000000 or ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) and ADS_UF_NORMAL_ACCOUNT (0x00000200) but no UF_USE_DES_KEY_ONLY (0x200000) being set

    and

    msDS-SupportedEncryptionTypes: 0d16 or 0x10 which matches 0b10000 or AES256-CTS-HMAC-SHA1-96 (0x10) but no RC4-HMAC (0x04) being set.

    ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
    # extended LDIF
    #
    # LDAPv3
    # base <ou=Accounts,dc=localnet,dc=org> with scope subtree
    # filter: userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG
    # requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
    #
    
    # spn_hostname, DokSvc, Services, Accounts, localnet.org
    dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
    distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
    userAccountControl: 66048
    userPrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
    servicePrincipalName: HTTP/hostname.localnet.org
    servicePrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
    msDS-SupportedEncryptionTypes: 16
    
    # search result
    search: 2
    result: 0 Success
    
    # numResponses: 2
    # numEntries: 1
    

    With this and the following in my /etc/krb5.conf I can reproducably provoke "KrbException KDC has no support for enryption type (14)" when removing rc4-hmac from the default_tkt_enctypes.

    /etc/krb5.conf:

    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
      default_realm = LOCALNET.DE
      default_tkt_enctypes = aes256-cts
      default_tgs_enctypes = aes256-cts
      permitted_enctypes = aes256-cts
    [realms]
    LOCALNET.ORG = {
      kdc = masterdc.localnet.org:88
      admin_server = masterdc.localnet.org
      default_domain = LOCALNET.ORG
    }
    [domain_realm]
      .localnet.org = LOCALNET.ORG
      localnet.org = LOCALNET.ORG
    [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true
    

    However if you change it to default_tkt_enctypes = aes256-cts rc4-hmac it will succeed.

    Note that you can also leave out specifying the default_tkt_enctypes directive in /etc/krb5.conf, in order to make it work.

    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes: 18 17 16 23.
    

    It therefor looks like Windows Server 2008 SP2 Active Directory does explicitly require RC4-HMAC in the Pre-Authentication phase:

             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    

    I have updated JCE 1.8.0 policy files within my JDK's jre/lib/security folder in order for AES256 to be supported.

    Kind regards, Stefan


    The enctypes are specified under

    Kerberos Parameters http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

    etype   encryption type     Reference
    1   des-cbc-crc     [RFC3961]
    3   des-cbc-md5     [RFC3961]
    17  aes128-cts-hmac-sha1-96     [RFC3962]
    18  aes256-cts-hmac-sha1-96     [RFC3962]
    23  rc4-hmac    [RFC4757]
    

    Failure:

    java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/hostname.localnet.org@LOCALNET.ORG
    >>>KinitOptions cache name is /tmp/krb5cc_723
    Principal is HTTP/hostname.localnet.org@LOCALNET.ORG
    >>> Kinit using keytab
    >>> Kinit keytab file name: /somepath/spn_hostname.keytab
    Java config name: null
    LSA: Found Ticket
    LSA: Made NewWeakGlobalRef
    LSA: Found PrincipalName
    LSA: Made NewWeakGlobalRef
    LSA: Found DerValue
    LSA: Made NewWeakGlobalRef
    LSA: Found EncryptionKey
    LSA: Made NewWeakGlobalRef
    LSA: Found TicketFlags
    LSA: Made NewWeakGlobalRef
    LSA: Found KerberosTime
    LSA: Made NewWeakGlobalRef
    LSA: Found String
    LSA: Made NewWeakGlobalRef
    LSA: Found DerValue constructor
    LSA: Found Ticket constructor
    LSA: Found PrincipalName constructor
    LSA: Found EncryptionKey constructor
    LSA: Found TicketFlags constructor
    LSA: Found KerberosTime constructor
    LSA: Finished OnLoad processing
    Native config name: C:\Windows\krb5.ini
    Loaded from native config
    >>> Kinit realm name is LOCALNET.ORG
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for hostname.localnet.org are:
    
            hostname.localnet.org/192.168.1.2
    IPv4 address
    >>> KdcAccessibility: reset
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 64; type: 1
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 64; type: 3
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 72; type: 23
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 88; type: 18
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 72; type: 17
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    default etypes for default_tkt_enctypes: 18.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
    >>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
    >>> KrbKdcReq send: #bytes read=194
    >>>Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
    
    >>>Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
             PA-DATA type = 16
    
    >>>Pre-Authentication Data:
             PA-DATA type = 15
    
    >>> KdcAccessibility: remove masterdc.localnet.org:88
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
             suSec is 822386
             error code is 25
             error Message is Additional pre-authentication required
             sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
             eData provided.
             msgType is 30
    >>>Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
    
    >>>Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
             PA-DATA type = 16
    
    >>>Pre-Authentication Data:
             PA-DATA type = 15
    
    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    default etypes for default_tkt_enctypes: 18.
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    default etypes for default_tkt_enctypes: 18.
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
    >>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
    >>> KrbKdcReq send: #bytes read=93
    >>> KdcAccessibility: remove masterdc.localnet.org:88
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
             suSec is 25186
             error code is 14
             error Message is KDC has no support for encryption type
             sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
             msgType is 30
    Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
    KrbException: KDC has no support for encryption type (14)
            at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
            at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
            at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
            at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(Unknown Source)
            at sun.security.krb5.internal.ASRep.init(Unknown Source)
            at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
            ... 5 more
    

    Success:

    java -cp /home/wls0/webdav/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/hostname.localnet.org@LOCALNET.ORG
    >>>KinitOptions cache name is /tmp/krb5cc_723
    Principal is HTTP/hostname.localnet.org@LOCALNET.ORG
    >>> Kinit using keytab
    >>> Kinit keytab file name: /somepath/spn_hostname.keytab
    Java config name: null
    Native config name: /etc/krb5.conf
    Loaded from native config
    >>> Kinit realm name is LOCALNET.ORG
    >>> Creating KrbAsReq
    >>> KrbKdcReq local addresses for hostname.localnet.org are:
    
            hostname.localnet.org/192.168.1.2
    IPv4 address
    >>> KdcAccessibility: reset
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 64; type: 1
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 64; type: 3
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 72; type: 23
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 88; type: 18
    >>> KeyTabInputStream, readName(): LOCALNET.ORG
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): hostname.localnet.org
    >>> KeyTab: load() entry length: 72; type: 17
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    default etypes for default_tkt_enctypes: 23 18.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=180
    >>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=180
    >>> KrbKdcReq send: #bytes read=201
    >>>Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    
    >>>Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
             PA-DATA type = 16
    
    >>>Pre-Authentication Data:
             PA-DATA type = 15
    
    >>> KdcAccessibility: remove masterdc.localnet.org
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
             sTime is Tue Jan 17 19:11:56 CET 2017 1484676716000
             suSec is 116308
             error code is 25
             error Message is Additional pre-authentication required
             sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
             eData provided.
             msgType is 30
    >>>Pre-Authentication Data:
             PA-DATA type = 19
             PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
    
    >>>Pre-Authentication Data:
             PA-DATA type = 2
             PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
             PA-DATA type = 16
    
    >>>Pre-Authentication Data:
             PA-DATA type = 15
    
    KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
    default etypes for default_tkt_enctypes: 23 18.
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    default etypes for default_tkt_enctypes: 23 18.
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=269
    >>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=269
    >>> KrbKdcReq send: #bytes read=94
    >>> KrbKdcReq send: kdc=masterdc.localnet.org TCP:88, timeout=30000, number of retries =3, #bytes=269
    >>> KDCCommunication: kdc=masterdc.localnet.org TCP:88, timeout=30000,Attempt =1, #bytes=269
    >>>DEBUG: TCPClient reading 1615 bytes
    >>> KrbKdcReq send: #bytes read=1615
    >>> KdcAccessibility: remove masterdc.localnet.org
    Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
    Added key: 17version: 0
    Added key: 18version: 0
    Added key: 23version: 0
    Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
    Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
    >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.localnet.org
    New ticket is stored in cache file /tmp/krb5cc_723
    

    PS: You might want to extract the Kerberos 5 Tools from a Windows JDK because Oracle have removed it from the JDK 1.6 onwards. This gives you additional debug output on Linux platform with the Parameter (-Dsun.security.krb5.debug=true).

    mkdir sun.security.krb5
    cd sun.security.krb5
    "C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
    "C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
    dir
    

    This works around JDK-6910497 : Kinit class missing http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6910497

    0 讨论(0)
提交回复
热议问题