问题
This is a related problem described here in the link Has anyone configured Kerberos SSO on Web Logic 12.1.2 with JDK 1.7 on Win 2012 successfully?.
Is this problem resolved? I am facing the exact same problem on the Weblogic server version 12.1.3.0 running on Windows Server 2012 R2 on jdk 7u79. When I remove aes256-cts-hmac-sha1-96 from the krb5.ini file and generate a keytab file using ktab or ktpass utility, I get the error message in weblogic server saying :
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96) Caused By: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
Now, when I add aes256-cts-hmac-sha1-96 back to krb5.ini file and generate a keytab file, I get the error message in weblogic server saying
com.bea.security.utils.kerberos.KerberosException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) Caused By: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
I also tried to upgrade the jdk version to jdk 8u73 in the weblogic server 12.1.3.0 but the error scenario is exactly the same.
Also, when I try to use Weblogic server 12.2.1 on Windows Server 2012 R2 on jdk 8u73, I always get the error message:
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:87)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:127)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
The above error is also mentioned here https://community.cloudera.com/t5/Storage-Random-Access-HDFS/SPNEGO-authentication-failure-with-openjdk-gt-7u80-HADOOP-10786/td-p/34829. So it can possibly be a problem with all jdk7u80+.
I have spent more than a week now struggling with this problem and still haven't managed to find a fix.
来源:https://stackoverflow.com/questions/36970517/has-anyone-configured-kerberos-sso-on-web-logic-12-1-2-with-jdk-1-7-on-win-2012