[jboss-jira] [JBoss JIRA] Created: (SECURITY-393) Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

Nagendra krishnawat (JIRA) jira-events at lists.jboss.org
Fri Mar 20 16:19:24 EDT 2009


Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
-----------------------------------------------------------------------------------------------------------------------

                 Key: SECURITY-393
                 URL: https://jira.jboss.org/jira/browse/SECURITY-393
             Project: JBoss Security and Identity Management
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Negotiation
         Environment: Server Machine: Microsoft Windows Server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
KDC: Windows Server 2003 R2; in my case server and KDC are the same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
Client Machine: Microsoft Windows XP Professional (Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)
            Reporter: Nagendra krishnawat
            Assignee: Anil Saldhana
             Fix For: Negotiation_2.0.3.GA


I am using SPNEGO for silent authentication, referring to https://www.jboss.org/community/docs/DOC-10680

Environment specification:

Server Machine: Microsoft Windows Server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
KDC: Windows Server 2003 R2; in my case server and KDC are the same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName: PASKTABSVR1.wamtest.wa.local)
Client Machine: Microsoft Windows XP Professional (Name: PASKTABCL1, Domain: wamtest.wa.local, FullName: PASKTABCL1.wamtest.wa.local)

I basically followed the PDF user guide downloaded from the above link (https://www.jboss.org/community/docs/DOC-10680).

I have checked "Use DES encryption types for this account".

SPN setting:

C:\Program Files\Support Tools>setspn -l PASKTABSVR1
Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
    HTTP/PASKTABSVR1.wamtest.wa.local
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
    GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
    HOST/PASKTABSVR1
    HOST/PASKTABSVR1.wamtest.wa.local
    HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
    ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
    ldap/PASKTABSVR1
    ldap/PASKTABSVR1.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
    ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
    DNS/PASKTABSVR1.wamtest.wa.local

Command used to create keytab file:

C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABS... at WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab

Login modules from JBoss (login-config.xml):
.
..
......
<application-policy name="host">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">host/PASKTABS... at WAMTEST.WA.LOCAL</module-option>
            <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>

<application-policy name="SPNEGO">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">props/spnego-users.properties</module-option>
            <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
        </login-module>
    </authentication>
</application-policy>
.....
..
.

As per the document there are three tests. The first and second tests pass, i.e. the client browser gets the token, and in the second test the host login module gets authenticated.
The final test, i.e. "secured", which is the integrated test of both client and server, fails with the following exception:

Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)

I tried mapping different SPNs:

C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1       (lower case pasktabsvr1)

But it didn't help; I got the same exception "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".

Am I doing anything fundamentally wrong, or is this a bug, or was the user doc prepared on a different environment?
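The exception names the encryption type the client used (RC4 with HMAC, Kerberos enctype 23) while the keytab above was written with -crypto DES-CBC-CRC (enctype 1), so the first thing to verify is which key types the keytab actually holds. As an added example, not part of this JIRA report or of the JBoss Negotiation project, here is a small parser for MIT-format (0x0502) keytabs that lists each key's principal, kvno and enctype and flags whether a key of the type named in the exception is missing; the sample keytab bytes, principal name and key material are constructed for the demonstration, and build_entry exists only to construct them offline.

```python
import struct
# Kerberos enctype numbers (RFC 3961 / RFC 4757) that matter for this report
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(data, off):  # counted_octet_string: uint16 length followed by bytes
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab and return one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:          # a negative size marks a deleted slot: skip its bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        key, off = _cstr(data, off + 11)
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "etype": etype, "etype_name": ENCTYPES.get(etype, "unknown(%d)" % etype)})
        off = end
    return entries

def missing_etype(entries, wanted):
    """True if no key in the keytab has the enctype the AP-REQ was encrypted with."""
    return not any(e["etype"] == wanted for e in entries)

def build_entry(principal, etype, key, kvno=1):
    """Encode one keytab entry; used here only to construct a sample keytab offline."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample: a keytab holding only a DES-CBC-CRC key, as ktpass -crypto DES-CBC-CRC writes
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("host/pasktabsvr1.wamtest.wa.local@WAMTEST.WA.LOCAL", 1, b"\x01" * 8)
```

Running parse_keytab over a real keytab produced by ktpass shows at a glance whether the enctype the client negotiated (23 for RC4-HMAC) is present; if it is not, the AP-REQ cannot be decrypted regardless of which SPN is mapped.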
