[jboss-jira] [JBoss JIRA] Assigned: (SECURITY-393) Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Fri Mar 20 16:26:22 EDT 2009


     [ https://jira.jboss.org/jira/browse/SECURITY-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anil Saldhana reassigned SECURITY-393:
--------------------------------------

    Assignee: Darran Lofthouse  (was: Anil Saldhana)


> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-393
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-393
>             Project: JBoss Security and Identity Management
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>         Environment: Server Machine: Microsoft windows server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName:PASKTABSVR1.wamtest.wa.local)
> KDC               : windows server 2003 R2, In my case server and KDC are same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local                      FullName:PASKTABSVR1.wamtest.wa.local)
> Client Machine: Microsoft windows XP professional (Name: PASKTABCL1, Domain: wamtest.wa.local  FullName:PASKTABCL1.wamtest.wa.local) 
>            Reporter: Nagendra krishnawat
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_2.0.3.GA
>
>
> I am using SPNEGO for silent authentication. Referring to https://www.jboss.org/community/docs/DOC-10680
> Environment specification:
> Server Machine: Microsoft windows server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName:PASKTABSVR1.wamtest.wa.local)
> KDC               : windows server 2003 R2, In my case server and KDC are same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local                      FullName:PASKTABSVR1.wamtest.wa.local)
> Client Machine: Microsoft windows XP professional (Name: PASKTABCL1, Domain: wamtest.wa.local  FullName:PASKTABCL1.wamtest.wa.local)
> I basically followed the PDF user guide downloaded from the above link (https://www.jboss.org/community/docs/DOC-10680)
> I have checked "Use DES type encryption types for this account"
> SPN setting:
> C:\Program Files\Support Tools>setspn -l PASKTABSVR1
> Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
>     HTTP/PASKTABSVR1.wamtest.wa.local
>     NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
>     ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
>     GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
>     HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
>     HOST/PASKTABSVR1
>     HOST/PASKTABSVR1.wamtest.wa.local
>     HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
>     E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
>     ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
>     ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
>     ldap/PASKTABSVR1
>     ldap/PASKTABSVR1.wamtest.wa.local
>     ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
>     ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
>     DNS/PASKTABSVR1.wamtest.wa.local
> Command used to create keytab file:
> C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABS... at WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab
> Login modules from JBoss (login-config.xml):
> .
> ..
> ......
> <application-policy name="host">
>                 <authentication>
>                 <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>                         <module-option name="storeKey">true</module-option>
>                         <module-option name="useKeyTab">true</module-option>
>                         <module-option name="principal">host/PASKTABS... at WAMTEST.WA.LOCAL</module-option>
>                         <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
>                         <module-option name="doNotPrompt">true</module-option>
>                         <module-option name="debug">true</module-option>
>                 </login-module>
>                 </authentication>
>         </application-policy>
>         <application-policy name="SPNEGO">
>                 <authentication>
>                         <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
>                                 <module-option name="password-stacking">useFirstPass</module-option>
>                                 <module-option name="serverSecurityDomain">host</module-option>
>                         </login-module>
>                         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
>                                 <module-option name="password-stacking">useFirstPass</module-option>
>                                 <module-option name="usersProperties">props/spnego-users.properties</module-option>
>                                 <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
>                         </login-module>
>                         </authentication>
>         </application-policy>
> .....
> ..
> .
> As per the document there are three tests.
> The first and second tests pass, i.e. the client browser gets the token, and in the second test the host login module gets authenticated, i.e. the second test passes.
> The final test, i.e. "secured", which is the integrated test of both client and server, fails with the following exception:
> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
>         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
>         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
>         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
> I tried mapping different SPN:
> C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
> C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1       (Small case pasktabsvr1)
> But it didn't help; I got the same exception "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC"
> Am I doing anything fundamentally wrong, or is this a bug, or was the user doc prepared on a different environment?

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


