[jboss-jira] [JBoss JIRA] Resolved: (SECURITY-393) Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
Nagendra krishnawat (JIRA)
jira-events at lists.jboss.org
Mon Mar 30 21:47:22 EDT 2009
[ https://jira.jboss.org/jira/browse/SECURITY-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nagendra krishnawat resolved SECURITY-393.
------------------------------------------
Resolution: Done
Keep the following things in mind:
1. Create a separate user in Active Directory which is different from the computer account name.
E.g. suppose your machine name is PASKTABSVR1.wamtest.wa.local; then don't create a user with the name PASKTABSVR1 and map the SPN to it.
Create a separate user, say testserveruser, and map the SPN like:
C:\Documents and Settings\nkrishnawat.WAMTEST>setspn -A HTTP/PASKTABSVR1.wamtest.wa.local testserveruser
C:\Documents and Settings\nkrishnawat.WAMTEST>setspn -A host/PASKTABSVR1 testserveruser
C:\Documents and Settings\nkrishnawat.WAMTEST>setspn -A host/PASKTABSVR1.wamtest.wa.local testserveruser
Make sure that these SPNs are not mapped to another user. Keep in mind: "One SPN mapped to a user account should not be used to map another user account in the same domain".
2. The second important thing is to create the client krb5.ini to handle the encryption types. Here, client krb5.ini means the krb5.ini on the system where your browser is present (the browser making the request). The same krb5.ini should be in the server's c:\WINDOWS.
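A quick way to see the key-type mismatch behind this error is to read the keytab that ktpass wrote and list which encryption types it actually holds for the service principal, then compare them with the etype the client's AP-REQ used (RC4-HMAC, etype 23, in the exception above). This is an added example, not code from the issue or from the JBoss Negotiation project; it parses the MIT 0x0502 keytab layout that ktpass produces, and the sample keytab, its key bytes and the build_keytab helper are constructed here, with only the principal name taken from the report.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def _cstr(data, off):
    (n,) = struct.unpack_from(">H", data, off)        # counted octet string: uint16 len + bytes
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a 0x0502 MIT keytab (the layout ktpass writes) into (principal, kvno, etype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _ntype, _stamp, kvno, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen              # skip the key material itself; it is never returned
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return entries

def missing_enctypes(entries, principal, needed):
    """Enctypes in `needed` (e.g. the AP-REQ's etype) that `principal` has no key for."""
    have = {e for p, _, e in entries if p == principal}
    return sorted(set(needed) - have)

def build_keytab(comps, realm, kvno, etype, key):
    """Constructed sample only: serialise one entry in the same 0x0502 layout."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", 1, 1238459242, kvno & 0xFF, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed keytab with only a DES-CBC-CRC (etype 1) key and dummy key bytes, as the reporter's
# "ktpass -crypto DES-CBC-CRC" gives; the failing AP-REQ was RC4-HMAC (23), so that is reported missing.
PRINC = "host/PASKTABSVR1.wamtest.wa.local@WAMTEST.WA.LOCAL"
SAMPLE = build_keytab(["host", "PASKTABSVR1.wamtest.wa.local"], "WAMTEST.WA.LOCAL", 3, 1, b"\x13\x5d\x6c\x2a\x8b\x0e\x1f\x37")
MISSING = [ENCTYPES[e] for e in missing_enctypes(parse_keytab(SAMPLE), PRINC, [23])]
```

Run against a real keytab by replacing SAMPLE with the file's bytes; an empty MISSING list for the AP-REQ etype means the keytab is not the cause.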
> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-393
> URL: https://jira.jboss.org/jira/browse/SECURITY-393
> Project: JBoss Security and Identity Management
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Environment: Server Machine: Microsoft windows server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName:PASKTABSVR1.wamtest.wa.local)
> KDC : windows server 2003 R2, In my case server and KDC are same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local FullName:PASKTABSVR1.wamtest.wa.local)
> Client Machine: Microsoft windows XP professional (Name: PASKTABCL1, Domain: wamtest.wa.local FullName:PASKTABCL1.wamtest.wa.local)
> Reporter: Nagendra krishnawat
> Assignee: Darran Lofthouse
> Fix For: Negotiation_2.0.3.GA
>
>
> I am using SPNEGO for silent authentication, referring to https://www.jboss.org/community/docs/DOC-10680
> Environment specification:
> Server Machine: Microsoft windows server 2003 R2 (Name: PASKTABSVR1, Domain: wamtest.wa.local, FullName:PASKTABSVR1.wamtest.wa.local)
> KDC : windows server 2003 R2, In my case server and KDC are same machine. (Name: PASKTABSVR1, Domain: wamtest.wa.local FullName:PASKTABSVR1.wamtest.wa.local)
> Client Machine: Microsoft windows XP professional (Name: PASKTABCL1, Domain: wamtest.wa.local FullName:PASKTABCL1.wamtest.wa.local)
> I basically followed the PDF user guide downloaded from the above link (https://www.jboss.org/community/docs/DOC-10680)
> I have checked "Use DES type encryption types for this account"
> SPN setting:
> C:\Program Files\Support Tools>setspn -l PASKTABSVR1
> Registered ServicePrincipalNames for CN=PASKTABSVR1,OU=Domain Controllers,DC=wamtest,DC=wa,DC=local:
> HTTP/PASKTABSVR1.wamtest.wa.local
> NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/PASKTABSVR1.wamtest.wa.local
> ldap/PASKTABSVR1.wamtest.wa.local/ForestDnsZones.wamtest.wa.local
> GC/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
> HOST/PASKTABSVR1.wamtest.wa.local/WAMTEST
> HOST/PASKTABSVR1
> HOST/PASKTABSVR1.wamtest.wa.local
> HOST/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/c97c1681-4636-4d4a-b7fe-94f6bf0567cf/wamtest.wa.local
> ldap/c97c1681-4636-4d4a-b7fe-94f6bf0567cf._msdcs.wamtest.wa.local
> ldap/PASKTABSVR1.wamtest.wa.local/WAMTEST
> ldap/PASKTABSVR1
> ldap/PASKTABSVR1.wamtest.wa.local
> ldap/PASKTABSVR1.wamtest.wa.local/DomainDnsZones.wamtest.wa.local
> ldap/PASKTABSVR1.wamtest.wa.local/wamtest.wa.local
> DNS/PASKTABSVR1.wamtest.wa.local
> Command used to create keytab file:
> C:\Program Files\Support Tools>ktpass -crypto DES-CBC-CRC -princ host/PASKTABS... at WAMTEST.WA.LOCAL -pass Autumn08 -mapuser WAMTEST\PASKTABSVR1 -out C:\pasktabsvr1.host.keytab
> Login modules from JBoss (login-config.xml):
> .
> ..
> ......
> <application-policy name="host">
>   <authentication>
>     <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>       <module-option name="storeKey">true</module-option>
>       <module-option name="useKeyTab">true</module-option>
>       <module-option name="principal">host/PASKTABS... at WAMTEST.WA.LOCAL</module-option>
>       <module-option name="keyTab">C:/pasktabsvr1.host.keytab</module-option>
>       <module-option name="doNotPrompt">true</module-option>
>       <module-option name="debug">true</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> <application-policy name="SPNEGO">
>   <authentication>
>     <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
>       <module-option name="password-stacking">useFirstPass</module-option>
>       <module-option name="serverSecurityDomain">host</module-option>
>     </login-module>
>     <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
>       <module-option name="password-stacking">useFirstPass</module-option>
>       <module-option name="usersProperties">props/spnego-users.properties</module-option>
>       <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
>     </login-module>
>   </authentication>
> </application-policy>
> .....
> ..
> .
> As per the document there are three tests.
> The first and second tests pass, i.e. the client browser gets the token; in the second test the host login module gets authenticated, i.e. the second test passes.
> The final test, i.e. "secured", which is the integrated test of both client and server, fails with the following exception:
> Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
> at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
> at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
> at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
> I tried mapping a different SPN:
> C:\Program Files\Support Tools>setspn.exe -a HTTP/PASKTABSVR1.wamtest.wa.local PASKTABSVR1
> C:\Program Files\Support Tools>setspn.exe -a HTTP/pasktabsvr1.wamtest.wa.local PASKTABSVR1 (lower-case pasktabsvr1)
> But it didn't help; I got the same exception "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC"
> Am I doing anything fundamentally wrong, or is this a bug, or was the user doc prepared on a different environment?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira