5
votes

I'm trying to do a Spring Security Kerberos with Active Directory credentials as stated in http://docs.spring.io/spring-security-kerberos/docs/1.0.1.RELEASE/reference/htmlsingle/#samples-sec-server-win-auth. I'd like to say that I've got most of the things down (SPN, keytabs, etc.). Now I've got a checksum fail. Supposing I change my principal name, I get an AES encryption error.

I'm using Spring Boot on RHEL 6 with Oracle Java 1.8 + JCE Sample from https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-samples/sec-server-win-auth

Here is what I get when run the jar


Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is /home/boss/webdev125-3.keytab refreshKrb5Config is false principal is http/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false

principal is http/[email protected] Will use keytab Commit Succeeded

....

2015-11-25 11:29:09.631 DEBUG 5559 --- [nio-8080-exec-3] .a.KerberosServiceAuthenticationProvider : Try to validate Kerberos Token 2015-11-25 11:29:10.003 WARN 5559 --- [nio-8080-exec-3] w.a.SpnegoAuthenticationProcessingFilter : Negotiate Header was invalid:

...

org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:71) at org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:64) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)

...

Caused by: org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170)
    at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:153)
    ... 48 common frames omitted

Caused by: sun.security.krb5.KrbCryptoException: Checksum failed

    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
    ... 56 common frames omitted

Caused by: java.security.GeneralSecurityException: Checksum failed

    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
    at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
    at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
    at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
    ... 62 common frames omitted

Some other details:

  • /etc/krb5.conf does have default_tgs_enctypes, default_tkt_enctypes to include aes256-cts-hmac-sha1-96
  • default keytab location is matching between the application and krb5.conf
  • keytabs are being generated on a windows server, then copied to RHEL
2

2 Answers

6
votes

It seems that I had conflicts with existing Service Principal Mappings. Once I cleaned it up, the error stopped happening. This link helped me find the solution - https://developer.jboss.org/wiki/ConfiguringJBossNegotiationInAnAllWindowsDomain?_sscc=t

0
votes

I hit this issue recently.

The DNS of the service must match the service principal name. The principal name must start with HTTP/

Example: Service DNS: www.ala-bala.com Principal name must be: HTTP/ala-bala.com@REALM

The realm doesn't have to match the DNS.

If running locally, the DNS obviously will not match the principal.

You can work around it by adding a line to /etc/hosts: 127.0.0.1 ala-bala.com

You can also use a client which allows you to override the kerberos host/principal name like requests_kerberos in Python.