1 vote

I am trying to set up Kerberos Integrated Windows Authentication using SPNEGO and Tomcat.

This is the first time I am doing this and I have not seen a real environment, so I am relying on online documentation, mostly the SPNEGO site. I am getting the error below:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid Argument (400) Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

Catalina log shows:
Jan 30, 2017 10:12:37 AM net.sourceforge.spnego.SpnegoHttpFilter doFilter
SEVERE: HTTP Authorization Header=Negotiate <edited - actual had a big key>
Jan 30, 2017 10:41:24 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jan 30, 2017 10:41:24 AM org.apache.coyote.AbstractProtocol pause

Attaching my krb5.conf and login.conf.


The KLIST command gives 2 keys:

CLIENT: B1GYZDM @ test.win.org
Server: krbtgt/test.win.org @ test.win.org
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

CLIENT: B1GYZDM @ test.win.org
Server: krbtgt/test.win.org @ test.win.org
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

Tomcat is running as Local Service, and the keytab supports 128 & 256 encryption.

Can you please help me resolve the issue?

krb5.conf:
[libdefaults]
default_tkt_enctypes = aes128-cts aes256-cts
default_tgs_enctypes = aes128-cts aes256-cts
permitted_enctypes   = aes128-cts aes256-cts

[realms]
test.win.org = {
    kdc = test.win.org
    default_domain = test.win.org
}

[domain_realm]
test.win.org = test.win.org


login.conf:
spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="file:///E:/Apps/apache-tomcat-7.0.40/bin/test.keytab"
        isInitiator=false;
};

custom-client {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="file:///E:/Apps/apache-tomcat-7.0.40/bin/test.keytab"
        principal=B1ADPST000;
};
1
Please paste the contents of krb5.conf and login.conf directly into the question itself. Don't make us go to another site to download them. Those files are short enough that you can do that. Well, definitely krb5.conf anyway; for login.conf, you can show the relevant SPNEGO section, or the whole thing if it's not much longer than krb5.conf. - T-Heron
I have updated the ticket with the file contents. - michael
Are you using Microsoft Active Directory for Kerberos? Do you still have a copy of the keytab creation syntax you created the keytab with, and if so, can you also post that? - T-Heron
Yes, it's using AD for Kerberos. I don't have the keytab command, but I have asked the admin for it and will provide it if I get it. - michael

1 Answer

0 votes

I guess you get the error when you access the webapp.

Most likely the keytab file does not have a matching key entry.

You should use '/crypto all' when creating the keytab file.

You may run 'klist' on the client side, not the server side, and check the service ticket the client obtained from the KDC for the service (the host where the WebApp is deployed), not the ticket-granting ticket (TGT).
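To make the answer's first point checkable, here is an added example that is not part of the original post, the spnego project, or Tomcat. It parses a keytab in the MIT format (version 0x0502, which is what ktpass and ktutil write) offline, without touching any key material, and reports which encryption types the file actually holds for a service principal. You can then compare that list against the enctype named in the GSSException (RC4-HMAC, enctype 23) or against what 'klist' on the client shows for the service ticket. The principal HTTP/app.test.win.org@TEST.WIN.ORG, the kvno and the all-zero key bytes in the sample keytab are constructed for the demo; to inspect a real file, pass its bytes to parse_keytab instead.

```python
# Added example: list the encryption types a Kerberos keytab holds per
# principal. Not from the original question or the spnego project.
# Handles MIT keytab format version 0x0502 (big-endian). The sample keytab
# at the bottom is constructed demo data with dummy keys.
import struct
from typing import Dict, List, NamedTuple

# Enctype numbers from RFC 3961/3962/4757 as stored in keytab entries.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
RC4_HMAC = 23  # the enctype named in the question's GSSException


class KeytabEntry(NamedTuple):
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key_len: int


def _read_counted(buf: bytes, off: int):
    """Read a uint16 big-endian length-prefixed octet string."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _parse_entry(e: bytes) -> KeytabEntry:
    off = 0
    (ncomp,) = struct.unpack_from(">H", e, off)   # components, realm excluded
    off += 2
    realm, off = _read_counted(e, off)
    comps = []
    for _ in range(ncomp):
        c, off = _read_counted(e, off)
        comps.append(c.decode("utf-8", "replace"))
    off += 4                                      # name_type (uint32)
    off += 4                                      # timestamp (uint32)
    vno8 = e[off]
    off += 1
    enctype, key_len = struct.unpack_from(">HH", e, off)
    off += 4 + key_len                            # skip the key bytes themselves
    kvno = vno8
    if len(e) - off >= 4:                         # optional 32-bit kvno wins if set
        (vno32,) = struct.unpack_from(">I", e, off)
        if vno32:
            kvno = vno32
    principal = "/".join(comps) + "@" + realm.decode("utf-8", "replace")
    return KeytabEntry(principal, kvno, enctype, key_len)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("expected keytab version 0x0502")
    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                              # negative size = deleted slot
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def enctypes_for(entries: List[KeytabEntry], principal: str) -> List[int]:
    return sorted({e.enctype for e in entries if e.principal == principal})


def missing_enctypes(entries: List[KeytabEntry], principal: str,
                     needed: List[int]) -> List[int]:
    """Enctypes a client may present that this keytab cannot decrypt."""
    have = set(enctypes_for(entries, principal))
    return [et for et in needed if et not in have]


# --- constructed sample keytab (demo data only; dummy keys) ----------------
def _entry_bytes(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)                  # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 1485770000)         # timestamp, arbitrary
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SAMPLE_PRINCIPAL = "HTTP/app.test.win.org@TEST.WIN.ORG"   # hypothetical SPN
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry_bytes(SAMPLE_PRINCIPAL, 3, 17, bytes(16))   # aes128
                 + _entry_bytes(SAMPLE_PRINCIPAL, 3, 18, bytes(32)))  # aes256

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for en in ents:
        print(f"{en.principal} kvno={en.kvno} "
              f"{ENCTYPE_NAMES.get(en.enctype, en.enctype)} ({en.key_len} bytes)")
    gap = missing_enctypes(ents, SAMPLE_PRINCIPAL, [RC4_HMAC])
    if gap:
        print("no key for", [ENCTYPE_NAMES[g] for g in gap],
              "- a client presenting such a service ticket cannot be decrypted")
```

For the situation in the question, the sample output shows exactly the mismatch the answer describes: the keytab carries only AES keys, so a service ticket encrypted with RC4-HMAC (what the Windows client's klist lists first) has no matching key on the server. Also note that the kvno reported here must match the kvno the KDC currently uses for the account; a keytab regenerated after a password reset is a separate, common cause of the same "cannot find key" error.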