Why can't JDK 1.8.0_121 find the Kerberos encryption types in default_tkt_enctypes? (KrbException: no supported default etypes for default_tkt_enctypes)

The following is information about my environment:

KDC Server : Windows Server 2012

Target machine : Windows 7

JDK Version : Oracle 1.8.0_121 (64 bit)

I get the following exception when I run the Java kinit command on a computer running Windows 7:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Command output in debug mode:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

The following is the output of the ktpass command run on the KDC server (Windows Server 2012) to create tomcat_ad.keytab:

C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser devtcadmin@DEVDEVELOPMENT.COM /princ HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM /pass ****** /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: dev.devdevelopment.com
    Using legacy password setting method
    Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
    Key created.
    Output keytab to C:\tomcat_ad.keytab:
    Keytab version: 0x502
    keysize 99 HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

The following is the contents of the krb5.ini file, which is located in C:\Windows on the Windows 7 machine:

[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true

[realms]
DEVDEVELOPMENT.COM={
    kdc=dev.devdevelopment.com:88
}

[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM

Output of the Java ktab command on Windows 7:

C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp      Principal
---- -------------- ---------------------------------------------------------------------------------------
   3 1/1/70 5:30 AM HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM (18:AES256 CTS mode with HMAC SHA1-96)

I have also placed the JCE jar files in C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security.

Update 1:

When tomcat_ad.keytab is copied into C:\Program Files\Java\jre1.8.0_121\bin, kinit succeeds:

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

kinit also succeeds with tomcat_ad.keytab left at C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab when it is run from outside C:\Program Files\Java\jdk1.8.0_121\bin, with that directory on the path:

C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

kinit with debugging enabled:

C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Is something wrong in C:\Windows\krb5.ini, or with kinit?

+4
2 answers

Copy the keytab into C:\Program Files\Java\jdk1.8.0_121\bin and run kinit from there with just the Kerberos SPN, letting the realm come from krb5.conf:

kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

Also make sure the JCE policy files are in \lib\security of the Java JRE that is actually being used.

Another thing: in AD, on the devtcadmin account, enable "This account supports Kerberos AES 256 bit encryption".

In C:\Windows\krb5.conf on Windows 7 I commented out the Kerberos encryption lines and udp_preference_limit, since Windows 7/2008 already use TCP rather than UDP:

#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1

See TechNet: Kerberos Keytabs

+4

I was using the JDK Kerberos client against Windows Server 2012R2 from Linux with a keytab, and got the same error:

KrbException: no supported default etypes for default_tkt_enctypes

Looking at OpenJDK's EType.java, the check is governed by allow_weak_crypto:

OpenJDK9 EType.java

Adding the following to krb5.conf fixed it:

[libdefaults]
       allow_weak_crypto = true
+1
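To make the failures in the question, the commented-out lines in the first answer and the allow_weak_crypto setting in the second answer reproducible offline, here is an added example (my own code, not from the question or either answer) that models in Python what the 8u121 kinit does before it sends the AS-REQ: it reads the enctype names from [libdefaults] using the spellings that JDK 8's sun.security.krb5.Config.getType() accepts, falls back to the built-in list (18 17 16 23, extended with the DES types 1 and 3 when allow_weak_crypto = true), parses a version 0x0502 keytab the way ktab -l -e does, and reports which key types are usable for the principal. Assumptions: AES-256 is available to the JRE (the second debug run lists etype 18, so the JCE policy was in place), and the key bytes in the constructed keytab are a placeholder rather than the key ktpass printed; the constructed entry has the same 99-byte size ktpass and the Java debug output both report. Run against the posted krb5.ini, the first error appears because `aes256-cts-hmac-shal-96` (letter l, not the digit 1) is not a spelling getType() knows, so every configured type is dropped; with those lines commented out the built-in list is used, and the second error appears only when no key for the principal was loaded from the keytab.

```python
import struct

# Spellings sun.security.krb5.Config.getType() accepts in JDK 8 (case-insensitive),
# mapped to the etype numbers Java prints in its debug output. The posted krb5.ini
# has "aes256-cts-hmac-shal-96" (letter l), which is not in this table.
JDK8_ETYPE_NAMES = {
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
    "des-cbc-crc": 1, "des-cbc-md5": 3,
}
BUILTIN_NO_DES = [18, 17, 16, 23]      # "default etypes ... 18 17 16 23" in the debug log
BUILTIN_WEAK = [18, 17, 16, 23, 1, 3]  # the same list once allow_weak_crypto = true

def libdefaults(text):
    """Key/value pairs of [libdefaults]. Other sections use a brace syntax that
    stock INI parsers reject, so this is a deliberately minimal reader."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip().lower()] = val.strip().strip('"')
    return out

def resolve_etypes(value):
    """Like Config.defaultEtype(): split on ',' if present, else on whitespace, and
    silently drop names getType() does not know. Returns (numbers, rejected names)."""
    names = [n.strip() for n in value.split("," if "," in value else None) if n.strip()]
    known = [JDK8_ETYPE_NAMES[n.lower()] for n in names if n.lower() in JDK8_ETYPE_NAMES]
    return known, [n for n in names if n.lower() not in JDK8_ETYPE_NAMES]

def _counted(buf, off):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Read a version 0x0502 keytab (what ktpass and ktab write) into a list of
    (principal, kvno, etype). Entry layout: int32 size, uint16 component count,
    counted realm, counted components, uint32 name type, uint32 timestamp,
    uint8 vno8, uint16 etype, counted key, then an optional uint32 vno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                      # a negative size marks a deleted slot
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2])
        realm, off = _counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(body, off)
            comps.append(comp)
        _ntype, _ts, vno8 = struct.unpack(">IIB", body[off:off + 9])
        off += 9
        (etype,) = struct.unpack(">H", body[off:off + 2])
        _key, off = _counted(body, off + 2)
        vno = struct.unpack(">I", body[off:off + 4])[0] if off + 4 <= len(body) else vno8
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), vno, etype))
    return entries

def build_keytab(realm, comps, vno, etype, key, name_type=1, timestamp=0):
    """Constructed single-entry keytab in the layout ktpass printed for this
    principal (entry size 99). The key bytes are a placeholder, not a real key."""
    counted = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", name_type, timestamp, vno, etype) + counted(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def diagnose(krb5_text, keytab_bytes, principal):
    """The checks KrbAsReqBuilder.build() runs before the AS-REQ, worded like the
    two kinit failures on this page. Assumes AES-256 is available to the JRE."""
    cfg = libdefaults(krb5_text)
    enabled = BUILTIN_WEAK if cfg.get("allow_weak_crypto", "").lower() == "true" else BUILTIN_NO_DES
    if "default_tkt_enctypes" in cfg:
        wanted, _rejected = resolve_etypes(cfg["default_tkt_enctypes"])
        defaults = [e for e in wanted if e in enabled]          # EType.isSupported()
        if not defaults:
            return "no supported default etypes for default_tkt_enctypes (configured: %s)" % cfg["default_tkt_enctypes"]
    else:
        defaults = enabled                                       # "Using builtin default etypes"
    have = [e for p, _, e in parse_keytab(keytab_bytes) if p == principal]
    usable = [e for e in defaults if e in have]
    if not usable:
        return ("Do not have keys of types listed in default_tkt_enctypes available; "
                "only have keys of following type: %s" % " ".join(map(str, have)))
    return "ok: default etypes %s, usable %s" % (defaults, usable)

PRINCIPAL = "HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM"
KEYTAB = build_keytab("DEVDEVELOPMENT.COM", ["HTTP", "dev26.devdevelopment.com"], 3, 18, bytes(range(32)))
POSTED_INI = "[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\ndefault_tkt_enctypes=aes256-cts-hmac-shal-96\n"
FIXED_INI = POSTED_INI.replace("shal", "sha1")
NO_ENCTYPES_INI = "[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\n"   # enctype lines commented out

if __name__ == "__main__":
    for label, ini in (("posted", POSTED_INI), ("fixed", FIXED_INI), ("built-in", NO_ENCTYPES_INI)):
        print(label, "->", diagnose(ini, KEYTAB, PRINCIPAL))
    print("built-in, keytab not loaded ->", diagnose(NO_ENCTYPES_INI, b"\x05\x02", PRINCIPAL))
```

Correcting the spelling to aes256-cts-hmac-sha1-96 (or simply aes256-cts) makes the posted configuration work with the AES-256-only keytab. allow_weak_crypto is only relevant when the configured list or the keytab holds single-DES keys, and enabling it re-admits DES for every exchange, so it is a workaround for a DES keytab rather than a fix for a misspelled AES name.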

Source: https://habr.com/ru/post/1673104/

