KDC n'a pas de support pour le chiffrement de type (14)

Je suis en train de mettre en œuvre l'authentification unique avec kerberos à l'aide de printemps à la sécurité kerberos extension.

J'ai créé un fichier keytab et j'obtiens l'erreur suivante lorsque vous essayez d'accéder à ma webapp:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

J'ai essayé de tester mon fichier keytab selon ce post.

Le fichier keytab a été créé avec la commande suivante:

ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass myPass /ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT /kvno 0

Mon krb5.conf est comme suit

[libdefaults]
default_realm = MYDOMAIN.COM
permitted_enctypes =  aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.COM = {
kdc = controller1.mydomain.com:88
kdc = controler2.mydomain.com:88
kdc = controller3.mydomain.com:88
admin_server = controller3.mydomain.com
default_domain = MYDOMAIN.COM
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[login]
krb4_convert = true
krb4_get_tickets = false

J'obtiens l'erreur suivante:

 KDC has no support for encryption type (14)

J'ai essayé activation DES, AES-128 et AES-256 pour le compte de la SPN, mais elle ne résout pas le problème.

Ce qui me manque ici?

Grâce,
Lior

Dans ktpass vous êtes forçant un étrange valeur de kvno: 0. En général c'est 1 ou plus. À partir de Windows 2008, on peut définir l'crypto à Tous.
blogs.msdn.com/b/openspecification/archive/2011/05/31/...
Comme AD augmente toujours "la clé de la version' dans l'entrée correspondant à SPN lorsque vous utilisez ktpass vous devez cocher la case " version clé abord au service de l'ANNONCE, puis l'utiliser +1 pour '/kvno " pour ktpass. Cependant ce n'est pas lié à ce problème
Hé les gars, Merci pour votre aide. J'ai lu que java peut avoir des problèmes avec la lecture d'un fichier keytab avec kvno autre que 0, c'est pourquoi j'ai particulièrement mis à 0. Malheureusement, je ne pouvais pas trouver ce post encore une fois... de toute façon, je l'ai essayé aujourd'hui sans la spécification kvno, et j'obtiens la même erreur.
J'ai dû cocher les cases pour chacun de mes spn comptes pour "Ce compte prend en charge Kerberos AES 128 bits de cryptage" et "Ce compte prend en charge Kerberos AES 256 bits de cryptage".

OriginalL'auteur Lior Chaga | 2014-05-22

  1. 5

    juste défoncé ma tête contre le KrbException "KDC n'a pas de support pour enryption type (14)" pour plusieurs jours dans la séquence. J'ai visité de nombreux endroits, y compris certains approfondie MSDN billets de blog (de Sun Hongwei, Sebastian Canevari) je ne peut pas faire référence pour manque de notoriété.

    Merci, pour votre mention de kvno 0 et dsiabling de DES il fonctionne maintenant aussi sur mon côté.

    En fin de compte, il est apparu que j'ai mon Compte d'Utilisateur de l'installation avec

    userAccountControl: 0d66048 ou 0x10200 qui correspond à 0b10000001000000000
    ou ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) et ADS_UF_NORMAL_ACCOUNT (0x00000200), mais pas de UF_USE_DES_KEY_ONLY (0x200000), établis

    et

    fs-SupportedEncryptionTypes: 0d16 ou 0x10 qui correspond à 0b10000 ou AES256-CTS-HMAC-SHA1-96 (0x10), mais pas de RC4-HMAC (0x04).

    ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/[email protected]' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=localnet,dc=org> with scope subtree
# filter: userPrincipalName=HTTP/[email protected]
# requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
#

# spn_hostname, DokSvc, Services, Accounts, localnet.org
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/[email protected]
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/[email protected]
msDS-SupportedEncryptionTypes: 16

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

    Avec ce et le suivant dans mon /etc/krb5.conf je peux reproducably provoquer "KrbException KDC n'a pas de support pour enryption type (14)" lors de la suppression de la rc4-hmac de la default_tkt_enctypes.

    /etc/krb5.conf:

    [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
[libdefaults]
  default_realm = LOCALNET.DE
  default_tkt_enctypes = aes256-cts
  default_tgs_enctypes = aes256-cts
  permitted_enctypes = aes256-cts
[realms]
LOCALNET.ORG = {
  kdc = masterdc.localnet.org:88
  admin_server = masterdc.localnet.org
  default_domain = LOCALNET.ORG
}
[domain_realm]
  .localnet.org = LOCALNET.ORG
  localnet.org = LOCALNET.ORG
[appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true

    Toutefois, si vous la changez pour default_tkt_enctypes = aes256-cts rc4-hmac il va réussir.

    Notez que vous pouvez également laisser la spécification de la default_tkt_enctypes directive dans /etc/krb5.conf, afin de le faire fonctionner. 

    Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.

    À cet effet, il ressemble à Windows Server 2008 SP2 Active Directory ne demandent explicitement RC4-HMAC dans la Pré-phase d'Authentification:

             PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

    J'ai mis à jour la JCE 1.8.0 politique de fichiers au sein de mon du JDK jre/lib/security dossier pour AES256 à être pris en charge.

    Salutations,
    Stefan

    La enctypes sont précisées dans les

    Kerberos Paramètres
    http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

    etype   encryption type     Reference
1   des-cbc-crc     [RFC3961]
3   des-cbc-md5     [RFC3961]
17  aes128-cts-hmac-sha1-96     [RFC3962]
18  aes256-cts-hmac-sha1-96     [RFC3962]
23  rc4-hmac    [RFC4757]

    Échec:

    java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:

        hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=194
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
         suSec is 822386
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
         suSec is 25186
         error code is 14
         error Message is KDC has no support for encryption type
         sname is krbtgt/[email protected]
         msgType is 30
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
        ... 5 more

    Succès:

    java -cp /home/wls0/webdav/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:

        hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=180
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=180
>>> KrbKdcReq send: #bytes read=201
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove masterdc.localnet.org
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 19:11:56 CET 2017 1484676716000
         suSec is 116308
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=269
>>> KrbKdcReq send: #bytes read=94
>>> KrbKdcReq send: kdc=masterdc.localnet.org TCP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org TCP:88, timeout=30000,Attempt =1, #bytes=269
>>>DEBUG: TCPClient reading 1615 bytes
>>> KrbKdcReq send: #bytes read=1615
>>> KdcAccessibility: remove masterdc.localnet.org
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.localnet.org
New ticket is stored in cache file /tmp/krb5cc_723

    PS: Vous pouvez extraire le Kerberos 5 Outils à partir d'un Windows JDK Oracle avez supprimé de la version de JDK 1.6-delà. Cela vous donne plus de sortie de débogage sur une plateforme Linux avec le Paramètre (-Dsun.de sécurité.krb5.debug=true).

    mkdir sun.security.krb5
cd sun.security.krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
dir

    Cela fonctionne autour de JDK-6910497 : Kinit classe manquante
    http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6910497

    OriginalL'auteur stefan123t

  2. 4

    A finalement obtenu ce travail:
    Lors de la mise en œuvre de l'authentification kerberos pour Oracle JDK 6, on devrait utiliser RC4-HMAC chiffrement, et ainsi de le DES et l'AES de soutien doit être désactivé pour le compte de l'utilisateur.

    Pourquoi n'ai-je vérifier en premier lieu est une autre histoire....

    OriginalL'auteur Lior Chaga

  3. 0

    Ce qui les a aidé dans mon cas, c'était le commutateur

    ktpass ... -crypto all ...

    et j'ai commenté l'ensemble de ces krb5.conf:

    # default_tkt_enctypes = ...
# default_tgs_enctypes = ...
# permitted_enctypes   = ...

    Je suppose que c'est la configuration par défaut avec rc4-hmac codage qui est la plus compatible.

    Pas les réglages ont été nécessaires dans Active Directory sur mon compte SPN.

    Windows Server 2008, Weblogic 10.3.6, Oracle JDK 1.7

    OriginalL'auteur E.Egiazarov