Active Directory: KDC has no support for encryption type (14)
I am trying to implement SSO via Kerberos using the Spring Security Kerberos extension. I created a keytab file, and I get the following error when trying to access my webapp:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
I tried to test my keytab according to
The keytab was created with the following command:
ktpass /out http-web.keytab /mapuser testing@MYDOMAIN.COM /princ HTTP/testing@MYDOMAIN.COM /pass myPass /ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT /kvno 0
My krb5.conf is as follows:
[libdefaults]
default_realm = MYDOMAIN.COM
permitted_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
MYDOMAIN.COM = {
kdc = controller1.mydomain.com:88
kdc = controler2.mydomain.com:88
kdc = controller3.mydomain.com:88
admin_server = controller3.mydomain.com
default_domain = MYDOMAIN.COM
}
[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM
[login]
krb4_convert = true
krb4_get_tickets = false
I get the following error:
KDC has no support for encryption type (14)
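I have tried enabling DES, AES-128 and AES-256 for the SPN account, but that did not solve the problem.
What am I missing?
Thanks,
Lior

Finally got it working:
When implementing Kerberos authentication for Oracle JDK 6, RC4-HMAC encryption should be used, so DES and AES support should be disabled for the user account.
Why I had checked them in the first place is another story...

I banged my head for days against the KrbException "KDC has no support for encryption type (14)". I visited many places, including some in-depth MSDN blog posts (from Hongwei Sun, Sebastian Canevari), which I cannot reference due to lack of reputation.
Thanks for mentioning kvno 0 and disabling DES; it now works on my side too.
In the end it came down to how my user account was set up:
userAccountControl: 0d66048 or 0x10200, which matches 0b1000000100000000, or ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) and ADS_UF_NORMAL_ACCOUNT (0x00000200), but UF_USE_DES_KEY_ONLY (0x200000) not set
and
msDS-SupportedEncryptionTypes: 0d16 or 0x10, which matches 0b10000 or AES256-CTS-HMAC-SHA1-96 (0x10), but RC4-HMAC (0x04) not set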
ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=localnet,dc=org> with scope subtree
# filter: userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG
# requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
#
# spn_hostname, DokSvc, Services, Accounts, localnet.org
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
msDS-SupportedEncryptionTypes: 16
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, if you change it to default_tkt_enctypes = aes256-cts rc4-hmac, it succeeds.
Note that you can also leave out the default_tkt_enctypes directive in /etc/krb5.conf to make it work:
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
So it looks like Windows Server 2008 SP2 Active Directory really does explicitly require RC4-HMAC during the pre-authentication phase:
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
To support AES256, I updated the JCE 1.8.0 policy files in the JDK's jre/lib/security folder.
Kind regards,
Stefan
These types are specified under Kerberos Parameters
Fails:
java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/hostname.localnet.org@LOCALNET.ORG
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/hostname.localnet.org@LOCALNET.ORG
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:
hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=194
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
suSec is 822386
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
suSec is 25186
error code is 14
error Message is KDC has no support for encryption type
sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
msgType is 30
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.init(Unknown Source)
at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
... 5 more
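PS: You may want to extract the Kerberos 5 tools from the Windows JDK, since Oracle has removed them from JDK versions after 1.6. This gives you additional debug output on Linux platforms with the parameter (-Dsun.security.krb5.debug=true). This relates to JDK-6910497: Kinit class missing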
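
To triage a trace like the one quoted above, the enctype-related facts can be pulled out mechanically. The following Python sketch is an added example, not code from the original posts; the names summarize and describe and the embedded sample lines are constructed for illustration, using the line formats shown in the trace.

```python
import re

# Standard Kerberos enctype numbers that appear in the trace.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

# Constructed sample: a few lines in the format of the debug trace above.
SAMPLE_TRACE = """\
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 18.
PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
error code is 25
error code is 14
"""

def _ints(pattern, text):
    return [int(n) for n in re.findall(pattern, text)]

def summarize(trace):
    """Collect the enctype-related facts from a sun.security.krb5.debug trace."""
    usable = set(_ints(r"Added key: (\d+)version", trace))
    requested = []
    for m in re.finditer(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", trace):
        requested = [int(n) for n in m.group(1).split()]  # keep the last list logged
    offered = set(_ints(r"PA-ETYPE-INFO2 etype = (\d+)", trace))
    return {
        "keytab_usable": sorted(usable),
        "keytab_skipped": sorted(set(_ints(r"Found unsupported keytype \((\d+)\)", trace))),
        "requested": requested,
        "kdc_preauth": sorted(offered),
        "errors": _ints(r"error code is (\d+)", trace),
        # requested by the client, but no usable key for it in the keytab
        "requested_without_key": [e for e in requested if e not in usable],
        # named by the KDC for pre-authentication, but not requested by the client
        "kdc_not_requested": sorted(offered - set(requested)),
    }

def describe(etypes):
    """Render enctype numbers with their names, e.g. '18 (aes256-cts)'."""
    return ", ".join(f"{e} ({ETYPES.get(e, 'unknown')})" for e in etypes)

if __name__ == "__main__":
    for field, value in summarize(SAMPLE_TRACE).items():
        print(f"{field}: {describe(value) if field != 'errors' else value}")
```

A non-empty kdc_not_requested list means the KDC asked for a pre-authentication enctype that the client's default_tkt_enctypes does not include.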

What helped in my case was the switch
ktpass ... -crypto all ...
and I commented out all of these in krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = LOCALNET.DE
default_tkt_enctypes = aes256-cts
default_tgs_enctypes = aes256-cts
permitted_enctypes = aes256-cts
[realms]
LOCALNET.ORG = {
kdc = masterdc.localnet.org:88
admin_server = masterdc.localnet.org
default_domain = LOCALNET.ORG
}
[domain_realm]
.localnet.org = LOCALNET.ORG
localnet.org = LOCALNET.ORG
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
# default_tkt_enctypes = ...
# default_tgs_enctypes = ...
# permitted_enctypes = ...
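I guess its defaults are the most compatible with rc4-hmac encoding.
No special settings were needed in Active Directory for my SPN account.
Windows Server 2008, Weblogic 10.3.6, Oracle JDK 1.7

My solution was to check these two options for the AD user via the Active Directory Users and Computers tool, on the Account tab:

In ktpass you force a strange kvno value: 0. Usually it is 1 or more. Starting with Windows 2008 you can set crypto to All. When you use ktpass, AD always increments the "key version" in the entry corresponding to the SPN; you must first check the "key version" in AD and then use +1 for "/kvno" in ktpass. That is unrelated to this problem, though.

Guys, thanks for your help. I learned that Java may have problems when reading a keytab with kvno 0, so I set it to 0 specifically. Unfortunately I can't find that post anymore... Anyway, I have now tried it without specifying kvno, but I get the same error.

I had to tick the checkboxes "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" for each of my SPN accounts.

You are right, you need to enable and use RC4-HMAC, since it is the cipher recommended and supported by MS Active Directory aka Kerberos. At least in the 2008 variant I had to deal with. I think AES can be used for other parts of the communication, but the key exchange is limited to RC4-HMAC.

You guessed right, RC4-HMAC is the only supported encoding/cipher here.

I strongly disagree with this, especially since recent versions of the Oracle JDK (>= 1.8.u060) rightly blacklist the MD5 and RC4 algorithms for their known insecurity. You may need to re-enable them in the JDK conf/security/java.security by removing RC4 from jdk.tls.disabledAlgorithms and/or jdk.certpath.disabledAlgorithms.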
mkdir sun.security.krb5
cd sun.security.krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
dir