Java Authentication against Active Directory, authentication mismatch?


Solution 1

So, I got it past this stage. I can only guess that the DES support in active directory for Windows Server 2012 is broken, as I ended up tweaking my krb5.conf file and setting the two default ticket types and permitted types to just aes256-cts-hmac-sha1-96 and it worked for the one user. After enabling aes256 for other users in AD, it continued to work.
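A krb5.conf that applies the change Solution 1 describes, added here as an example and not the poster's own file. It reuses the realm and KDC address from the question and assumes the JVM reads this file; the commented-out line shows the DES-first list it replaces.

```ini
[libdefaults]
    default_realm = TEST.SQRRL.COM
    # A legacy list that offers DES first. DES is disabled by default on
    # Windows Server 2008 R2 and later, so the KDC answers with error 14.
    # default_tkt_enctypes = des-cbc-md5 des-cbc-crc aes256-cts-hmac-sha1-96
    # Restrict the two default lists and the permitted list to AES-256:
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96

[realms]
    TEST.SQRRL.COM = {
        kdc = 172.16.101.128
    }
```

The account must also hold an AES-256 key in AD (the "This account supports Kerberos AES 256 bit encryption" option on the user), which is the per-user step Solution 1 mentions.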

Solution 2

You need to access the user's account and check the 'use kerberos DES encryption types' checkbox.

You'll need to log in to your DS as an admin to do this, of course.

Solution 3

Looking at init() in KDCRep.java, the only part that looks like it could be throwing your error is:

    if ((subDer.getTag() & 0x1F) == 0x00) {
        pvno = subDer.getData().getBigInteger().intValue();
        if (pvno != Krb5.PVNO) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
        }
    } else {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }

It does seem a bit odd that the error's being printed as a KrbException, but it could work since KrbApErrException is a subclass of KrbException. init() can't throw any other subclasses of KrbException, though.

Scratch that. A better possibility is that it's one of the Asn1Exceptions in there, since the constructor in KrbAsRep.java catches and rethrows those errors as KrbExceptions (with an appropriate initCause that would match up pretty well with the stack trace).

"Identifier doesn't match expected value (906)" leads me to believe it's throwing an Asn1Exception(Krb5.ASN1_BAD_ID), since Krb5.ASN1_BAD_ID has value 906. That's not overly helpful, since that seems to be the default error in init().

See if you can generate the DerValue corresponding to your configuration and inspect it manually, seeing where init() would reject it, then step backward from there, looking at what part of your configuration created the erroneous bits.


Upon further inspection, the message "KDC has no support for encryption type" leads me to believe Krb5.KDC_ERR_ETYPE_NOSUPP must have been used. But, as that's only used for the default instance of Etype, that might not mean much.
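To make the DerValue inspection Solution 3 suggests concrete, here is a small KRB-ERROR decoder, added as an example rather than code from the question or the JDK. It applies the same checks as KDCRep.init() (context tag masked with 0x1F, pvno must be 5, anything else is ASN1_BAD_ID 906), and the message it decodes is constructed to match the question's KRBError dump, not captured from a KDC.

```python
# Decoder for a Kerberos KRB-ERROR (RFC 4120 5.9.1) applying the same checks as
# sun.security.krb5.internal.KDCRep.init(): context tags masked with 0x1F, pvno
# must be 5, and an unexpected identifier is reported as ASN1_BAD_ID (906).
KDC_ERR_ETYPE_NOSUPP = 14          # error code in the question's KRBError dump

def _tlv(data, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos); long lengths handled."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                 # long form: N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _items(seq):                   # yield (tag, value) for each TLV in a SEQUENCE
    pos = 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        yield tag, value

def _int(v): return int.from_bytes(v, "big", signed=True)

# Minimal DER encoder, only used to build the constructed sample below.
def _der(tag, value): return bytes([tag, len(value)]) + value      # len < 128
def _ctx(n, tlv): return _der(0xA0 | n, tlv)                       # explicit [n]
def _int_der(i): return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))
def _gs(s): return _der(0x1B, s.encode())                          # GeneralString

def sample_krb_error():
    """Constructed KRB-ERROR mirroring the question's dump (not a real capture)."""
    sname = _der(0x30, _ctx(0, _int_der(2)) +                      # NT-SRV-INST
                 _ctx(1, _der(0x30, _gs("krbtgt") + _gs("test.SQRRL.COM"))))
    seq = (_ctx(0, _int_der(5)) + _ctx(1, _int_der(30)) +          # pvno, msg-type
           _ctx(4, _der(0x18, b"20121127231636Z")) + _ctx(5, _int_der(257213)) +
           _ctx(6, _int_der(KDC_ERR_ETYPE_NOSUPP)) + _ctx(9, _gs("test.SQRRL.COM")) +
           _ctx(10, sname))
    return _der(0x7E, _der(0x30, seq))                             # [APPLICATION 30]

def decode_krb_error(msg):
    """Return the fields KDCRep.init() accepts, or raise as it would."""
    tag, body, _ = _tlv(msg)
    if tag != 0x7E or _tlv(body)[0] != 0x30:
        raise ValueError("Identifier doesn't match expected value (906)")
    fields = {}
    for ctx, inner in _items(_tlv(body)[1]):
        fields[ctx & 0x1F] = _tlv(inner)[1]                        # unwrap [n]
    if _int(fields[0]) != 5:
        raise ValueError("KRB_AP_ERR_BADVERSION")
    name = dict(_items(fields[10]))                                # PrincipalName
    parts = [v.decode() for _, v in _items(_tlv(name[0xA1])[1])]
    return {"msg_type": _int(fields[1]), "error_code": _int(fields[6]),
            "stime": fields[4].decode(), "susec": _int(fields[5]),
            "realm": fields[9].decode(), "sname": "/".join(parts)}
```

Feeding a captured reply (for example from the sun.security.krb5.debug output) into decode_krb_error shows which check rejects it before the JDK wraps the cause as a KrbException.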

Author: ohshazbot

Updated on December 13, 2020

Comments

  • ohshazbot, over 3 years ago

    So I have some code which I'm testing to make sure it works nicely for authentication. It works fine against straight kerberos, so I figured there should only be some minor hiccups with AD. Unfortunately, I cannot get around a KrbException: KDC has no support for encryption type (14).

    I know the error is an encryption type mismatch. But I can kinit just fine, it's only in the code that I hit an issue. I'm not setting anything, so I think it should be inheriting the same defaults as kinit, but that obviously isn't the case.

    The code:

    System.setProperty("sun.security.krb5.debug", "true");
    System.setProperty("java.security.krb5.realm", "TEST.SQRRL.COM");
    System.setProperty("java.security.krb5.kdc", "172.16.101.128");
    System.setProperty("java.security.auth.login.config", "./conf/jaas.conf");
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
    
    // "Server" references the JAAS configuration entry in the jaas.conf file.
    LoginContext loginCtx = new LoginContext("Server", new LoginCallbackHandler("test".toCharArray()));
    loginCtx.login();
    Subject subject = loginCtx.getSubject();
    

    and the jaas.conf:

    Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=true
    principal="[email protected]";
    };
    

    And the stack trace:

    >>>KRBError:
         sTime is Tue Nov 27 18:16:36 EST 2012 1354058196000
         suSec is 257213
         error code is 14
         error Message is KDC has no support for encryption type
         realm is test.SQRRL.COM
         sname is krbtgt/test.SQRRL.COM
         msgType is 30
    javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
        at main.ServerImpl.<init>(ServerImpl.java:91)
        at main.PlugServer.run(PlugServer.java:22)
        at main.PlugServer.main(PlugServer.java:42)
    Caused by: KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
        ... 15 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 19 more
    Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at main.PlugServer.run(PlugServer.java:36)
        at main.PlugServer.main(PlugServer.java:42)
    Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
        at main.ServerImpl.<init>(ServerImpl.java:91)
        at main.PlugServer.run(PlugServer.java:22)
        ... 1 more
    Caused by: KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
        ... 15 more
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 19 more