Hello

I have CAS running on redhat/tomcat and am trying to get it to use SPNEGO.
I have the keytabs and such set up correctly and I can kinit/klist.  Also I
can do SPNEGO at the apache level on the same machine without issue.  But
trying to get CAS to work with SPNEGO, I am getting odd encryption issues.
One thing to note, our KDC only uses aes-256.

It looks like when I connect to CAS with my browser, it is selecting the
rc4 encryption type, not the aes-256 one.

Here is an excerpt from my log:
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: #bytes read=645
>>> KrbKdcReq send: #bytes read=645
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/myserver
Entered Krb5Context.acceptSecContext with state=STATE_NEW
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
        at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
        at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
        at jcifs.spnego.Authentication.process(Authentication.java:235)
....
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        ... 154 more
Caused by: KrbException: Specified version of key is not available (44)
        at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)


After trying to research this, I did see in an older post (
http://jasig.275507.n4.nabble.com/CAS-SPNEGO-authentication-always-right-with-IE-td1568991.html)
the following:

The default tkt and tgs enctypes need to be set to rc4-hmac.  Windows
Server 2008 supports encryption up to 256 aes however, not all Kerberos
clients do, including the CAS server Kerberos client.  The encryption is
forced down to rc4-hmac for compatibility with CAS.


Is this still correct? Does CAS only support rc4?

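Added example, not part of the original post and not CAS or JDK code: a small Python helper that reads JDK Kerberos debug output like the excerpt above and compares the encryption types the Java client prefers with the ones the KDC issues. The function name `analyze`, the sample string, and the assumption that "aes-256" means etype 18 (aes256-cts-hmac-sha1-96) are mine.

```python
import re

# Kerberos encryption type numbers that appear in the log excerpt.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}

# Constructed sample: four lines copied from the excerpt in the post.
SAMPLE_LOG = """\
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Pre-Authenticaton: find key for etype = 23
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Caused by: KrbException: Specified version of key is not available (44)
"""

def analyze(log, kdc_etypes):
    """Summarize etype selection in JDK krb5 debug output against the set of
    etype numbers the KDC is assumed to hold keys for (hypothetical helper)."""
    report = {"preference": [], "preauth": None, "error_44": False, "findings": []}
    m = re.search(r"default etypes for default_tkt_enctypes:\s*([\d ]+)", log)
    if m:
        report["preference"] = [int(n) for n in m.group(1).split()]
    m = re.search(r"find key for etype = (\d+)", log)
    if m:
        report["preauth"] = int(m.group(1))
    # Error 44 is KRB_AP_ERR_BADKEYVER: no matching key version was found.
    report["error_44"] = "not available (44)" in log

    def name(n):
        return ETYPES.get(n, "etype-%d" % n)

    unsupported = [n for n in report["preference"] if n not in kdc_etypes]
    if unsupported:
        report["findings"].append("client offers etypes the KDC does not use: "
                                  + ", ".join(name(n) for n in unsupported))
    if report["preauth"] is not None and report["preauth"] not in kdc_etypes:
        report["findings"].append("pre-auth key lookup used " + name(report["preauth"]))
    first_ok = next((n for n in report["preference"] if n in kdc_etypes), None)
    if first_ok is not None and report["preference"].index(first_ok) > 0:
        report["findings"].append(name(first_ok) + " is not first in the client's preference order")
    return report

if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG, kdc_etypes={18})["findings"]:
        print(line)
```
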