Hello CAS folks!

I am just following up on the question I posted on April 5th.   The main
part of the question was:

With the current version of CAS, does it only support rc4 when doing SPNEGO?

My question stems from the following older post to this group and my lack
of success getting SPNEGO to work with CAS using AES-256.

 (
http://jasig.275507.n4.nabble.com/CAS-SPNEGO-authentication-always-right-with-IE-td1568991.html
)

The default tkt and tgs enctypes need to be set to rc4-hmac.  Windows
Server 2008 supports encryption up to 256 aes however, not all Kerberos
clients do, *including the CAS server Kerberos client.  The encryption is
forced down to rc4-hmac for compatibility with CAS*.

thanks!




On Fri, Apr 5, 2013 at 12:36 PM, Mathew Anderson
<[email protected]> wrote:

> Hello
>
> I have CAS running on redhat/tomcat and am trying to get it to use SPNEGO.
> I have the keytabs and such set up correctly and I can kinit/klist.  Also I
> can do SPNEGO at the apache level on the same machine without issue.  But
> trying to get CAS to work with SPNEGO, I am getting odd encryption issues.
> One thing to note, our KDC only uses aes-256.
>
> It looks like when I connect to CAS with my browser, it is selecting the
> rc4 encryption type, not the aes-256 one.
>
> Here is an excerpt from my log:
> default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
> Pre-Authenticaton: find key for etype = 23
> AS-REQ: Add PA_ENC_TIMESTAMP now
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: #bytes read=645
> >>> KrbKdcReq send: #bytes read=645
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/myserver
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> jcifs.spnego.AuthenticationException: Error performing Kerberos
> authentication: java.lang.reflect.InvocationTargetException
>         at
> jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
>         at
> jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
>         at jcifs.spnego.Authentication.process(Authentication.java:235)
> ....
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Specified version of key is not available (44))
>         at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>         at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>         at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>         ... 154 more
> Caused by: KrbException: Specified version of key is not available (44)
>         at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:516)
>         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:260)
>         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
>
>
> After trying to research this, I did see in an older post (
> http://jasig.275507.n4.nabble.com/CAS-SPNEGO-authentication-always-right-with-IE-td1568991.html)
> the following:
>
> The default tkt and tgs enctypes need to be set to rc4-hmac.  Windows
> Server 2008 supports encryption up to 256 aes however, not all Kerberos
> clients do, including the CAS server Kerberos client.  The encryption is
> forced down to rc4-hmac for compatibility with CAS.
>
>
> Is this still correct, does CAS only support rc4?
>
