Hello,

According to this exception: *KrbException: Specified version of key is not available (44)*, it seems that your keytab does not include the key with the expected cipher. You can check it with ktutil:

    $ ktutil
    ktutil: rkt /etc/tomcat/cas/http.keytab
    ktutil: l -e
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    2 HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
       2    2 HTTP/myserver@MYDOMAIN (arcfour-hmac)
       3    2 HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
       4    2 HTTP/myserver@MYDOMAIN (des-cbc-crc)

The first time I tried to use SPNEGO against MIT Kerberos, I ran into another exception related to AES 256: *KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled*

This is a Java-related issue, not CAS-related: I had to download a Java Cryptography Extension with unlimited strength in order to use keys larger than 128 bits.
Rgds.

On 15/04/2013 17:10, Mathew Anderson wrote:
Marvin - Thanks for the response and guidance.

I have submitted the improvement. The JIRA number is CAS-1295 <https://issues.jasig.org/browse/CAS-1295>.

On Mon, Apr 15, 2013 at 7:39 AM, Marvin S. Addison <[email protected]> wrote:

The default tkt and tgs enctypes need to be set to rc4-hmac. Windows Server 2008 supports encryption up to 256 aes however, not all Kerberos clients do, *including the CAS server Kerberos client. The encryption is forced down to rc4-hmac for compatibility with CAS*.

Not very familiar with that part of the codebase, but as I understand your observation, CAS only supports the RC4 cipher and you would like support for other ciphers, including AES-256. Is that correct? If yes, please file a Jira improvement issue for it and post the link to the issue here to close the loop.

Thanks,
M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
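
The keytab check described in this message, as an added example (not code from the thread or from CAS): it parses a ktutil `l -e` listing and reports whether a key for a given principal, KVNO and enctype is present. It goes slightly beyond the message by separating a KVNO mismatch from a missing enctype; the function names, result strings and the expected KVNO/enctype inputs are assumptions for illustration.

```python
import re

# Constructed sample: the `l -e` listing shown in the message above.
SAMPLE_LISTING = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
   2    2 HTTP/myserver@MYDOMAIN (arcfour-hmac)
   3    2 HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
   4    2 HTTP/myserver@MYDOMAIN (des-cbc-crc)
"""

# One listing row: slot, KVNO, principal, (enctype). Header rows do not match.
ENTRY = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# MIT krb5 accepts several names for one enctype; map them to the listed form.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

def canonical(etype):
    name = etype.strip().lower()
    return ALIASES.get(name, name)

def parse_keytab_listing(text):
    """Return the set of (principal, kvno, enctype) keys in the listing."""
    keys = set()
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            _slot, kvno, principal, etype = m.groups()
            keys.add((principal, int(kvno), canonical(etype)))
    return keys

def diagnose(keys, principal, kvno, etype):
    """Say why a ticket encrypted with (kvno, etype) can or cannot be decrypted."""
    etype = canonical(etype)
    if (principal, kvno, etype) in keys:
        return "ok"
    mine = [(k, e) for p, k, e in keys if p == principal]
    if not mine:
        return "principal-missing"
    if not any(e == etype for _, e in mine):
        return "enctype-missing"   # keytab has no key for this cipher
    return "kvno-mismatch"         # cipher present, but for another key version

if __name__ == "__main__":
    keys = parse_keytab_listing(SAMPLE_LISTING)
    for kvno, etype in [(2, "rc4-hmac"), (3, "aes256-cts"), (2, "aes128-cts")]:
        print(kvno, etype, diagnose(keys, "HTTP/myserver@MYDOMAIN", kvno, etype))
```

Both "enctype-missing" and "kvno-mismatch" mean the keytab holds no key matching the one the ticket was encrypted with, which is the condition the exception text describes.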
