Thank you for the info. Double-checking the keytab, I do have the aes256
one listed:
8 1 HTTP/host@domain (aes256-cts-hmac-sha1-96)
I did notice that with Oracle's Java, I needed to download the
cryptography extension. I also tried with OpenJDK (1.6.0_24 in this case)
and received a similar error: it starts to use aes256, but CAS uses
arcfour and the checksum fails.
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is hostHTTPdomain
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=ip UDP:x, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=ip UDP:x, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=683
>>> KrbKdcReq send: #bytes read=683
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/host
Found key for HTTP/host@domain(23)
Found key for HTTP/host@domain(1)
Found key for HTTP/host@domain(16)
Found key for HTTP/host@domain(3)
Found key for HTTP/host@domain(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
jcifs.spnego.AuthenticationException: Error performing Kerberos
authentication: java.lang.reflect.InvocationTargetException
at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
at jcifs.spnego.Authentication.process(Authentication.java:235)
at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
Thanks again for the suggestions!
On Tue, Apr 16, 2013 at 3:37 AM, Philippe MARASSE <[email protected]> wrote:
> Hello,
>
> According to this exception: *KrbException: Specified version of key is
> not available (44)*, it seems that your keytab does not include the key
> with the expected cipher. You can check it with ktutil:
>
> $ ktutil
> ktutil: rkt /etc/tomcat/cas/http.keytab
> ktutil: l -e
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 2 HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
> 2 2 HTTP/myserver@MYDOMAIN (arcfour-hmac)
> 3 2 HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
> 4 2 HTTP/myserver@MYDOMAIN (des-cbc-crc)
>
> The first time I tried to use SPNEGO against MIT Kerberos, I ran into
> another exception related to AES 256: *KrbException: Encryption type
> AES256 CTS mode with HMAC SHA1-96 is not supported/enabled*. This is a
> Java-related issue, not CAS-related: I had to download a Java Cryptography
> Extension with unlimited strength in order to use keys larger than 128 bits.
>
> Rgds.
>
> On 15/04/2013 17:10, Mathew Anderson wrote:
>
> Marvin - Thanks for the response and guidance.
>
> I have submitted the improvement. The JIRA number is
> CAS-1295 <https://issues.jasig.org/browse/CAS-1295>.
>
> On Mon, Apr 15, 2013 at 7:39 AM, Marvin S. Addison <[email protected]> wrote:
>
>> The default tkt and tgs enctypes need to be set to rc4-hmac. Windows
>>> Server 2008 supports encryption up to 256 aes however, not all Kerberos
>>> clients do, *including the CAS server Kerberos client. The encryption
>>> is forced down to rc4-hmac for compatibility with CAS*.
>>>
>>
>> Not very familiar with that part of the codebase, but as I understand
>> your observation, CAS only supports the RC4 cipher and you would like
>> support for other ciphers, including AES-256. Is that correct? If yes,
>> please file a Jira improvement issue for it and post the link to the issue
>> here to close the loop.
>>
>> Thanks,
>> M
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
>
>
> --
> Philippe MARASSE
>
> Service Informatique - Centre Hospitalier Henri Laborit
> CS 10587 - 370 avenue Jacques Coeur
> 86021 Poitiers Cedex
> Tel : 05.49.44.57.19
>
>
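The two checks this thread walks through by hand (what enctypes and KVNOs the keytab actually holds, and which enctype the service ticket Java is trying to decrypt) can be scripted. The following is an added example written for this page; it is not code from CAS, JCIFS or the JDK. It parses the MIT keytab file format directly, so it needs neither ktutil nor a Kerberos install, and it reads the `-Dsun.security.krb5.debug=true` trace quoted above to find the ticket's enctype. The keytab bytes are constructed in the block itself (the principal `HTTP/host@DOMAIN`, its key bytes and the timestamp are made up for the example); the trace excerpt is the one posted in the thread.

```python
"""Inspect an MIT-format keytab and cross-check it against a Java Kerberos
debug trace.  Added example for this thread, not CAS/JCIFS/JDK code; the
keytab below is constructed with build_keytab(), not taken from a server."""
import re
import struct

# Enctype numbers (RFC 3961, RFC 3962, RFC 4757) with the names klist -e prints.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}

# The JDK debug trace names an etype by its implementation class.
JAVA_ETYPE_CLASSES = {"DesCbcCrcEType": 1, "DesCbcMd5EType": 3,
                      "Des3CbcHmacSha1KdEType": 16, "Aes128CtsHmacSha1EType": 17,
                      "Aes256CtsHmacSha1EType": 18, "ArcFourHmacEType": 23}

# Excerpt of the trace posted in the thread: AES is used for the acceptor's own
# AS exchange, then the incoming service ticket turns out to be RC4.
SAMPLE_TRACE = """>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/host
Found key for HTTP/host@domain(23)
Found key for HTTP/host@domain(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !"""


def _counted(data, pos):
    """Read a big-endian uint16-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", data, pos)
    return bytes(data[pos + 2:pos + 2 + n]), pos + 2 + n


def build_keytab(entries, timestamp=1366000000):
    """Serialize (principal, enctype, kvno, key) tuples as a version-0x502
    keytab.  Only used to construct sample input; the timestamp is made up."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)             # name_type: NT-PRINCIPAL
        body += struct.pack(">I", timestamp)
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a version-0x502 keytab into dicts: principal, kvno, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        p += 8                        # skip name_type and timestamp
        kvno, p = data[p], p + 1
        enctype, klen = struct.unpack_from(">HH", data, p)
        key, p = bytes(data[p + 4:p + 4 + klen]), p + 4 + klen
        if end - p >= 4:              # 32-bit kvno overrides the 8-bit one if set
            (kvno32,) = struct.unpack_from(">I", data, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries


def list_keys(entries):
    """Render entries the way 'ktutil: l -e' does: slot, KVNO, principal, enctype."""
    return ["%d %d %s (%s)" % (i, e["kvno"], e["principal"],
                               ENCTYPE_NAMES.get(e["enctype"], "etype %d" % e["enctype"]))
            for i, e in enumerate(entries, 1)]


def ticket_etype_from_trace(trace):
    """Etype of the service ticket the acceptor decrypts: the first '>>> EType:'
    line after Krb5Context.acceptSecContext.  Earlier EType lines belong to the
    acceptor's own AS exchange, not to the client's ticket."""
    in_accept = False
    for line in trace.splitlines():
        if "Krb5Context.acceptSecContext" in line:
            in_accept = True
            continue
        m = re.search(r">>> EType: \S*\.(\w+EType)", line)
        if in_accept and m:
            return JAVA_ETYPE_CLASSES.get(m.group(1))
    return None


def diagnose(entries, principal, ticket_etype):
    """Relate a failed acceptSecContext to what the keytab holds for principal."""
    name = ENCTYPE_NAMES.get(ticket_etype, "etype %s" % ticket_etype)
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return "keytab has no entry for %s" % principal
    matching = [e for e in mine if e["enctype"] == ticket_etype]
    if not matching:
        have = ", ".join(sorted(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in mine))
        return "ticket uses %s but keytab has only: %s" % (name, have)
    kvnos = sorted({e["kvno"] for e in matching})
    return ("keytab has %s key(s) for %s with kvno %s; a checksum failure then means the "
            "key bytes differ from the KDC's copy, and error 44 means the ticket's kvno "
            "is not among %s" % (name, principal, kvnos, kvnos))


def sample_entries():
    """The constructed keytab mirroring the thread's listing (kvno 1, five etypes)."""
    keys = [("HTTP/host@DOMAIN", 18, 1, b"\x11" * 32), ("HTTP/host@DOMAIN", 23, 1, b"\x22" * 16),
            ("HTTP/host@DOMAIN", 16, 1, b"\x33" * 24), ("HTTP/host@DOMAIN", 1, 1, b"\x44" * 8),
            ("HTTP/host@DOMAIN", 3, 1, b"\x55" * 8)]
    return parse_keytab(build_keytab(keys))


if __name__ == "__main__":
    ents = sample_entries()
    print("\n".join(list_keys(ents)))
    et = ticket_etype_from_trace(SAMPLE_TRACE)
    print(diagnose(ents, "HTTP/host@DOMAIN", et))
```

Point `parse_keytab` at the bytes of a real keytab (`open(path, "rb").read()`) and `ticket_etype_from_trace` at the Tomcat log to run the same check against a live setup; the point of the trace parser is that the `Aes256CtsHmacSha1EType` lines before `acceptSecContext` say nothing about the client's ticket, which here is RC4.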