Thanks for continuing to look at this with me. Both the default_tkt_enctypes and the default_tgs_enctypes are commented out of my krb5.conf files. When the Kerberos admin moved us over to aes256 only, he had us comment them out. I do not have a permitted_enctypes on my system.
On Wed, Apr 17, 2013 at 4:21 AM, Philippe MARASSE <[email protected]> wrote:

> Hmmm, does the default enc_type defined in /etc/krb5.conf include AES?
>
> I had a look at our kerberized squid; it shows in its krb5.conf:
>
> [libdefaults]
> ...
> default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
> default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
> permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc
>
> I think you should have the same enctypes you'll find in your keytab.
>
> Rgds.
>
> On 16/04/2013 14:47, Mathew Anderson wrote:
>
> Thank you for the info. Double checking the keytab, I do have the aes256
> one listed:
>
> 8 1 HTTP/host@domain (aes256-cts-hmac-sha1-96)
>
> I did notice that with Oracle's Java, I needed to download the
> cryptography extension. I also tried with OpenJDK (1.6.0_24 in this case)
> and received a similar error - it starts to use aes256 - but CAS uses
> arcfour and the checksum fails.
>
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
> >>>KrbAsReq salt is hostHTTPdomain
> Pre-Authenticaton: find key for etype = 18
> AS-REQ: Add PA_ENC_TIMESTAMP now
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbKdcReq send: kdc=ip UDP:x, timeout=30000, number of retries =3, #bytes=243
> >>> KDCCommunication: kdc=ip UDP:x, timeout=30000,Attempt =1, #bytes=243
> >>> KrbKdcReq send: #bytes read=683
> >>> KrbKdcReq send: #bytes read=683
> >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/host
> Found key for HTTP/host@domain(23)
> Found key for HTTP/host@domain(1)
> Found key for HTTP/host@domain(16)
> Found key for HTTP/host@domain(3)
> Found key for HTTP/host@domain(18)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Checksum failed !
> jcifs.spnego.AuthenticationException: Error performing Kerberos
> authentication: java.lang.reflect.InvocationTargetException
> at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
> at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
> at jcifs.spnego.Authentication.process(Authentication.java:235)
> at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
>
> Thanks again for the suggestions!
>
> On Tue, Apr 16, 2013 at 3:37 AM, Philippe MARASSE <[email protected]> wrote:
>
>> Hello,
>>
>> According to this exception: *KrbException: Specified version of key is
>> not available (44)*, it seems that your keytab does not include the key
>> with the expected cipher. You can check it with ktutil:
>>
>> $ ktutil
>> ktutil: rkt /etc/tomcat/cas/http.keytab
>> ktutil: l -e
>> slot KVNO Principal
>> ---- ---- ---------------------------------------------------------------------
>> 1 2 HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
>> 2 2 HTTP/myserver@MYDOMAIN (arcfour-hmac)
>> 3 2 HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
>> 4 2 HTTP/myserver@MYDOMAIN (des-cbc-crc)
>>
>> The first time I tried to use SPNEGO against MIT Kerberos, I ran into
>> another exception related to AES 256: *KrbException: Encryption type
>> AES256 CTS mode with HMAC SHA1-96 is not supported/enabled*. This is a Java
>> related issue, not CAS related: I had to download a Java Cryptography
>> Extension with unlimited strength in order to use keys larger than 128 bits.
>>
>> Rgds.
>>
>> On 15/04/2013 17:10, Mathew Anderson wrote:
>>
>> Marvin - Thanks for the response and guidance.
>>
>> I have submitted the improvement. The JIRA number is
>> CAS-1295 <https://issues.jasig.org/browse/CAS-1295>.
>>
>> On Mon, Apr 15, 2013 at 7:39 AM, Marvin S. Addison <[email protected]> wrote:
>>
>>>> The default tkt and tgs enctypes need to be set to rc4-hmac. Windows
>>>> Server 2008 supports encryption up to 256 aes however, not all Kerberos
>>>> clients do, *including the CAS server Kerberos client. The encryption
>>>> is forced down to rc4-hmac for compatibility with CAS*.
>>>
>>> Not very familiar with that part of the codebase, but as I understand
>>> your observation, CAS only supports the RC4 cipher and you would like
>>> support for other ciphers, including AES-256. Is that correct? If yes,
>>> please file a Jira improvement issue for it and post the link to the issue
>>> here to close the loop.
>>>
>>> Thanks,
>>> M
>>>
>>> --
>>> You are currently subscribed to [email protected] as: [email protected]
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>> --
>> Philippe MARASSE
>>
>> Service Informatique - Centre Hospitalier Henri Laborit
>> CS 10587 - 370 avenue Jacques Coeur
>> 86021 Poitiers Cedex
>> Tel : 05.49.44.57.19
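Philippe's advice in the thread is that the enctypes listed in krb5.conf should match the keys in the keytab, and Mathew's settings are commented out entirely. The script below is an added example, not code from anyone in the thread: it parses a `ktutil: l -e` listing and a krb5.conf `[libdefaults]` section and reports keytab enctypes that an enabled `default_tkt_enctypes`, `default_tgs_enctypes` or `permitted_enctypes` setting would not allow. The keytab listing and krb5.conf text are constructed from the values quoted in the messages.

```python
import re
# krb5.conf accepts short aliases for enctypes; map them to the long names
# ktutil prints so keytab and config entries compare equal.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96",
           "arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac",
           "des3-hmac-sha1": "des3-cbc-sha1"}

# Constructed sample input, built from the entries quoted in the thread.
KEYTAB_LISTING = """slot KVNO Principal
   1    2 HTTP/myserver@MYDOMAIN (aes256-cts-hmac-sha1-96)
   2    2 HTTP/myserver@MYDOMAIN (arcfour-hmac)
   3    2 HTTP/myserver@MYDOMAIN (des3-cbc-sha1)
   4    2 HTTP/myserver@MYDOMAIN (des-cbc-crc)
"""
KRB5_CONF = """[libdefaults]
    default_tgs_enctypes = aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts arcfour-hmac-md5
#   permitted_enctypes = aes256-cts arcfour-hmac-md5
"""

def canonical(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def keytab_enctypes(listing):
    """{principal: set(enctype)} from `ktutil: l -e` (or `klist -ke`) output."""
    found = {}
    for m in re.finditer(r"^\s*\d+\s+\d+\s+(\S+)\s+\((\S+)\)", listing, re.M):
        found.setdefault(m.group(1), set()).add(canonical(m.group(2)))
    return found

def libdefaults_enctypes(conf):
    """{setting: set(enctype)} for the enctype settings actually in force;
    a commented-out setting is skipped, so the library default applies."""
    out = {}
    for key in ("default_tkt_enctypes", "default_tgs_enctypes",
                "permitted_enctypes"):
        m = re.search(rf"^\s*{key}\s*=\s*(.+)$", conf, re.M)
        if m:
            out[key] = {canonical(n) for n in m.group(1).split()}
    return out

def check(listing, conf):
    """Keytab enctypes that a configured setting does not allow."""
    problems = []
    for princ, ets in keytab_enctypes(listing).items():
        for setting, allowed in libdefaults_enctypes(conf).items():
            for et in sorted(ets - allowed):
                problems.append(f"{princ}: {et} in keytab, not in {setting}")
    return problems
```

With the sample config, `check()` flags the des3 and DES keys against both enabled settings; with every setting commented out, as in Mathew's case, it reports nothing because the library defaults apply and the file says nothing about them.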
