SSO with kerberos

2
For a client with multiple on-premise applications we implemented Kerberos successfully for application 1. When implementing it for application 2 (same version of Mx, same Kerberos module, Java OS, same network, same script for keytab file creation) we got an error:

    Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled

We solved this by applying the extended security jars, but can't solve this one:

    Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96

The only difference is found in the m2ee log.

The working server:

    Added key: 23version: 4

Not-working server:

    Added key: 23version: 6

23 must be KERB_ETYPE_RC4_HMAC.

EDIT SOLUTION: Ok, found it, the encryption message can be distracting. The cause is that the first keytab was originally created with the servername and after that with the DNS name. The solution for application 2 was to add the servername to the Kerberos user with advanced properties (AD servicePrincipalName) or the setspn command.
asked
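The fix above comes down to a mismatch between the principal name the client asks a ticket for and the keys the keytab actually holds. As an added illustration (not part of the original question, and not Mendix or m2ee code), the following stand-alone Python parser reads the keytab file format, lists each entry's principal, key version number (kvno) and encryption type, and reports whether a key exists for a given principal and etype. The realm, host names and key bytes are constructed sample values, not taken from any real environment.

```python
import struct
from typing import Dict, List, Tuple

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757).
# 23 is the RC4-HMAC key the question's m2ee log shows as "Added key: 23".
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a keytab counted_octet_string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[Dict]:
    """Parse an MIT/Heimdal keytab (file version 0x0502) into a list of key entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # a negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        if size == 0:
            break
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:      # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({"realm": realm.decode(), "principal": "/".join(comps),
                        "kvno": vno, "etype": etype, "key_len": len(key)})
        off = end
    return entries


def build_keytab(keys: List[Tuple[str, str, int, int, bytes]]) -> bytes:
    """Serialise (realm, principal, kvno, etype, key) tuples into keytab bytes (for sample data)."""
    out = bytearray(b"\x05\x02")
    for realm, principal, kvno, etype, key in keys:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">H", etype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(data: bytes, principal: str, realm: str, etype: int) -> Tuple[str, str]:
    """Report whether the keytab holds a key able to decrypt a ticket for principal@realm with etype."""
    entries = parse_keytab(data)
    keys = sorted((e["kvno"], e["etype"]) for e in entries
                  if e["principal"] == principal and e["realm"] == realm)
    if not keys:
        present = ", ".join(sorted({e["principal"] for e in entries}))
        return "missing-principal", f"{principal}@{realm} not in keytab; it holds: {present}"
    if etype not in {et for _, et in keys}:
        have = ", ".join(ETYPE_NAMES.get(et, str(et)) for _, et in keys)
        return "missing-etype", f"no {ETYPE_NAMES.get(etype, str(etype))} key for {principal}@{realm}; have: {have}"
    return "ok", f"{principal}@{realm} has a {ETYPE_NAMES.get(etype, str(etype))} key, kvno {max(k for k, _ in keys)}"


# Constructed sample, not a real keytab: dummy key bytes, invented realm and host name.
# It mirrors the question: the keytab names the server, not the DNS name the client uses.
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.COM", "HTTP/appserver02", 6, 23, b"\x11" * 16),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    # A browser requests a ticket for the DNS name, so the ticket is for HTTP/app2.example.com:
    print(diagnose(SAMPLE_KEYTAB, "HTTP/app2.example.com", "EXAMPLE.COM", 23))
```

To use it on a real file, read the keytab bytes and call diagnose with the SPN the client actually requests (for a browser, HTTP/ followed by the DNS name it connects to). A "missing-principal" result is the situation the EDIT SOLUTION describes: the keytab (and the AD servicePrincipalName) must cover whichever name the client uses. The etype and kvno of each entry are the two numbers a Java Krb5 debug line such as "Added key: 23version: 6" refers to, so a kvno that differs between servers is worth comparing against the kvno in the service ticket.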
2 answers
0

I assume you have read this post on Stack Overflow: http://stackoverflow.com/questions/12956037/gssexception-encryption-type-aes256cts-mode-with-hmac-sha1-96-is-not-suppo ?

Regards,

Ronald

[EDIT]

This post could also be interesting: https://issues.apache.org/jira/browse/AMBARI-8840

answered
0

Based on that message, my first idea would be, as the post from Ronald suggests, the unlimited strength policy.

Have you validated that the JCE has been installed on either server?
You can easily confirm this by looking in "program files/java x/lib/security/": if you open the file local_policy.jar in a zip tool and look at the file "default_local.policy", you should see these lines:

    grant {
        // There is no restriction to any algorithms.
        permission javax.crypto.CryptoAllPermission;
    };

It's been a long time since I had to do a Kerberos setup, but a tool that I used for troubleshooting:
http://www.iis.net/downloads/category/troubleshoot (look for the deleg config tools)
http://blogs.msdn.com/b/webtopics/archive/2008/04/25/delegconfig-a-tool-to-help-resolve-kerberos-authentication-and-delegation-issues.aspx

Also, did you enable the configuration on the server level to accept the Kerberos type certificate? By default, since Windows 2008, the Kerberos encryption isn't enabled.
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

answered