10 Replies Latest reply: Jan 27, 2010 9:33 AM by 843810

    krb_error 0

    843810
      Hi all,

      We are trying to set up Kerberos SSO with WebLogic for an internal application. So far we have been following the guide at http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm

      I am trying to set this up locally on my machine (TI-C8R783J).

      A new user was added to the Active Directory (AD) (TI-C8R783J@ISYS.TRACEGROUP.COM).

      setspn was run on the AD server (TIDC.ISYS.TRACEGROUP.COM) as per the guide above.

      Output of setspn -L TI-C8R783J@ISYS.TRACEGROUP.COM was...
      Registered ServicePrincipalNames for CN=TI-C8R783J,OU=Desktops,DC=isys,DC=tracegroup,DC=com:
          HTTP/TI-C8R783J.isys.tracegroup.com
          HOST/TI-C8R783J
          HOST/TI-C8R783J.isys.tracegroup.com
      I then ran
      ktpass -princ host/TI-C8R783J@ISYS.TRACEGROUP.COM -pass 12345 -mapuser TI-C8R783J -out c:\weblogic.keytab
      output was...
      Targeting domain controller: TIDC.isys.tracegroup.com
      Using legacy password setting method
      Successfully mapped host/TI-C8R783J to TI-C8R783J.
      WARNING: pType and account type do not match. This might cause  problems.
      Key created.
      Output keytab to c:\weblogic.keytab:
      Keytab version: 0x502
      keysize 70 host/TI-C8R783J@ISYS.TRACEGROUP.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7 etype 0x17 (RC4-HMAC) keylength 16 (0x4d001483a4958ba45bcdd01569b6fba8)
      I have also run
      ktab -k weblogic.keytab -a TI-C8R783J@ISYS.TRACEGROUP.COM
      output was...
      Password for TI-C8R783J@ISYS.TRACEGROUP.COM:12345
      Done!
      Service key for TI-C8R783J@ISYS.TRACEGROUP.COM is saved in C:\bea\wlserver_10.3\samples\domains\wl_server\weblogic.keytab
      I created and adjusted the krb5.ini file under c:\winnt\krb5.ini
      [libdefaults]
      default_realm = ISYS.TRACEGROUP.COM
      default_tkt_enctypes = des-cbc-crc
      default_tgs_enctypes = des-cbc-crc
      ticket_lifetime = 600
      
      [realms]
      ISYS.TRACEGROUP.COM = {
           admin_server = TIDC.ISYS.TRACEGROUP.COM
           default_domain = ISYS.TRACEGROUP.COM
              kdc = TIDC.ISYS.TRACEGROUP.COM
      }
      
      [domain_realm]
      .isys.tracegroup.com = ISYS.TRACEGROUP.COM
      
      [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true
      However, when I then try to run
      kinit -k -t weblogic.keytab TI-C8R783J@ISYS.TRACEGROUP.COM
      I get the error...
      Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-authentication information was invalid
      KrbException: Pre-authentication information was invalid (24)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
              at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
              at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
              at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
              at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
              at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
              at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
              ... 4 more
      As suggested by another forum I saw I also tried
      kinit -k -t weblogic.keytab HOST/TI-C8R783J@ISYS.TRACEGROUP.COM
      But get the error...
      Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: RC4 with HMAC  No error
      KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: RC4 with HMAC
              at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:238)
              at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:345)
              at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:260)
              at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:219)
              at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:221)
              at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
      I haven't got a clue as to why this error is occurring. I am very new to Kerberos, so any pointers in the right direction would be much appreciated.

      Thanks.

      George.
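The two kinit failures above fail at different stages: "Pre-authentication information was invalid (24)" is a reply from the KDC, so that request got past the client's local checks, while "Do not have keys of types listed in default_tkt_enctypes" is raised by the JDK before any AS-REQ is sent, because nothing in the keytab for that principal matches the enctypes krb5.ini allows. The example below is an added one, not code from the post, WebLogic or the JDK: it parses an MIT-format keytab (version 0x0502, the format ktpass and ktab write) and reproduces those two local checks, exact-principal match and enctype intersection with default_tkt_enctypes. The keytab bytes are constructed in code from the single entry ktpass printed (host/TI-C8R783J, vno 7, etype 0x17); the 16 key bytes are a placeholder, not the real key. As a caveat for anyone reading this today, both enctypes the thread settles on are deprecated (DES by RFC 6649, RC4-HMAC by RFC 8429), and a current deployment would key the account for AES.

```python
"""Dump a Kerberos keytab and check it against krb5.ini default_tkt_enctypes.

Added example for this thread (not code from the post, WebLogic or the JDK).
kinit -k -t checks two things locally before any AS-REQ goes out: the keytab holds
the exact principal requested, and one of its key enctypes is listed in
default_tkt_enctypes. The sample keytab is constructed in code (MIT format 0x0502)
from the entry ktpass printed; its 16 key bytes are a placeholder, not a real key.
"""
import struct

# Enctype numbers (RFC 3961 / RFC 4757) and their krb5.ini names, subset used here.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TO_ENCTYPE = {v: k for k, v in ENCTYPE_NAMES.items()}


def _counted(data):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT 0x0502 keytab.
    Only used to construct sample input here; ktpass/ktab write real keytabs."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)  # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body  # record length prefix
    return bytes(out)


def parse_keytab(blob):
    """Return a list of (principal, kvno, enctype) for each live keytab record.
    Records with a negative length are deleted slots and are skipped."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen  # skip the key material; we only report metadata
        if end - pos >= 4:  # 32-bit kvno extension overrides vno8 when present
            (kvno,) = struct.unpack_from(">I", blob, pos)
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries


def _names(etypes):
    return ", ".join(ENCTYPE_NAMES.get(e, str(e)) for e in etypes)


def check_kinit(entries, principal, default_tkt_enctypes):
    """Apply kinit's two keytab preconditions; return (ok, reason).
    Principal comparison is exact (Kerberos names are case-sensitive), so
    host/TI-C8R783J and the UPN TI-C8R783J are different keys."""
    have = [etype for p, _kvno, etype in entries if p == principal]
    if not have:
        present = sorted({p for p, _k, _e in entries})
        return False, "no key for %s in keytab; present: %s" % (principal, present)
    wanted = [NAME_TO_ENCTYPE[n] for n in default_tkt_enctypes.split()]
    usable = [e for e in have if e in wanted]
    if not usable:
        return False, "no key of types in default_tkt_enctypes; only have: " + _names(have)
    return True, "kinit can use: " + _names(usable)


# Constructed sample mirroring the one entry ktpass printed in the post:
# host/TI-C8R783J, vno 7, etype 0x17 (RC4-HMAC); key bytes are a placeholder.
SAMPLE_KEYTAB = build_keytab([("host/TI-C8R783J@ISYS.TRACEGROUP.COM", 7, 23, bytes(range(16)))])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for principal, kvno, etype in entries:
        print("%s kvno=%d etype=%d (%s)" % (principal, kvno, etype, _names([etype])))
    print(check_kinit(entries, "TI-C8R783J@ISYS.TRACEGROUP.COM", "des-cbc-crc"))
    print(check_kinit(entries, "host/TI-C8R783J@ISYS.TRACEGROUP.COM", "des-cbc-crc"))
    print(check_kinit(entries, "host/TI-C8R783J@ISYS.TRACEGROUP.COM", "des-cbc-crc rc4-hmac"))
```

Run against a real keytab by replacing SAMPLE_KEYTAB with open("weblogic.keytab", "rb").read(); the first check_kinit call shows that the UPN form of the principal is simply absent from a keytab that only carries host/..., and the second shows the enctype mismatch that the JDK reports verbatim when krb5.ini lists only des-cbc-crc.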
        • 1. Re: krb_error 0
          843810
          Active Directory Kerberos uses rc4-hmac not des-cbc-crc. Add rc4-hmac to both enctypes in krb5.ini and try again
          • 2. Re: krb_error 0
            843810
            I added rc4-hmac to krb5.ini to make it look like this...
            [libdefaults]
            default_realm = ISYS.TRACEGROUP.COM
            default_tkt_enctypes = des-cbc-crc rc4-hmac
            default_tgs_enctypes = des-cbc-crc rc4-hmac
            ticket_lifetime = 600
            
            [realms]
            ISYS.TRACEGROUP.COM = {
                 admin_server = TIDC.ISYS.TRACEGROUP.COM
                 default_domain = ISYS.TRACEGROUP.COM
                 kdc = TIDC.ISYS.TRACEGROUP.COM
            }
            
            [domain_realm]
            .isys.tracegroup.com = ISYS.TRACEGROUP.COM
            
            [appdefaults]
            autologin = true
            forward = true
            forwardable = true
            encrypt = true
            Now when I run "kinit -k -t opentwins.keytab host/ti-c8r783j" I get the error...
            Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
            KrbException: KDC has no support for encryption type (14)
                    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
                    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
                    at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
                    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
                    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
            Caused by: KrbException: Identifier doesn't match expected value (906)
                    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
                    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
                    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
                    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
                    ... 4 more
            Any ideas?

            Much appreciated.
            • 3. Re: krb_error 0
              843810
              What version of JDK are you using?
              • 4. Re: krb_error 0
                843810
                java version "1.6.0_05"
                Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
                BEA JRockit(R) (build R27.6.0-50_o-100423-1.6.0_05-20080626-2105-windows-ia32, compiled mode)
                • 5. Re: krb_error 0
                  843810
                  That's your JRE version. What is your JDK version?
                  • 6. Re: krb_error 0
                    843810
                    That is the JRE bundled in the JDK.

                    JDK version = JRockit 1.6
                    • 7. Re: krb_error 0
                      843810
                      Try removing "des-cbc-crc" from krb5.ini
                      • 8. Re: krb_error 0
                        843810
                        I tried that, but I still get the same error.
                        • 9. Re: krb_error 0
                          843810
                          Hmmm. Your client is still encrypting with etype 14, which is not supported by AD.

                          Does this post help? It may be a jrockit issue.

                          Re: Principal problem

                          You may need help from someone with jrockit/Kerberos experience.
                          • 10. Re: krb_error 0
                            843810
                            Thanks Joe, I re-followed exactly what the guy in the link you gave did, and all appears to work now.

                            I think the key was "ktpass -out thehost.http.keytab -mapuser theuser -crypto DES-CBC-CRC -princ host/thehost@DOMAIN.LOCAL -pass password -ptype KRB5_NT_PRINCIPAL", in particular the -crypto DES-CBC-CRC, and removing references to enctypes from the krb5.ini.

                            Again, thanks for your help.

                            Edited by: george_lee on Jan 27, 2010 7:32 AM