10 Replies. Latest reply: Jan 27, 2010 7:33 AM by 843810

krb_error 0

843810 Newbie
Hi all,

We are trying to set up Kerberos SSO with WebLogic for an internal application. So far we have been following the guide at http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm.

I am trying to set this up locally on my machine (TI-C8R783J).

A new user was added to the Active Directory (AD) (TI-C8R783J@ISYS.TRACEGROUP.COM).

setspn was run on the AD server (TIDC.ISYS.TRACEGROUP.COM) as per the guide above.

Output of setspn -L TI-C8R783J@ISYS.TRACEGROUP.COM was...
Registered ServicePrincipalNames for CN=TI-C8R783J,OU=Desktops,DC=isys,DC=tracegroup,DC=com:
    HTTP/TI-C8R783J.isys.tracegroup.com
    HOST/TI-C8R783J
    HOST/TI-C8R783J.isys.tracegroup.com
I then ran
ktpass -princ host/TI-C8R783J@ISYS.TRACEGROUP.COM -pass 12345 -mapuser TI-C8R783J -out c:\weblogic.keytab
output was...
Targeting domain controller: TIDC.isys.tracegroup.com
Using legacy password setting method
Successfully mapped host/TI-C8R783J to TI-C8R783J.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to c:\weblogic.keytab:
Keytab version: 0x502
keysize 70 host/TI-C8R783J@ISYS.TRACEGROUP.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7 e
type 0x17 (RC4-HMAC) keylength 16 (0x4d001483a4958ba45bcdd01569b6fba8)
I have also run
ktab -k weblogic.keytab -a TI-C8R783J@ISYS.TRACEGROUP.COM
output was...
Password for TI-C8R783J@ISYS.TRACEGROUP.COM:12345
Done!
Service key for TI-C8R783J@ISYS.TRACEGROUP.COM is saved in C:\bea\wlserver_10.3\samples\domains\wl_server\weblogic.keytab
I created and adjusted the krb5.ini file under c:\winnt\krb5.ini
[libdefaults]
default_realm = ISYS.TRACEGROUP.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600

[realms]
ISYS.TRACEGROUP.COM = {
     admin_server = TIDC.ISYS.TRACEGROUP.COM
     default_domain = ISYS.TRACEGROUP.COM
        kdc = TIDC.ISYS.TRACEGROUP.COM
}

[domain_realm]
.isys.tracegroup.com = ISYS.TRACEGROUP.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
However, when I then try to run
kinit -k -t weblogic.keytab TI-C8R783J@ISYS.TRACEGROUP.COM
I get the error...
Exception: krb_error 24 Pre-authentication information was invalid (24) Pre-aut
on was invalid
KrbException: Pre-authentication information was invalid (24)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 4 more
As suggested by another forum I saw I also tried
kinit -k -t weblogic.keytab HOST/TI-C8R783J@ISYS.TRACEGROUP.COM
But get the error...
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have
 keys of following type: RC4 with HMAC  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of
following type: RC4 with HMAC
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:238)
        at sun.security.krb5.KrbAsReq.init(KrbAsReq.java:345)
        at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:260)
        at sun.security.krb5.KrbAsReq.<init>(KrbAsReq.java:219)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:221)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
I haven't got a clue as to why this error is occurring. I am very new to Kerberos, so any pointers in the right direction would be much appreciated.

Thanks.

George.
  • 1. Re: krb_error 0
    843810 Newbie
    Active Directory Kerberos uses rc4-hmac not des-cbc-crc. Add rc4-hmac to both enctypes in krb5.ini and try again
  • 2. Re: krb_error 0
    843810 Newbie
    I added rc4-hmac to krb5.ini to make it look like this...
    [libdefaults]
    default_realm = ISYS.TRACEGROUP.COM
    default_tkt_enctypes = des-cbc-crc rc4-hmac
    default_tgs_enctypes = des-cbc-crc rc4-hmac
    ticket_lifetime = 600
    
    [realms]
    ISYS.TRACEGROUP.COM = {
         admin_server = TIDC.ISYS.TRACEGROUP.COM
         default_domain = ISYS.TRACEGROUP.COM
         kdc = TIDC.ISYS.TRACEGROUP.COM
    }
    
    [domain_realm]
    .isys.tracegroup.com = ISYS.TRACEGROUP.COM
    
    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
    Now when I run "kinit -k -t opentwins.keytab host/ti-c8r783j" I get the error...
    Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryptio
    n type
    KrbException: KDC has no support for encryption type (14)
            at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
            at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
            at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:306)
            at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
            at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    Caused by: KrbException: Identifier doesn't match expected value (906)
            at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
            at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
            at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
            at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
            ... 4 more
    Any ideas?

    Much appreciated.
  • 3. Re: krb_error 0
    843810 Newbie
    What version of JDK are you using?
  • 4. Re: krb_error 0
    843810 Newbie
    java version "1.6.0_05"
    Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
    BEA JRockit(R) (build R27.6.0-50_o-100423-1.6.0_05-20080626-2105-windows-ia32, compiled mode)
  • 5. Re: krb_error 0
    843810 Newbie
    That's your JRE version. What is your JDK version?
  • 6. Re: krb_error 0
    843810 Newbie
    That is the JRE bundled in the JDK.

    JDK version = JRockit 1.6
  • 7. Re: krb_error 0
    843810 Newbie
    Try removing "des-cbc-crc" from krb5.ini
  • 8. Re: krb_error 0
    843810 Newbie
    I tried that, get the same error still.
  • 9. Re: krb_error 0
    843810 Newbie
    Hmmm. Your client is still encrypting with etype 14, which is not supported by AD.

    Does this post help? It may be a jrockit issue.

    Re: Principal problem

    You may need help from someone with jrockit/Kerberos experience.
  • 10. Re: krb_error 0
    843810 Newbie
    Thanks Joe, I re-followed exactly what the guy from the link you gave did, and all appears to work now.

    I think the key was "ktpass -out thehost.http.keytab -mapuser theuser -crypto DES-CBC-CRC -princ host/thehost@DOMAIN.LOCAL -pass password -ptype KRB5_NT_PRINCIPAL", in particular the -crypto DES-CBC-CRC,

    and removing references to enctypes from the krb5.ini.

    Again, thanks for your help.

    Edited by: george_lee on Jan 27, 2010 7:32 AM
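Both failures in this thread (the "Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: RC4 with HMAC" error in the original post, and the mismatch reply 1 diagnoses) come down to the same check: the encryption type of the key stored in the keytab must appear in the enctype list the client is configured to request. The script below is an added example, not code from the thread or from Oracle's WebLogic documentation. It parses an MIT-format keytab (version 0x502, the format ktpass and ktab write), reads default_tkt_enctypes from the [libdefaults] section of a krb5.ini, and reports, per principal, which keys the client could actually use. The keytab bytes, the key material and the krb5.ini text are constructed for the example; only the principal and realm names are taken from the thread.

```python
"""Check whether the key enctypes in a keytab match the enctypes a Kerberos
client is configured to request.  Added example, not from the forum thread;
the keytab and krb5.ini below are constructed sample data."""
import struct

# Enctype numbers from RFC 3961 / RFC 4757, spelled as krb5.conf spells them.
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
ALIASES = {"arcfour-hmac": 23, "arcfour-hmac-md5": 23, "aes128-cts": 17, "aes256-cts": 18}
NAME_TO_ENCTYPE = {**{name: num for num, name in ENCTYPES.items()}, **ALIASES}


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT keytab, version 0x502."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type 1 (KRB5_NT_PRINCIPAL), timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(data, pos):
    """Read a 16-bit length-prefixed string; return (string, new position)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}, ...] for every live entry in an MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen          # the key bytes themselves are not needed here
        kvno = vno8
        if end - pos >= 4:       # 32-bit kvno trailer overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def configured_enctypes(krb5_text, key="default_tkt_enctypes"):
    """Return the enctype numbers listed for `key` in [libdefaults] (unknown names kept as strings)."""
    section, names = None, []
    for raw in krb5_text.splitlines():
        line = raw.split("#")[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                names = v.split()
    return [NAME_TO_ENCTYPE.get(n.lower(), n) for n in names]


def check_keytab_against_config(keytab_bytes, krb5_text):
    """Per principal: enctypes present in the keytab and the subset the client may request.
    An empty 'usable' set is exactly the 'Do not have keys of types listed in
    default_tkt_enctypes' failure.  An empty configured list is treated as
    'any supported enctype', which is what removing the setting achieves."""
    wanted = configured_enctypes(krb5_text)
    report = {}
    for e in parse_keytab(keytab_bytes):
        r = report.setdefault(e["principal"], {"have": set(), "usable": set()})
        r["have"].add(e["enctype"])
        if not wanted or e["enctype"] in wanted:
            r["usable"].add(e["enctype"])
    return report


# Constructed sample: a keytab with only an RC4-HMAC (23) key for the host principal
# from the thread, and a krb5.ini that requests only des-cbc-crc.  Key bytes are a placeholder.
SAMPLE_KEYTAB = build_keytab([("host/TI-C8R783J@ISYS.TRACEGROUP.COM", 7, 23, bytes(range(16)))])
ORIGINAL_INI = """[libdefaults]
default_realm = ISYS.TRACEGROUP.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
ISYS.TRACEGROUP.COM = {
    kdc = TIDC.ISYS.TRACEGROUP.COM
}
"""
FIXED_INI = ORIGINAL_INI.replace("default_tkt_enctypes = des-cbc-crc",
                                 "default_tkt_enctypes = des-cbc-crc rc4-hmac")

if __name__ == "__main__":
    for label, ini in (("original", ORIGINAL_INI), ("fixed", FIXED_INI)):
        for principal, r in check_keytab_against_config(SAMPLE_KEYTAB, ini).items():
            have = ", ".join(ENCTYPES.get(t, str(t)) for t in sorted(r["have"]))
            status = "OK" if r["usable"] else "MISMATCH: no key matches default_tkt_enctypes"
            print(f"{label}: {principal} has [{have}] -> {status}")
```

Run against a real keytab by replacing SAMPLE_KEYTAB with `open("weblogic.keytab", "rb").read()` and ORIGINAL_INI with the contents of c:\winnt\krb5.ini; the keytab parser ignores the key bytes, so it only reports principal, kvno and enctype. The same check explains the fix in reply 10: ktpass -crypto chooses which key type lands in the keytab, and removing the enctype lines lets the client accept whatever that type is. Note that DES-CBC-CRC, which the final ktpass command selects, is single DES; current Active Directory builds and current JDKs disable it by default, so on a newer deployment the equivalent fix is to issue the keytab with an AES or RC4 key and keep the client's list consistent with it.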