Forum Stats

  • 3,824,927 Users
  • 2,260,440 Discussions


Kerberos SSO Error: "Cannot find key of appropriate type to decrypt"

rrdavis07 Member Posts: 3
edited Dec 2, 2019 5:01PM in Kerberos & Java GSS (JGSS)

I have an environment with several instances (PROD, Dev, UAT, Sandbox, etc) of a Weblogic-based application that have been set up with Kerberos SSO. All servers are essentially identical. Keytab files have been created using the KTPASS command. One of the instances is generating an error during SSO login. The pertinent section of the log:

(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR ) - GSS-API error occured during Kerberos token processingGSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR - Invalid login information provided: Kerberos single sign-on authentication failed: Failed to retrieve User Principal Name from Kerberos token.

As far as error regarding: "Failed to retrieve UPN...", I've confirmed using SETSPN -L that the UPN does indeed exist.

Just to be clear, the instance of the application is a new instance and the keytab file was created at a different time than the other instances. However, the same command structure was used:

ktpass -princ HTTP/[email protected] -mapuser [email protected] -pass XXXXXXXX -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\keytabfile.keytab

Anyone have any thoughts as to why SSO is not working on just this one instance?