Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

"Cannot find key of appropriate type to decrypt" error again - W2k8

843810Apr 5 2010 — edited Jul 22 2010
Getting "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" when working with a Java (using JDK 1.6.0_18) application that is mimicking what is happening within OpenSSO's WindowsSSO module (where the problem started). I have searched the forum and whilst there are similar questions, none of the solutions fit. I have tried a lot of different permutations of the ktpass command and most lead back to here. When using the /crypto ALL param in ktpass the problem switches to checksum errors.

The keytab file was generated using the following parameters: 
ktpass /mapuser OPENSSOHOST@CONTOSO.LOCAL /out c:\temp\openssohost.HTTP.keytab /princ HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL /ptype KRB5_NT_PRINCIPAL /pass Passw0rd
Targeting domain controller: DC1W.contoso.local
Using legacy password setting method
Successfully mapped HTTP/OPENSSOHOST.contoso.local to openssohost.
Key created.
Output keytab to c:\temp\openssohost.HTTP.keytab:
Keytab version: 0x502
keysize 79 HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 0xa87f3a337d73085c45f9416be5787d86)
I created a standalone application to save me time when trying different permutations of keytab file generation using different ktpass parameters. The Java app is running against a Windows 2008 Server SP2 AD/KDC. Here is the exception/debug output from the application using the -Dsun.security.spnego.debug=true and -Dsun.security.krb5.debug=true flags: 
Config name: C:\Windows\krb5.ini
     KeyTabInputStream, readName(): CONTOSO.LOCAL
     KeyTabInputStream, readName(): HTTP
     KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
     KeyTab: load() entry length: 79; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
    KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
    KrbKdcReq send: #bytes read=183
    KrbKdcReq send: #bytes read=183
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 686624
         error code is 25
         error Message is Additional pre-authentication required
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         eData provided.
         msgType is 30
    Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
    Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
    Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
    Pre-Authentication Data:
         PA-DATA type = 16
    Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    KrbAsReq salt is CONTOSO.LOCALHTTPopenssohost.contoso.local
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsReq calling createMessage
     KrbAsReq in createMessage
     KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=247
     KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=247
     KrbKdcReq send: #bytes read=98
     KrbKdcReq send: #bytes read=98
     KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 811624
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         msgType is 30
     KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=247
     DEBUG: TCPClient reading 1472 bytes
     KrbKdcReq send: #bytes read=1472
     KrbKdcReq send: #bytes read=1472
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoToken NegTokenInit : no MIC token included
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at kerberostest.Main.doSubjectCall(Main.java:54)
        at kerberostest.Main.main(Main.java:44)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at kerberostest.Main$1.run(Main.java:58)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)

Comments

843810
Just an update on my original question in case it helps...

If I switch to /crypto AES256-SHA1 in the ktpass command I get Checksum failed errors instead. Has anyone been able to make Java 1.6 Kerberos apps work with a Windows AD/KDC running on Windows Server 2008? If yes, what steps did you follow?

Here are the results: 
      KeyTabInputStream, readName(): CONTOSO.LOCAL
      KeyTabInputStream, readName(): HTTP
      KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
      KeyTab: load() entry length: 95; type: 18
Added key: 18version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 18 23 16 3 1.
0: EncryptionKey: keyType=18 kvno=3 keyValue (hex dump)=
0000: 32 A0 E6 1C 0E 2E AE 8F   2B C0 4A 28 29 84 91 3D  2.......+.J()..=
0010: CC C6 49 B1 EF 18 28 DA   22 A9 4D 8B D0 36 47 AE  ..I...(.".M..6G.


default etypes for default_tkt_enctypes: 18 23 16 3 1.
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
      KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
      KrbKdcReq send: #bytes read=205
      KrbKdcReq send: #bytes read=205
      KDCRep: init() encoding tag is 126 req type is 11
     KRBError:
         sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
         suSec is 47253
         error code is 25
         error Message is Additional pre-authentication required
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         eData provided.
         msgType is 30
     Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18
     Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
     Pre-Authentication Data:
         PA-DATA type = 16
     Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
     KrbAsReq salt is CONTOSO.LOCALHTTPOPENSSOHOST.contoso.local
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      KrbAsReq calling createMessage
      KrbAsReq in createMessage
      KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=251
      KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=251
      KrbKdcReq send: #bytes read=98
      KrbKdcReq send: #bytes read=98
      KDCRep: init() encoding tag is 126 req type is 11
     KRBError:
         sTime is Tue Apr 06 10:51:04 NZST 2010 1270507864000
         suSec is 203503
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         msgType is 30
      KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=251
     DEBUG: TCPClient reading 1581 bytes
      KrbKdcReq send: #bytes read=1581
      KrbKdcReq send: #bytes read=1581
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 06 2d 30 82 06 29 a0.....
5f a3 6e 04 01 
Checksum failed !
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoToken NegTokenInit : no MIC token included
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(18)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
      EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at kerberostest.Main.doSubjectCall(Main.java:54)
        at kerberostest.Main.main(Main.java:44)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at kerberostest.Main$1.run(Main.java:58)
        ... 4 more
Caused by: KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
        ... 11 more
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
        at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)
        at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)
        ... 17 more
{code}


Thanks

Mark
843810
hi mark,
I have the same problem in my install, i'm triying an SSO using CAS Spnego and Kerberos, i'm using DES-CBC-MD5 crypto.
this is my exception :
[#|2010-04-16T10:15:14.506+0200|INFO|sun-appserver2.1|net.java.spnego.SpnegoServerAuthModule|_ThreadID=16;_ThreadName=httpSSLWorkerThread-38005-1;|jmac.gss_dialog_failed
GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at net.java.spnego.SpnegoServerAuthModule.validateRequest(SpnegoServerAuthModule.java:251)
at com.sun.enterprise.security.jmac.config.GFServerConfigProvider$GFServerAuthContext.validateRequest(GFServerConfigProvider.java:1172)
at com.sun.web.security.RealmAdapter.validate(RealmAdapter.java:1331)
at com.sun.web.security.RealmAdapter.invokeAuthenticateDelegate(RealmAdapter.java:1213)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:643)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:625)
at org.apache.catalina.core.StandardPipeline.doChainInvoke(StandardPipeline.java:599)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:92)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:98)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:222)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:166)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:648)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:593)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:587)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1096)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:288)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:647)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:579)
at com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:831)
at com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.process(SSLReadTask.java:440)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLReadTask.doTask(SSLReadTask.java:228)
at com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 34 more

did you find an issue!!
any help will be welcome
thanks
843810
I guess OPENSSOHOST is a CNAME.

You have to use the name of the computer to create the keytab instead of a DNS Record like OPENSSOHOST . Then it will work.
843810
Hi Markdr,

You've received the "Cannot find key of appropriate type to decrypt".

From the exceptions you've pasted into your first message we can see cause: "Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96".

Key type of this encryption is 18.

Now in command line type: klist -e -k krb5.keytab
and look for Key types. You should have encryption type 18.

Here's full list of those codes: http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml. Key type is eType. Yours is aes256-cts-hmac-sha1-96

If you don't have it, then use ktpass to generate correct keytab with correct encoding: aes256.

Best regards & good luck,
Kamil
1 - 4
Locked Post
New comments cannot be posted to this locked post.

Post Details

Locked on Aug 19 2010
Added on Apr 5 2010
#kerberos-java-gss-jgss
4 comments
33,845 views