I am trying to establish a secure connection to a Windows 2008 Server Active Directory using a Kerberos ticket obtained from the JAAS KerberosLoginModule.
With the default kerberos encryption types the connection is established and "des-cbc-md5" is used for encryption.
If I change the kerberos encryption types in "krb5.ini" to default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
then I can see in the ticket that aes128-cts is used, but I always get the following error:
java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
...
Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
    at sun.security.jgss.krb5.WrapToken_v2.getDataFromBuffer(Unknown Source)
    at sun.security.jgss.krb5.WrapToken_v2.getData(Unknown Source)
    at sun.security.jgss.krb5.WrapToken_v2.getData(Unknown Source)
    at sun.security.jgss.krb5.Krb5Context.unwrap(Unknown Source)
    at sun.security.jgss.GSSContextImpl.unwrap(Unknown Source)
With Wireshark I can see the following communication between the client and the AD server:
As far as I understand the problem, the client tries to verify the message from the server by calculating a checksum (using aes128) and comparing it with the value delivered in the message; the exception is thrown because the checksums do not match.
I am using the following option to create the LDAP Context:
It seems to be a JRE problem. When I use the Kerberos implementation from "Vintela Single Sign-On for Java" I can establish an "aes256" secured LDAP connection to the AD server.
This LDAP connection allows changing the passwords of the users stored in the AD.
The problem is that "Vintela Single Sign-On for Java" is not free, so it would be nice to have a solution which works with the Kerberos implementation of the JRE.
The error is the same for "aes128" and "aes256" encryption.
And with Wireshark I cannot see any differences in the packets sent to the AD and received from the AD.
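As an added example (not the poster's code), this is the usual shape of such a setup on the plain JRE: a JAAS login through Krb5LoginModule, then a GSSAPI bind to AD inside Subject.doAs with SASL sealing requested, and the PrivilegedActionException unwrapped down to the GSSException seen in the trace. The JAAS entry name "SecureLdap", the host, the system properties and the "auth-conf" QOP are assumptions of the example.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class KerberosLdapBind {
    // Placeholder host; the JAAS entry "SecureLdap" and the system properties
    // -Djava.security.auth.login.config=jaas.conf -Djava.security.krb5.conf=krb5.ini
    // are assumptions of this example, not values from the question.
    static final String LDAP_URL = "ldap://ad.example.test:389";

    // JNDI environment for a sealed GSSAPI bind: "auth-conf" negotiates
    // integrity and confidentiality, so every LDAP message after the handshake
    // travels inside the wrap tokens named in the error message.
    static Hashtable<String, String> gssapiEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("javax.security.sasl.strength", "high");
        return env;
    }

    public static void main(String[] args) throws Exception {
        // Step 1: Krb5LoginModule obtains the TGT using the enctypes from krb5.ini
        LoginContext lc = new LoginContext("SecureLdap");
        lc.login();
        Subject subject = lc.getSubject();
        try {
            // Step 2: bind as that subject; GSSAPI fetches the ldap/<host> service ticket
            DirContext ctx = Subject.doAs(subject,
                    (PrivilegedExceptionAction<DirContext>) () -> new InitialDirContext(gssapiEnv()));
            System.out.println("Bound to " + ctx.getEnvironment().get(Context.PROVIDER_URL));
            ctx.close();
        } catch (PrivilegedActionException e) {
            // doAs wraps the real failure; print the chain down to the GSSException
            for (Throwable t = e.getCause(); t != null; t = t.getCause()) {
                System.err.println(t.getClass().getName() + ": " + t.getMessage());
            }
            throw e;
        } finally {
            lc.logout();
        }
    }
}
```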