On 15/05/2015 08:34, Ravindhar Konka wrote:
> Hi All
> I am trying to use SSO functionality for my app
>
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0ad...@domain.com)
> password (XXXXXX)
>
> krb5.ini
>
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> permitted_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> forwardable=true
>
> [realms]
> DOMAIN.COM= {
> kdc = DOMAIN-ad:88
> default_domain = DOMAIN.com
> }
>
> [domain_realm]
> domain.com=DOMAIN.COM
> .domain.com= DOMAIN.COM
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
> test.keytab
>
> C:\Users\Administrator>ktpass -princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out test.keytab
>
> C:\Users\ssoadmin>kinit ssoadmin
> Password for ssoad...@domain.com:
> New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin
>
> C:\Users\ssoadmin>kinit -k -t test.keytab
> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
> KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>
> CAN YOU PLEASE HELP ME

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Follow those steps *exactly* and you will have a working configuration.

Note there is a known issue with SPNEGO and Java 8u40 onwards. Stick to an earlier Java version until we have a workaround in place.

Mark