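# Library-wide Kerberos client defaults.
[libdefaults]
# Realm assumed when a principal name carries no @REALM suffix.
default_realm = DOMAIN.COM
# The keytab holds the service principal's long-term keys: anyone who can read
# it can authenticate as that principal. Restrict the file ACL to the account
# that runs Tomcat.
# NOTE(review): confirm the keytab written by ktpass is actually placed at this path.
default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
# Enctype preference for AS (tkt) and TGS requests, strongest first.
# rc4-hmac is a legacy enctype and is kept last, as a fallback only.
# NOTE(review): the keytab must contain a key of at least one listed type for
# the principal being requested; remove rc4-hmac once the keytab carries AES keys.
# NOTE(review): older Java releases need the unlimited-strength JCE policy files
# for AES-256 - confirm for the JRE in use.
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,rc4-hmac
# Ask for forwardable tickets.
# NOTE(review): only needed if credential delegation is required - confirm.
forwardable = true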

# Per-realm settings: where to find the KDC for DOMAIN.COM.
[realms]
DOMAIN.COM = {
    # KDC host and port (88 is the standard Kerberos port).
    kdc = domain-ad.DOMAIN.com:88
    # NOTE(review): MIT Kerberos uses default_domain for Kerberos 4 principal
    # conversion; confirm whether the Java client reads it at all.
    default_domain = DOMAIN.com
}

# DNS name to realm mapping.
[domain_realm]
# A leading dot matches every host under the domain.
.domain.com = DOMAIN.COM
# Without the dot, only the host named exactly domain.com is matched.
domain.com = DOMAIN.COM

# Application-level defaults, not scoped to a named application.
# NOTE(review): these look like MIT telnet/rlogin-style options; confirm whether
# the Java/Tomcat SPNEGO stack reads [appdefaults] at all.
[appdefaults]
autologin = true
encrypt = true
forward = true
forwardable = true

C:\Users\Administrator>ktpass /out c:\test.keytab /mapuser ssoad...@domain.com
 /princ HTTP/windows-sso-demo.domain....@domain.com /pass P@ssw0rd /kvno 0


C:\Users\ssoadmin>kinit -k -t test.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available
; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

C:\Users\ssoadmin>

-----Original Message-----
From: Ravindhar Konka [mailto:ravindhar_ko...@persistent.com]
Sent: Friday, May 15, 2015 1:38 PM
To: Tomcat Users List
Subject: RE: KrbException: Do not have keys of types listed in 
default_tkt_enctypes available

Hey Mark
Thanks for the quick reply. I followed the same doc that you provided.

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, May 15, 2015 1:14 PM
To: Tomcat Users List
Subject: Re: KrbException: Do not have keys of types listed in 
default_tkt_enctypes available

On 15/05/2015 08:34, Ravindhar Konka wrote:
> Hi All
> I am trying to use SSO functionality for my app
>
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo) username
> (ss0ad...@domain.com) password (XXXXXX)
>
>
> krb5.ini
>
>
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1
> DES-CBC-MD5 DES-CBC-CRC default_tgs_enctypes = AES256-CTS AES128-CTS
> RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC permitted_enctypes =
> AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> forwardable=true
>
> [realms]
> DOMAIN.COM= {
>         kdc = DOMAIN-ad:88
>                                 default_domain = DOMAIN.com }
>
> [domain_realm]
> domain.com=DOMAIN.COM
> .domain.com= DOMAIN.COM
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
> test.keytab
>
> C:\Users\Administrator>ktpass -princ
> HTTP/windows-sso-demo.domain.com@DOMAIN
> .COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype
> KRB5_NT_PRINCIP AL -out test.keytab
>
>
> C:\Users\ssoadmin>kinit ssoadmin
> Password for ssoad...@domain.com:
> New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin
>
>
> C:\Users\ssoadmin>kinit -k -t test.keytab
> Exception: krb_error 0 Do not have keys of types listed in
> default_tkt_enctypes available; only have keys of following type:  No
> error
> KrbException: Do not have keys of types listed in default_tkt_enctypes
> available ; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
>
>
> CAN YOU PLEASE HELP ME

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Follow those steps *exactly* and you will have a working configuration.
Note there is a known issue with SPNEGO and Java 8u40 onwards. Stick to an 
earlier Java version until we have a workaround in place.

Mark
