Java Security

"Cannot find key of appropriate type to decrypt" error again - W2k8

843810, Apr 5 2010 — edited Jul 22 2010
Getting "Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96" when working with a Java (using JDK 1.6.0_18) application that is mimicking what is happening within OpenSSO's WindowsSSO module (where the problem started). I have searched the forum and whilst there are similar questions, none of the solutions fit. I have tried a lot of different permutations of the ktpass command and most lead back to here. When using the /crypto ALL param in ktpass the problem switches to checksum errors.

The keytab file was generated using the following parameters:
ktpass /mapuser OPENSSOHOST@CONTOSO.LOCAL /out c:\temp\openssohost.HTTP.keytab /princ HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL /ptype KRB5_NT_PRINCIPAL /pass Passw0rd
Targeting domain controller: DC1W.contoso.local
Using legacy password setting method
Successfully mapped HTTP/OPENSSOHOST.contoso.local to openssohost.
Key created.
Output keytab to c:\temp\openssohost.HTTP.keytab:
Keytab version: 0x502
keysize 79 HTTP/OPENSSOHOST.contoso.local@CONTOSO.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 0xa87f3a337d73085c45f9416be5787d86)
I created a standalone application to save me time when trying different permutations of keytab file generation using different ktpass parameters. The Java app is running against a Windows 2008 Server SP2 AD/KDC. Here is the exception/debug output from the application using the -Dsun.security.spnego.debug=true and -Dsun.security.krb5.debug=true flags:
Config name: C:\Windows\krb5.ini
     KeyTabInputStream, readName(): CONTOSO.LOCAL
     KeyTabInputStream, readName(): HTTP
     KeyTabInputStream, readName(): OPENSSOHOST.contoso.local
     KeyTab: load() entry length: 79; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
    KrbAsReq calling createMessage
    KrbAsReq in createMessage
    KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=164
    KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=164
    KrbKdcReq send: #bytes read=183
    KrbKdcReq send: #bytes read=183
    KDCRep: init() encoding tag is 126 req type is 11
    KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 686624
         error code is 25
         error Message is Additional pre-authentication required
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         eData provided.
         msgType is 30
    Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
    Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
    Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
    Pre-Authentication Data:
         PA-DATA type = 16
    Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    KrbAsReq salt is CONTOSO.LOCALHTTPopenssohost.contoso.local
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsReq calling createMessage
     KrbAsReq in createMessage
     KrbKdcReq send: kdc=dc1w.contoso.local UDP:88, timeout=30000, number of retries =3, #bytes=247
     KDCCommunication: kdc=dc1w.contoso.local UDP:88, timeout=30000,Attempt =1, #bytes=247
     KrbKdcReq send: #bytes read=98
     KrbKdcReq send: #bytes read=98
     KDCRep: init() encoding tag is 126 req type is 11
      KRBError:
         sTime is Tue Apr 06 11:56:54 NZST 2010 1270511814000
         suSec is 811624
         error code is 52
         error Message is Response too big for UDP, retry with TCP
         realm is CONTOSO.LOCAL
         sname is krbtgt/CONTOSO.LOCAL
         msgType is 30
     KrbKdcReq send: kdc=dc1w.contoso.local TCP:88, timeout=30000, number of retries =3, #bytes=247
     DEBUG: TCPClient reading 1472 bytes
     KrbKdcReq send: #bytes read=1472
     KrbKdcReq send: #bytes read=1472
     EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
     KrbAsRep cons in KrbAsReq.getReply HTTP/openssohost.contoso.local
Service Subject:HTTP/openssohost.contoso.local@CONTOSO.LOCAL
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82..
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoToken NegTokenInit : no MIC token included
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
Found key for HTTP/openssohost.contoso.local@CONTOSO.LOCAL(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:396)
        at kerberostest.Main.doSubjectCall(Main.java:54)
        at kerberostest.Main.main(Main.java:44)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:874)
        at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:541)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
        at kerberostest.Main$1.run(Main.java:58)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
Locked on Aug 19 2010
Added on Apr 5 2010
4 comments
34,186 views