Hi,
Excuse me for disturbing you, but I have a problem
I can't resolve by myself, and the previous posts on the forum are not of much help on it...
I am struggling with SPNEGO.
So after reading through the tutorials on security stuff
(obviously there was a lot I had to learn and understand about security APIs before I could deal with this),
I went into the lab exercise:
I downloaded the source in jgss-sample.zip,
and I changed the realm, usernames etc. to the appropriate values from my network
(MS Windows 2003 server; two laptops, one on Win XP (as server) and one on Windows 2000 as the client).
I run Java 1.6.
Like that, out of the box with no changes in the code, just adapting the config parameters,
I got a GSSException: Mechanism level: Invalid argument (400).
Since then I've tried many things:
- I have set allowtgtsessionkey on every computer
- I changed my default_tkt_enctypes / default_tgs_enctypes and permitted_enctypes to the value
aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
to try (to force JAAS/GSS not to use rc4-hmac)
- I made sure that the MS 2003 server has DES checked on the password
That is to say, I have read through the forum and tried every tip I found that concerned my trouble...
One thing really disturbing is that my session keys as displayed in the tickets
are not empty and are both of type 3, which is DES,
so why is Java annoying me with this rc4-hmac even though I put it
OUT of my krb5 config files???
Here is the error (server-side output; the client just says that the peer reset the connection):
"C:\Program Files\Java\jdk1.6.0\bin\java" -Djava.security.auth.login.config=C:\x_KVxJava.Jvm_policies\jaas-krb5.conf -Djava.security.krb5.conf=C:\x_KVxJava.Jvm_policies\krb5.conf -Djavax.security.auth.useSubjectCredsOnly=true -Didea.launcher.port=7535 "-Didea.launcher.bin.path=T:\IntelliJ IDEA 5.0\bin" -Dfile.encoding=windows-1252 -classpath "C:\Program Files\Java\jdk1.6.0\jre\lib\charsets.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\deploy.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\javaws.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\jce.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\jsse.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\management-agent.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\plugin.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\resources.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\rt.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\ext\dnsns.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\ext\localedata.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\ext\sunjce_provider.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\ext\sunmscapi.jar;C:\Program Files\Java\jdk1.6.0\jre\lib\ext\sunpkcs11.jar;R:\Projet KV\Drafts\SPNEGO_Sample\classes;T:\IntelliJ IDEA 5.0\lib\idea_rt.jar" com.intellij.rt.execution.application.AppMain GssSpNegoServer
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C://x_KVxJava.Jvm_policies//myuser_dell.HTTP.keytab refreshKrb5Config is false principal is HTTP/myuser_dell.mycomp.local@MYCOMP.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
principal's key obtained from the keytab
Acquire TGT using AS Exchange
principal is HTTP/myuser_dell.mycomp.local@MYCOMP.LOCAL
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: E6 2C 7A 2C 26 E5 DC 9D
Added server's keyKerberos Principal HTTP/myuser_dell.mycomp.local@MYCOMP.LOCALKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: E6 2C 7A 2C 26 E5 DC 9D
[Krb5LoginModule] added Krb5Principal HTTP/myuser_dell.mycomp.local@MYCOMP.LOCAL to Subject
Commit Succeeded
Objet :
Principal : HTTP/myuser_dell.mycomp.local@MYCOMP.LOCAL
Identité privée : Ticket (hex) =
..............
..........
Client Principal = HTTP/myuser_dell.mycomp.local@MYCOMP.LOCAL
Server Principal = krbtgt/MYCOMP.LOCAL@MYCOMP.LOCAL
Session Key = EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 25 19 2C A2 8A E6 67 80
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Jan 30 12:46:11 CET 2007
Start Time = Tue Jan 30 12:46:11 CET 2007
End Time = Tue Jan 30 22:46:11 CET 2007
Renew Till = null
Client Addresses Null , Kerberos Principal HTTP/myuser_dell.mycomp.local@MYCOMP.LOCALKey Version 1key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: E6 2C 7A 2C 26 E5 DC 9D
]
Waiting for incoming connection...
Got connection from client /10.1.1.166
Reading ...
Will read input token of size 1247 for processing by acceptSecContext
Token = 60 82 04 db 06 06 2b 06 01 05 05 02 a0 82 04 cf 30 82 04 cb a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a1 04 03 02 00 3e a2 82 04 b2 04 82 04 ae 60 82 04 aa 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 04 99 30 82 04 95 a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 03 bd 61 82 03 b9 30 82 03 b5 a0 03 02 01 05 a1 11 1b 0f 47 42 43 4f 4e 43 45 50 54 2e 4c 4f 43 41 4c a2 1d 30 1b a0 03 02 01 00 a1 14 30 12 1b 04 48 54 54 50 1b 0a 68 65 6e 6f 63 5f 64 65 6c 6c a3 82 03 7a 30 82 03 76 a0 03 02 01 17 a1 03 02 01 0e a2 82 03 68 04 82 03 64 37 8b 01 4f 47 c3 dc 1e 77 96 52 d5 d8 11 f8 9a d6 3e 23 2e 37 ff 34 57 a9 f2 39 ff 75 ad 75 89 7e c1 62 7d 0e 89 ef b7 04 e7 13 3a 6e 05 4b ac 5f fd 8f 68 84 a0 c3 d6 ba b5 b8 ec 61 73 3a ac b8 75 51 d6 e4 df 5c a3 ea 1b 72 f4 2b 83 55 3c 67 2b 04 a9 44 3e 61 e0 b6 a2 d6 f7 b4 01 b2 1f b4 e5 03 b8 02 48 98 6f ce b3 47 29 66 59 8f d6 52 4b 72 f0 1f 11 b1 7d 9d ce 7d 0a d0 d0 25 36 fe 30 bd 9f 30 7a 8f 8e 5f e5 87 09 dd 27 6c 30 80 d9 1e 15 d4 42 cb 0f 3d 50 c2 33 6e 48 73 13 d5 96 7d 5b f7 c4 36 e9 8f 2f 75 0c a4 c1 75 e3 d9 15 a3 30 e9 8b 9e 8d 0d ec 53 ae ad 62 b8 29 3a 3d 4b fe 17 6d b7 e9 05 d9 ac 52 75 ca 38 7a fd c4 99 b8 8d b7 28 5a ee 6c 4a 73 ad dc 6f b4 97 3e db f1 aa c9 86 65 4b dc 9a 39 f7 4c be aa 70 17 42 9a 2d 17 90 3b 98 ff 2a b9 4a cf 5e d2 dd 8b f4 69 70 e0 6f 18 e9 6d 5c d6 47 9e ca b7 d7 ab 35 3c 2e 60 51 b6 8f 8f 9a 33 38 58 4e 98 2b 71 2a 2f ef 0d 20 04 37 3d b7 1c 49 09 aa 25 19 0b 68 b4 2d 67 c8 db e3 81 7f 57 18 31 91 d7 62 ea 90 a2 72 d3 ff 66 26 e2 71 65 f5 19 5d 04 ec c5 5b 9a 0b e3 a4 c2 19 b0 28 54 1c 1c 08 e3 93 9e 30 9f ff b8 15 9d 4b 15 d5 e1 a1 17 f4 e6 58 a6 a7 86 18 e6 87 d2 5f fd 04 38 d7 c7 91 fe 11 b3 60 07 98 a8 7b b6 19 71 0f 1d 12 1d 73 13 0b a3 84 a8 93 1c 45 84 94 fd 0a 00 fe a8 1c 4c d5 2a 16 98 08 66 04 ed 90 c6 51 ee b4 a4 fe 9c cb 18 89 8c 9a 76 ac 1c b8 ee 45 12 5e 1d 27 d7 1e 00 5e 18 66 a7 c9 7d 46 80 a8 2f d3 3a a1 e7 17 8d f3 cf 30 5b cb 03 c9 0c e4 9e 47 d0 
33 ad 3a 97 b1 19 cb 5c c5 18 6c 33 a3 a1 b9 4f e8 c3 b0 d6 35 cb 97 59 04 ef 07 a7 3a 22 62 d7 cc d2 8d 63 47 dc d0 c5 31 3b 04 6d ec 80 60 53 e2 24 eb 8e ef 75 ac a1 e4 c4 f0 78 69 79 42 c9 08 16 fa 6f 7c 82 88 06 16 d1 f5 73 d2 0e 8a 82 89 6b ff 99 fc 40 e1 6c 71 13 1a 28 05 b0 da 99 dd 58 28 f4 01 24 a3 71 0f 01 1f 2f 1d b0 dc 73 42 0f 1d 83 e4 c2 83 04 3c 7c d9 03 32 88 80 1a 02 46 67 44 af 82 09 ce 94 c9 42 c6 2a cc 3f 69 b5 ba c6 f7 34 64 4e 35 8a 03 33 7d 3d 55 95 93 20 b5 10 3a fb da 9d e3 5a 15 c0 71 f0 44 e8 a1 84 7e 00 a8 2f be 69 ed b5 39 25 e0 9c 00 7f 2d a8 43 36 26 76 9d c6 87 49 cb 88 07 e5 b9 a2 b7 7c 06 40 10 46 0e c4 f3 42 73 bf b3 36 ad 02 ba a7 41 a2 7a b8 07 40 a9 c1 16 4c 19 81 df d1 d4 55 c9 57 cb f5 d2 ff e0 8b 0d 32 a7 5a 9f 3d 9e 5a 4f 38 4e cd 10 76 e5 36 eb 64 9b 64 3e bf 1d 02 97 59 2d 49 34 25 fb 14 84 2a d9 ff 4d a6 d8 56 81 3b a5 b4 7a 48 8c 5d 36 41 b2 a4 b5 84 ab 0d 06 25 3c f3 5c b1 e1 1f 4f ae 36 df 7b a0 c6 31 77 1b 99 e9 b2 be 94 fb 8c 63 27 c8 fd 4e 37 80 c4 46 32 2f a4 bd 70 fb d9 d3 a2 a1 ee f2 3c eb 05 68 74 60 43 ce 2d 0e e6 79 23 fd 22 f9 fd ef c1 71 cb aa 7a ce b2 b1 af 01 4d 5b e2 08 21 5f 96 e8 67 78 e4 a4 81 be 30 81 bb a0 03 02 01 03 a2 81 b3 04 81 b0 e1 dc f0 16 03 36 b2 71 b4 51 8f ff 98 0c dd 44 ce bf 78 a6 05 6c 90 24 c0 db 01 9e 27 4a 0b 99 eb c8 08 8d 05 44 6d d5 e1 f9 79 d5 62 83 5d 95 ae c2 12 7b dd 4d f1 4b 33 f6 f0 68 33 4d 07 d0 8e a9 8d 22 aa e5 71 76 1f a4 4f 30 24 ac d5 77 a4 1e 50 88 a5 2e 59 8b a6 a9 c4 ad 22 e2 ba 9b 30 72 8d 79 98 c0 fa 7c 08 24 43 49 c1 df bb 6a 34 ef db a4 80 c4 fa 4d 3d 03 ce 82 1d 78 96 b6 0c 39 d6 0c 89 64 ad 72 48 89 89 6f 83 70 ba ac 29 01 84 6d f1 32 d9 d6 8d e7 c4 b6 52 97 7b ca 7d 0f 65 91 14 a0 88 b8 7b 91 08 90 0c a7 df d4
acceptSecContext..
Exception in thread "main" java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:396)
at Jaas.loginAndAction(Jaas.java:105)
at GssSpNegoServer.main(GssSpNegoServer.java:88)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:86)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:869)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:536)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at GssSpNegoServer$GssServerAction.run(GssSpNegoServer.java:178)
... 9 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 16 more
On the client side I got this:
--------------------
Authenticated principal: [ztestha@MYCOMP.LOCAL]
--------------------
PublicCredentials: []
--------------------
getPrivateCredentials: [Ticket (hex) =
0000: 61 82 03 C0 30 82 03 BC
...................
....................
03C0: 59 0E B1 1D Y...
Client Principal = ztestha@MYCOMP.LOCAL
Server Principal = krbtgt/MYCOMP.LOCAL@MYCOMP.LOCAL
Session Key = EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 1A BC C4 64 4F 97 EF 4C
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Jan 30 12:46:28 CET 2007
Start Time = Tue Jan 30 12:46:28 CET 2007
End Time = Tue Jan 30 22:46:28 CET 2007
Renew Till = null
Client Addresses Null ]
Connected to address myuser_dell/10.1.1.66
Will send token of size 1247 from initSecContext.
writing token = 60 82 04 db 06 06
If one of you knows what all this is about...?
Thanks
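Editor's note with an added diagnostic (not from the original post and not part of the jgss-sample). The stack trace shows the failure in KrbApReq.authenticate, so despite the wording "AP REP" it is the acceptor failing to decrypt the service ticket carried in the client's AP-REQ. The KDC encrypts that ticket with whatever key it holds for the service account, so the enctype lists in the krb5.conf of the initiator cannot change it; the acceptor's keytab has to contain a key of the same enctype and key version number (kvno). The script below walks the DER of the posted NegTokenInit down to Ticket.enc-part, reads the etype and kvno the KDC used, and compares them with the keyType and Key Version that Krb5LoginModule printed for the keytab entry. It embeds only the leading bytes of the token quoted in the post (the ciphertext after them is not needed); the names of the helper functions are the example's own.

```python
"""Decode which enctype and key version number (kvno) the KDC used for the
service ticket inside a SPNEGO NegTokenInit, and compare them with the key the
acceptor loaded from its keytab. Added diagnostic, not part of the jgss-sample
or of the original post; standard library only."""

# enctype numbers from RFC 3961/4120; this is the "keyType" Krb5LoginModule prints
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

# Leading bytes of the token the server printed in the post; the ciphertext that
# follows them is not needed for this check.
TOKEN_PREFIX = bytes.fromhex(
    "60 82 04 db 06 06 2b 06 01 05 05 02 a0 82 04 cf 30 82 04 cb a0 0d 30 0b 06 09"
    " 2a 86 48 86 f7 12 01 02 02 a1 04 03 02 00 3e a2 82 04 b2 04 82 04 ae 60 82 04"
    " aa 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 04 99 30 82 04 95 a0 03 02 01"
    " 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 03 bd 61 82 03 b9 30 82 03"
    " b5 a0 03 02 01 05 a1 11 1b 0f 47 42 43 4f 4e 43 45 50 54 2e 4c 4f 43 41 4c a2"
    " 1d 30 1b a0 03 02 01 00 a1 14 30 12 1b 04 48 54 54 50 1b 0a 68 65 6e 6f 63 5f"
    " 64 65 6c 6c a3 82 03 7a 30 82 03 76 a0 03 02 01 17 a1 03 02 01 0e a2 82 03 68"
    " 04 82 03 64"
)


def read_tlv(buf, pos):
    """Parse a DER tag and length at pos; return (tag, length, value_start).
    Only the header must be present, so a truncated value is tolerated."""
    if pos + 1 >= len(buf):
        raise ValueError("DER header truncated at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        return tag, first, pos
    n = first & 0x7F
    if pos + n > len(buf):
        raise ValueError("DER length truncated at offset %d" % pos)
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n


def children(buf, pos):
    """Yield (tag, length, value_start, header_pos) for each child of the
    constructed TLV at pos, stopping where the buffer ends."""
    _tag, length, start = read_tlv(buf, pos)
    end = min(start + length, len(buf))
    p = start
    while p < end:
        ctag, clen, cstart = read_tlv(buf, p)
        yield ctag, clen, cstart, p
        p = cstart + clen


def descend(buf, pos, *tags):
    """Step from the TLV at pos into the first child carrying each tag in turn
    and return the header offset of the last one."""
    for want in tags:
        for ctag, _clen, _cstart, cpos in children(buf, pos):
            if ctag == want:
                pos = cpos
                break
        else:
            raise ValueError("no [0x%02x] element under offset %d" % (want, pos))
    return pos


def read_int(buf, pos):
    tag, length, start = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER at offset %d" % pos)
    return int.from_bytes(buf[start:start + length], "big", signed=True)


def ticket_enc_part(token):
    """Return (etype, kvno) of Ticket.enc-part inside a SPNEGO NegTokenInit
    whose mechToken is a Kerberos KRB-AP-REQ."""
    if read_tlv(token, 0)[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    # NegTokenInit ::= [0] SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, ... }
    mech_token = descend(token, 0, 0xA0, 0x30, 0xA2, 0x04)
    _, _, inner = read_tlv(token, mech_token)
    # mechToken = [APPLICATION 0] { krb5 mech OID, 2-byte TOK_ID, KRB-AP-REQ }
    ctx_tag, _, oid_pos = read_tlv(token, inner)
    oid_tag, oid_len, oid_start = read_tlv(token, oid_pos)
    if ctx_tag != 0x60 or oid_tag != 0x06 or token[oid_start:oid_start + oid_len] != KRB5_MECH_OID:
        raise ValueError("inner token is not a Kerberos V5 context token")
    p = oid_start + oid_len
    if token[p:p + 2] != b"\x01\x00":  # TOK_ID 01 00 = KRB_AP_REQ
        raise ValueError("TOK_ID %s is not KRB_AP_REQ" % token[p:p + 2].hex())
    # AP-REQ [APPLICATION 14] SEQUENCE { ..., [3] Ticket [APPLICATION 1] SEQUENCE { ..., [3] EncryptedData } }
    enc_part = descend(token, p + 2, 0x30, 0xA3, 0x61, 0x30, 0xA3, 0x30)
    etype = read_int(token, descend(token, enc_part, 0xA0, 0x02))  # EncryptedData.etype
    kvno = read_int(token, descend(token, enc_part, 0xA1, 0x02))   # EncryptedData.kvno
    return etype, kvno


def check_against_keytab(token, keytab_keys):
    """keytab_keys: (etype, kvno) pairs the acceptor holds, i.e. the keyType and
    Key Version that Krb5LoginModule printed for the keytab entry."""
    etype, kvno = ticket_enc_part(token)
    name = ETYPE_NAMES.get(etype, "etype %d" % etype)
    held = ", ".join("%s kvno %d" % (ETYPE_NAMES.get(e, "etype %d" % e), k) for e, k in keytab_keys)
    if (etype, kvno) in keytab_keys:
        return "ok: ticket uses %s kvno %d and the keytab holds it" % (name, kvno)
    if any(e == etype for e, _k in keytab_keys):
        return "kvno mismatch: ticket uses %s kvno %d, keytab holds %s" % (name, kvno, held)
    return "enctype mismatch: KDC encrypted the service ticket with %s kvno %d, keytab holds %s" % (name, kvno, held)


if __name__ == "__main__":
    # keyType=1, Key Version 1 is what the server-side debug output shows for the keytab
    print(check_against_keytab(TOKEN_PREFIX, [(1, 1)]))
```

Run against the posted token and the keytab entry from the debug output (keyType=1, Key Version 1), the verdict is an enctype mismatch: the ticket is rc4-hmac with kvno 14, the keytab holds des-cbc-crc with kvno 1. Both values have to line up before the acceptor can decrypt, so the usual remedy is to regenerate the keytab for the enctype and kvno the KDC actually uses for the service account (for a Windows 2003 domain whose account is not DES-only, that is RC4-HMAC, e.g. ktpass /crypto RC4-HMAC-NT) rather than restricting enctypes in the initiator's krb5.conf.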