Java Security

Kerberos SSO Error: "Cannot find key of appropriate type to decrypt"

rrdavis07 Dec 2 2019 — edited Dec 2 2019

I have an environment with several instances (PROD, Dev, UAT, Sandbox, etc.) of a WebLogic-based application that have been set up with Kerberos SSO. All servers are essentially identical. Keytab files have been created using the KTPASS command. One of the instances is generating an error during SSO login. The pertinent section of the log:

(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR com.deltek.enterprise.DEServer.system.security.authentication ) CPLogger.java - GSS-API error occured during Kerberos token processing

GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

(Nov 19 2019 15:22:45:[[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)']: ERROR Deltek.enterprise.DEServer.system.security.authentication) CPFilterPostKerberos.java - Invalid login information provided: Kerberos single sign-on authentication failed: Failed to retrieve User Principal Name from Kerberos token.

As for the error regarding "Failed to retrieve UPN...", I've confirmed using SETSPN -L that the UPN does indeed exist.

Just to be clear, the instance of the application is a new instance and the keytab file was created at a different time than the other instances. However, the same command structure was used:

ktpass -princ HTTP/cname.domain.com@DOMAIN.COM -mapuser sso_sand1@DOMAIN.COM -pass XXXXXXXX -crypto ALL -ptype KRB5_NT_PRINCIPAL -out c:\keytabfile.keytab

Does anyone have any thoughts as to why SSO is not working on just this one instance?
