
So I have some code I'm testing to make sure it works properly for authentication. It works fine against plain Kerberos, so I figured AD should only have a few minor issues. Unfortunately, I can't get past KrbException: KDC has no support for encryption type (14).

I know the error is an encryption type mismatch. But I can kinit just fine; it's only in my code that I run into the problem. I'm not setting anything, so I assumed it should inherit the same defaults as kinit, but apparently that's not the case.

Code:

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.krb5.realm", "TEST.SQRRL.COM");
System.setProperty("java.security.krb5.kdc", "172.16.101.128");
System.setProperty("java.security.auth.login.config", "./conf/jaas.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

// "Server" references the JAAS configuration entry in the jaas.conf file.
// LoginCallbackHandler is the application's own CallbackHandler that supplies the password.
LoginContext loginCtx = new LoginContext("Server", new LoginCallbackHandler("test".toCharArray()));
loginCtx.login();
// The authenticated Subject carries the Kerberos principal and TGT.
Subject subject = loginCtx.getSubject();
```

and jaas.conf:

```
Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=true
    principal="accumulo@test.SQRRL.COM";
};
```

And the stack trace:

```
>>>KRBError:
     sTime is Tue Nov 27 18:16:36 EST 2012 1354058196000
     suSec is 257213
     error code is 14
     error Message is KDC has no support for encryption type
     realm is test.SQRRL.COM
     sname is krbtgt/test.SQRRL.COM
     msgType is 30
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
    at main.ServerImpl.<init>(ServerImpl.java:91)
    at main.PlugServer.run(PlugServer.java:22)
    at main.PlugServer.main(PlugServer.java:42)
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    ... 19 more
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at main.PlugServer.run(PlugServer.java:36)
    at main.PlugServer.main(PlugServer.java:42)
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
    at main.ServerImpl.<init>(ServerImpl.java:91)
    at main.PlugServer.run(PlugServer.java:22)
    ... 1 more
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    ... 19 more
```

3 Answers

8

So, I've gotten past this. I can only guess that DES support in Windows Server 2012 Active Directory is broken, because I ended up tweaking my krb5.conf file, setting both the default ticket types and the permitted types to aes256-cts-hmac-sha1-96, and it worked for one user. After enabling aes256 for the other users in AD, it continued to work.

answered 2012-12-12T23:03:56.497
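The krb5.conf change the answer above describes, as an added example that is not from the post: the DES-only setting that a KDC with DES disabled rejects, shown next to the AES-only setting that worked. It uses the realm and KDC address from the question and the standard MIT krb5.conf libdefaults key names, which the JDK's Krb5LoginModule also reads.

```ini
# Added example (not from the question or the answers): krb5.conf
# [libdefaults] restricted to AES, as the answer above describes.
# Realm and KDC address come from the question; the key names are the
# standard MIT krb5.conf settings that the JDK Kerberos code honours.
[libdefaults]
    default_realm = TEST.SQRRL.COM

    # Failing configuration: DES enctypes offered first. A KDC that does
    # not allow DES for the account (Active Directory disables DES by
    # default) answers the AS-REQ with KDC_ERR_ETYPE_NOSUPP, Kerberos
    # error code 14, which Java reports as
    # "KDC has no support for encryption type (14)".
    # default_tkt_enctypes = des-cbc-crc des-cbc-md5
    # default_tgs_enctypes = des-cbc-crc des-cbc-md5
    # permitted_enctypes   = des-cbc-crc des-cbc-md5

    # Corrected configuration: request and accept only AES-256, so the
    # client never offers an enctype the KDC has turned off.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96

[realms]
    TEST.SQRRL.COM = {
        kdc = 172.16.101.128
    }
```

Point the JVM at the file with -Djava.security.krb5.conf=/path/to/krb5.conf and keep sun.security.krb5.debug=true to confirm in the AS-REQ debug output which enctypes are actually offered. The AD account must also have AES-256 enabled (the "enabling aes256 for the other users" step in the answer), and on JDK 6/7 AES-256 additionally requires the JCE Unlimited Strength Jurisdiction Policy files.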
3

You need to go into the user's account and check the "Use Kerberos DES encryption types" checkbox.

Of course, you need to be logged into the DS as an administrator to do this.

answered 2012-12-04T15:42:45.487
1

Looking at init() in KDCRep.java, the only part that looks like it could throw the error is:

```java
if ((subDer.getTag() & 0x1F) == 0x00) {
    pvno = subDer.getData().getBigInteger().intValue();
    if (pvno != Krb5.PVNO) {
        throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
    }
} else {
    throw new Asn1Exception(Krb5.ASN1_BAD_ID);
}
```

It seems a bit odd that the error is printed as a KrbException, but that works because KrbApErrException extends KrbException. However, init() can't throw any other subclass of KrbException.

Scratch that. A better possibility is that it's one of the Asn1Exceptions, since the constructor in KrbAsRep.java catches those and rethrows them as KrbExceptions (using initCause with the appropriate value), which matches the stack trace very closely.

"Identifier doesn't match expected value (906)" leads me to believe it's throwing an Asn1Exception(Krb5.ASN1_BAD_ID), since Krb5.ASN1_BAD_ID has the value 906. That doesn't help much, since that appears throughout init().

See if you can generate the DerValue that corresponds to your configuration and inspect it by hand to see where init() would reject it, then work backwards from there to find which part of your configuration creates the bad bits.


On further inspection, the message "KDC has no support for encryption type" leads me to believe Krb5.KDC_ERR_ETYPE_NOSUPP must have been used. However, since that is only used for the default instance of Etype, it may not mean much.

answered 2012-11-29T13:40:34.783