Posted to users@tomcat.apache.org by Ravindhar Konka <ra...@persistent.com> on 2015/05/15 09:34:53 UTC

KrbException: Do not have keys of types listed in default_tkt_enctypes available

Hi All
I am trying to use SSO functionality for my app

apache-tomcat-7.0.61
windows server 2008 R2
java 1.8.0_25
active directory machine ( DOMAIN-ad)
tomcat instance machine (windows-sso-demo)
username (ss0admin@domain.com)
password (XXXXXX)


krb5.ini


[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
permitted_enctypes =  AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
forwardable=true

[realms]
DOMAIN.COM= {
        kdc = DOMAIN-ad:88
        default_domain = DOMAIN.com
}

[domain_realm]
domain.com=DOMAIN.COM
.domain.com= DOMAIN.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

test.keytab

C:\Users\Administrator>ktpass -princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out test.keytab


C:\Users\ssoadmin>kinit ssoadmin
Password for ssoadmin@DOMAIN.COM:
New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin


C:\Users\ssoadmin>kinit -k -t test.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available
; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)


CAN YOU PLEASE HELP ME

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.


RE: KrbException: Do not have keys of types listed in default_tkt_enctypes available

Posted by Ravindhar Konka <ra...@persistent.com>.
[libdefaults]
default_realm = DOMAIN.COM
default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
DOMAIN.COM= {
        kdc = domain-ad.DOMAIN.com:88
        default_domain = DOMAIN.com
}

[domain_realm]
domain.com=DOMAIN.COM
.domain.com= DOMAIN.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

C:\Users\Administrator>ktpass /out c:\test.keytab /mapuser ssoadmin@DOMAIN.COM /princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM /pass P@ssw0rd /kvno 0


C:\Users\ssoadmin>kinit -k -t test.keytab
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available
; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

C:\Users\ssoadmin>

-----Original Message-----
From: Ravindhar Konka [mailto:ravindhar_konka@persistent.com] 
Sent: Friday, May 15, 2015 1:38 PM
To: Tomcat Users List
Subject: RE: KrbException: Do not have keys of types listed in default_tkt_enctypes available

Hey Mark
Thanks for the quick reply. I followed the same doc which you provided.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Friday, May 15, 2015 1:14 PM
To: Tomcat Users List
Subject: Re: KrbException: Do not have keys of types listed in default_tkt_enctypes available

On 15/05/2015 08:34, Ravindhar Konka wrote:
> Hi All
> I am trying to use SSO functionality for my app
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0admin@domain.com)
> password (XXXXXX)
> 
> 
> krb5.ini
> 
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> permitted_enctypes =  AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> forwardable=true
> 
> [realms]
> DOMAIN.COM= {
>         kdc = DOMAIN-ad:88
>         default_domain = DOMAIN.com
> }
> 
> [domain_realm]
> domain.com=DOMAIN.COM
> .domain.com= DOMAIN.COM
> 
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
> 
> test.keytab
> 
> C:\Users\Administrator>ktpass -princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out test.keytab
> 
> 
> C:\Users\ssoadmin>kinit ssoadmin
> Password for ssoadmin@DOMAIN.COM:
> New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin
> 
> 
> C:\Users\ssoadmin>kinit -k -t test.keytab
> Exception: krb_error 0 Do not have keys of types listed in 
> default_tkt_enctypes available; only have keys of following type:  No 
> error
> KrbException: Do not have keys of types listed in default_tkt_enctypes 
> available ; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
> 
> 
> CAN YOU PLEASE HELP ME

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Follow those steps *exactly* and you will have a working configuration.
Note there is a known issue with SPNEGO and Java 8u40 onwards. Stick to an earlier Java version until we have a workaround in place.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




RE: KrbException: Do not have keys of types listed in default_tkt_enctypes available

Posted by Ravindhar Konka <ra...@persistent.com>.
Hey Mark
Thanks for the quick reply. I followed the same doc which you provided.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Friday, May 15, 2015 1:14 PM
To: Tomcat Users List
Subject: Re: KrbException: Do not have keys of types listed in default_tkt_enctypes available

On 15/05/2015 08:34, Ravindhar Konka wrote:
> Hi All
> I am trying to use SSO functionality for my app
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0admin@domain.com)
> password (XXXXXX)
> 
> 
> krb5.ini
> 
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> permitted_enctypes =  AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> forwardable=true
> 
> [realms]
> DOMAIN.COM= {
>         kdc = DOMAIN-ad:88
>         default_domain = DOMAIN.com
> }
> 
> [domain_realm]
> domain.com=DOMAIN.COM
> .domain.com= DOMAIN.COM
> 
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
> 
> test.keytab
> 
> C:\Users\Administrator>ktpass -princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out test.keytab
> 
> 
> C:\Users\ssoadmin>kinit ssoadmin
> Password for ssoadmin@DOMAIN.COM:
> New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin
> 
> 
> C:\Users\ssoadmin>kinit -k -t test.keytab
> Exception: krb_error 0 Do not have keys of types listed in 
> default_tkt_enctypes available; only have keys of following type:  No 
> error
> KrbException: Do not have keys of types listed in default_tkt_enctypes 
> available ; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
> 
> 
> CAN YOU PLEASE HELP ME

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Follow those steps *exactly* and you will have a working configuration.
Note there is a known issue with SPNEGO and Java 8u40 onwards. Stick to an earlier Java version until we have a workaround in place.

Mark


Re: KrbException: Do not have keys of types listed in default_tkt_enctypes available

Posted by Mark Thomas <ma...@apache.org>.
On 15/05/2015 08:34, Ravindhar Konka wrote:
> Hi All
> I am trying to use SSO functionality for my app
> 
> apache-tomcat-7.0.61
> windows server 2008 R2
> java 1.8.0_25
> active directory machine ( DOMAIN-ad)
> tomcat instance machine (windows-sso-demo)
> username (ss0admin@domain.com)
> password (XXXXXX)
> 
> 
> krb5.ini
> 
> 
> [libdefaults]
> default_realm = DOMAIN.COM
> default_keytab_name = FILE:c:\apache-tomcat-7.0.61\conf\test.keytab
> default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> permitted_enctypes =  AES256-CTS AES128-CTS RC4-HMAC DES3-CBC-SHA1 DES-CBC-MD5 DES-CBC-CRC
> forwardable=true
> 
> [realms]
> DOMAIN.COM= {
>         kdc = DOMAIN-ad:88
>         default_domain = DOMAIN.com
> }
> 
> [domain_realm]
> domain.com=DOMAIN.COM
> .domain.com= DOMAIN.COM
> 
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
> 
> test.keytab
> 
> C:\Users\Administrator>ktpass -princ HTTP/windows-sso-demo.domain.com@DOMAIN.COM -mapuser ssoadmin -pass P@ssw0rd -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out test.keytab
> 
> 
> C:\Users\ssoadmin>kinit ssoadmin
> Password for ssoadmin@DOMAIN.COM:
> New ticket is stored in cache file C:\Users\ssoadmin\krb5cc_ssoadmin
> 
> 
> C:\Users\ssoadmin>kinit -k -t test.keytab
> Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes
> available; only have keys of following type:  No error
> KrbException: Do not have keys of types listed in default_tkt_enctypes available
> ; only have keys of following type:
>         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
>         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
>         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
>         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
>         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
>         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
> 
> 
> CAN YOU PLEASE HELP ME

http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Follow those steps *exactly* and you will have a working configuration.
Note there is a known issue with SPNEGO and Java 8u40 onwards. Stick to
an earlier Java version until we have a workaround in place.

Mark
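
Added example, not part of the thread and not Tomcat or JDK code: the exception above ends with an empty list of key types, so one check is to read which principals and enctypes the keytab actually holds and compare them with default_tkt_enctypes. It assumes the MIT keytab layout (version 0x0502) and reads only the 8-bit kvno; the keytab bytes are constructed sample data, not output from ktpass.

```python
import struct

# Kerberos enctype numbers and their krb5.ini names
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}

def _counted(buf, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype name)] from a version 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp)
        p += 8                             # skip name type and timestamp
        kvno = buf[p]
        etype, _klen = struct.unpack_from(">HH", buf, p + 1)
        out.append(("/".join(comps) + "@" + realm, kvno,
                    ETYPES.get(etype, str(etype))))
        pos += size
    return out

def usable_enctypes(entries, principal, configured):
    """Configured enctypes for which the keytab holds a key for principal."""
    have = {name for princ, _, name in entries if princ == principal}
    return [t for t in configured.lower().replace(",", " ").split() if t in have]

def _entry(realm, comps, kvno, etype, key):   # builds the constructed sample
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed keytab: one RC4 key (all-zero placeholder) for the HTTP principal
SAMPLE = b"\x05\x02" + _entry("DOMAIN.COM",
                              ["HTTP", "windows-sso-demo.domain.com"], 0, 23, bytes(16))
CONFIGURED = "rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96"
```

With this sample, a lookup for the HTTP service principal yields rc4-hmac, while a lookup for a principal that has no entry in the keytab (ssoadmin@DOMAIN.COM is used as an assumed illustration) yields an empty list.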