Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96

I had a Tomcat server with a SPNEGO SSO setting; it works well with no issues. Now I want to add an Apache server in front of it to enable SSL. The Apache server uses AJP to communicate with it:

<VirtualHost *:58443>
  SSLEngine on
  ServerName ca09417d.global.local:58443
  SSLCertificateFile "${SRVROOT}/conf/ssl/ca09417d.server.cer"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/ca09417d.server.key"
  ...
  ProxyRequests off
  ProxyPreserveHost On
  ProxyPass /vcaps3 ajp://cavcdbdev02:58009/vcaps3
  ProxyPassReverse /vcaps3 ajp://cavcdbdev02:58009/vcaps3
</VirtualHost>

After that, the server complains with this error:

KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96
sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:444)
net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:283)
net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:229)

So I tried these things:

  • Made sure my JDK can do AES 256
  • Logging in locally on the Apache server succeeds, because I have this setting:
    spnego.allow.localhost = true
  • Checked both server logs and found nothing
  • I can still use SSO on the Tomcat server directly after Apache fails

Now I have no idea what I should do to fix it.

  • My tomcat version is 8.5.32
  • My JDK version is 1.8.0_151
  • My Apache version is httpd-2.4.33-o110h-x86-vc14-r2
  • My Spnego version is 7

This is the main part of my krb5.conf:

[libdefaults]
default_tkt_enctypes = rc4-hmac aes256-cts aes128-cts
default_tgs_enctypes = rc4-hmac aes256-cts aes128-cts
permitted_enctypes   = rc4-hmac aes256-cts aes128-cts

Could you help me?

Thanks very much!

Justin
Solution 1:[1]

Solution 1:

I had a similar error because the keytab file was generated with the wrong /crypto configuration.

Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC

Generate a new keytab file using /crypto ALL with the ktpass command:

ktpass /out "server.keytab" /crypto ALL /princ HTTP/server@REALM /mapuser KERBEROS_SERVICEUSER /pass PASSWORD /ptype KRB5_NT_PRINCIPAL

Replace HTTP/server@REALM, KERBEROS_SERVICEUSER and PASSWORD with the corresponding values.

Solution 2:

Make sure the Kerberos service user has the following options checked:

  • This account supports Kerberos AES 128 bit encryption
  • This account supports Kerberos AES 256 bit encryption

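Before regenerating anything, it is worth checking what the keytab actually contains. The error in the question says the client's service ticket was encrypted with AES256-CTS-HMAC-SHA1-96 (enctype 18) and the service found no enctype-18 key for its principal, which is exactly what a keytab produced without /crypto ALL looks like. The script below is an added example, not code from the question or the answer: it parses the MIT keytab format (version 0x0502, the layout written by ktpass and by Java's ktab tool), lists principal, kvno and enctype per entry, and reports which of the enctypes a Windows client can use are missing for a given principal. It also decodes the AD attribute msDS-SupportedEncryptionTypes that the two "This account supports Kerberos AES ... encryption" checkboxes set, so both answers' conditions can be checked side by side. The principal HTTP/server@REALM is the placeholder from the ktpass line, and the two sample keytabs are constructed in-line with dummy key bytes; a real one would be read with open(path, "rb").read().

```python
"""Inspect an MIT-format keytab and compare it with the AD account's enctype flags.

Added example for the SPNEGO 'Cannot find key of appropriate type' error;
not code from the original question or answer.
"""
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 3962 / RFC 4757)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
AES256, AES128, RC4 = 18, 17, 23

# Bits of msDS-SupportedEncryptionTypes; the AES 128/256 checkboxes set 0x08 and 0x10.
MSDS_ENCTYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}


def supported_enctypes(msds_mask):
    """Translate an msDS-SupportedEncryptionTypes value into sorted enctype numbers."""
    return sorted(et for bit, et in MSDS_ENCTYPE_BITS.items() if msds_mask & bit)


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string (keytab counted_octet_string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # deleted slot: skip |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen                  # the key bytes themselves are not needed here
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno trailer
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries


def missing_enctypes(entries, principal, wanted):
    """Enctypes in `wanted` for which `principal` has no key in the keytab."""
    have = {et for name, _, et in entries if name == principal}
    return [et for et in wanted if et not in have]


def make_entry(principal, kvno, enctype, key):
    """Serialise one keytab entry (used only to build the constructed samples below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


PRINCIPAL = "HTTP/server@REALM"           # placeholder principal from the ktpass line
# Constructed sample keytabs with dummy key bytes (assumed, not real keys).
RC4_ONLY_KEYTAB = b"\x05\x02" + make_entry(PRINCIPAL, 3, RC4, b"\x11" * 16)
ALL_CRYPTO_KEYTAB = (b"\x05\x02"
                     + make_entry(PRINCIPAL, 3, RC4, b"\x11" * 16)
                     + make_entry(PRINCIPAL, 3, AES128, b"\x22" * 16)
                     + make_entry(PRINCIPAL, 3, AES256, b"\x33" * 32))


def report(data, principal, account_mask):
    """Which enctypes the keytab lacks for `principal`, and which AES types the account lacks."""
    missing = missing_enctypes(parse_keytab(data), principal, [AES256, AES128, RC4])
    account_missing = [et for et in (AES256, AES128) if et not in supported_enctypes(account_mask)]
    return {"keytab_missing": missing, "account_missing": account_missing}


if __name__ == "__main__":
    for label, kt in (("rc4-only keytab", RC4_ONLY_KEYTAB), ("crypto ALL keytab", ALL_CRYPTO_KEYTAB)):
        for name, kvno, et in parse_keytab(kt):
            print("%-18s %s kvno=%d %s" % (label, name, kvno, ENCTYPE_NAMES.get(et, et)))
        print("  gaps with AES boxes unchecked (mask 0x04):", report(kt, PRINCIPAL, 0x04))
```

An empty keytab_missing list together with an empty account_missing list is the state both solutions aim for. One caveat when applying Solution 1: ktpass with /pass sets the account password and bumps its kvno, so the kvno in the new keytab must match the account, and any older copy of the keytab on the Tomcat host stops working.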

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

[1] Solution 1: Stack Overflow