SPNEGO error: decryption key is of type NULL
windy Aug 28, 2012 4:36 AM
Hello!
I am currently trying to connect a JBoss 7.1.1 server to a Kerberos server using the jboss-negotiation-toolkit. The general authentication seems to work, since I have two valid tickets after opening the "secured" area:
% klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MYREALM
Valid starting       Expires              Service principal
28.08.2012 09:57:09  28.08.2012 19:57:09  krbtgt/MYREALM.TLD@MYREALM.TLD
        renew until 29.08.2012 09:57:07, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
28.08.2012 09:57:14  28.08.2012 19:57:09  HTTP/host@myrealm.tld@MYREALM.TLD
        renew until 29.08.2012 09:57:07, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
The basic and host checks of the toolkit also work as expected. Unfortunately, the authentication does not seem to work in JBoss; I receive an HTTP 401 code (authentication required).
The JBoss log shows this error:
ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http--0.0.0.0-8080-1) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788) [rt.jar:1.7.0_06]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) [rt.jar:1.7.0_06]
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) [rt.jar:1.7.0_06]
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_06]
at javax.security.auth.Subject.doAs(Subject.java:356) [rt.jar:1.7.0_06]
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
[...]
Caused by: KrbException: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169) [rt.jar:1.7.0_06]
at sun.security.krb5.KrbCred.<init>(KrbCred.java:131) [rt.jar:1.7.0_06]
at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282) [rt.jar:1.7.0_06]
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130) [rt.jar:1.7.0_06]
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771) [rt.jar:1.7.0_06]
... 35 more
Is there a decryption key missing? Why? The keytab file for JBoss is exactly the same (md5sum) as /etc/krb5.keytab.