
    Kerberos SPNEGO Authentication failure - Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

    dwj

      We are using Kerberos to authenticate from JBoss 7 on RH Linux --> Kerberos --> Windows AD, and have been unable to finish securing our application.  I have exhausted my troubleshooting and would greatly appreciate any assistance you can share.  I even went to the extent of patching the JDK with the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7. Here is the error I get when I attempt to access my application in a browser:

       

      13:43:35,682 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--10.170.111.100-8340-2) Login failure: javax.security.auth.login.LoginException: Continuation Required.

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_55]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_55]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]

              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_55]

              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_55]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]

              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.10.Final.jar:]

              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]

       

       

      13:43:35,791 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http--10.170.111.100-8340-2) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788) [rt.jar:1.7.0_55]

              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) [rt.jar:1.7.0_55]

              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) [rt.jar:1.7.0_55]

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_55]

              at javax.security.auth.Subject.doAs(Subject.java:356) [rt.jar:1.7.0_55]

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_55]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_55]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]

              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_55]

              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_55]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]

              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.10.Final.jar:]

              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]

      Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

              at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273) [rt.jar:1.7.0_55]

              at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144) [rt.jar:1.7.0_55]

              at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) [rt.jar:1.7.0_55]

              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771) [rt.jar:1.7.0_55]

              ... 35 more

       

       

      13:43:35,799 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--10.170.111.100-8340-2) Login failure: javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:163) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_55]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_55]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_55]

              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_55]

              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_55]

              at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_55]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.6.final.jar:4.0.6.final]

              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:215) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]

              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.10.Final.jar:]

              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]

              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]