2 Replies Latest reply on Oct 24, 2012 8:20 PM by deshi xiao

    SPNEGO error: decryption key is of type NULL

    Stephan Windmüller Newbie

      Hello!

       

      I am currently trying to connect a JBoss 7.1.1 server to a Kerberos server using the jboss-negotiation-toolkit. The general authentication seems to work, since I have two valid tickets after opening the "secured" area:

       

      % klist -e
      Ticket cache: FILE:/tmp/krb5cc_1000
      Default principal: user@MYREALM

      Valid starting       Expires              Service principal
      28.08.2012 09:57:09  28.08.2012 19:57:09  krbtgt/MYREALM.TLD@MYREALM.TLD
              renew until 29.08.2012 09:57:07, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
      28.08.2012 09:57:14  28.08.2012 19:57:09  HTTP/host@myrealm.tld@MYREALM.TLD
              renew until 29.08.2012 09:57:07, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1

       

      The basic and host checks of the toolkit also work as expected. Unfortunately, the authentication does not seem to work in JBoss; I receive an HTTP 401 code (authentication required).

       

      The JBoss log shows this error:

       

      ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http--0.0.0.0-8080-1) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL)
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788) [rt.jar:1.7.0_06]
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) [rt.jar:1.7.0_06]
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) [rt.jar:1.7.0_06]
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_06]
              at javax.security.auth.Subject.doAs(Subject.java:356) [rt.jar:1.7.0_06]
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
      [...]
      Caused by: KrbException: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL
              at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:169) [rt.jar:1.7.0_06]
              at sun.security.krb5.KrbCred.<init>(KrbCred.java:131) [rt.jar:1.7.0_06]
              at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:282) [rt.jar:1.7.0_06]
              at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:130) [rt.jar:1.7.0_06]
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771) [rt.jar:1.7.0_06]
              ... 35 more

       

      Is there a decryption key missing? Why? The keytab file for JBoss is exactly the same (md5sum) as /etc/krb5.keytab.