
Java Authentication against Active Directory, authentication mismatch?

So I have some code which I'm testing to make sure it works nicely for authentication. It works fine against straight kerberos, so I figured there should only be some minor hiccups with AD. Unfortunately, I cannot get around a KrbException: KDC has no support for encryption type (14).

I know the error is an encryption type mismatch. But I can kinit just fine, it's only in the code that I hit an issue. I'm not setting anything, so I think it should be inheriting the same defaults as kinit, but that obviously isn't the case.

The code:

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

// Runs inside the KerberosAuthenticator constructor, which has to declare or
// handle the checked javax.security.auth.login.LoginException thrown by login().
System.setProperty("sun.security.krb5.debug", "true");
System.setProperty("java.security.krb5.realm", "TEST.SQRRL.COM");
System.setProperty("java.security.krb5.kdc", "172.16.101.128");
System.setProperty("java.security.auth.login.config", "./conf/jaas.conf");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

// "Server" is the name of the entry in jaas.conf below. LoginCallbackHandler is
// the application's own CallbackHandler (not shown) that answers the password prompt.
LoginContext loginCtx = new LoginContext("Server", new LoginCallbackHandler("test".toCharArray()));
loginCtx.login();
Subject subject = loginCtx.getSubject();

and the jaas.conf:

Server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=false
    storeKey=true
    useTicketCache=true
    principal="accumulo@test.SQRRL.COM";
};

And, the stack trace:

>>>KRBError:
     sTime is Tue Nov 27 18:16:36 EST 2012 1354058196000
     suSec is 257213
     error code is 14
     error Message is KDC has no support for encryption type
     realm is test.SQRRL.COM
     sname is krbtgt/test.SQRRL.COM
     msgType is 30
javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
    at main.ServerImpl.<init>(ServerImpl.java:91)
    at main.PlugServer.run(PlugServer.java:22)
    at main.PlugServer.main(PlugServer.java:42)
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    ... 19 more
Exception in thread "main" java.lang.RuntimeException: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at main.PlugServer.run(PlugServer.java:36)
    at main.PlugServer.main(PlugServer.java:42)
Caused by: javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at authenticators.KerberosAuthenticator.<init>(KerberosAuthenticator.java:37)
    at main.ServerImpl.<init>(ServerImpl.java:91)
    at main.PlugServer.run(PlugServer.java:22)
    ... 1 more
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 15 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    ... 19 more

So, I got it past this stage. I can only guess that the DES support in active directory for Windows Server 2012 is broken, as I ended up tweaking my krb5.conf file and setting the two default ticket types and permitted types to just aes256-cts-hmac-sha1-96 and it worked for the one user. After enabling aes256 for other users in AD, it continued to work.
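As an added illustration of the krb5.conf change described in this answer (not code from the question or the answers): a small Python check that reads the enctype lists from a [libdefaults] section and reports whether the client's offer overlaps with the enctypes the KDC holds a key for, which is exactly the case the KDC rejects with error code 14 (KDC_ERR_ETYPE_NOSUPP), the code printed in the question's KRBError dump. The KDC's per-account key set and both config fragments are constructed assumptions; DES enctypes are disabled by default on Windows Server 2008 R2 and later, so an AD account there typically has only AES and RC4 keys.

```python
# Added example, not from the question or the answers: does the enctype list a
# krb5.conf [libdefaults] makes the client offer overlap with the enctypes the
# KDC holds a key for?  No overlap is what the KDC answers with error code 14
# (KDC_ERR_ETYPE_NOSUPP), the code shown in the question's KRBError dump.
import re

# Kerberos enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ETYPE = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
         "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
         "rc4-hmac": 23}
KDC_ERR_ETYPE_NOSUPP = 14

# Constructed assumption standing in for an AD account on Server 2012 with
# AES keys (the account's AES checkbox set) and RC4, and DES disabled.
AD_ACCOUNT_KEYS = {17, 18, 23}

# Constructed krb5.conf fragments: the failing one offers only DES types, the
# fixed one is the change the self-answer describes.
KRB5_DES_ONLY = """
[libdefaults]
    default_realm = TEST.SQRRL.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    permitted_enctypes = des-cbc-md5 des-cbc-crc
"""
KRB5_AES_ONLY = """
[libdefaults]
    default_realm = TEST.SQRRL.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96
    permitted_enctypes = aes256-cts-hmac-sha1-96
"""

def libdefaults_enctypes(conf, key="default_tkt_enctypes"):
    """Return the enctype numbers listed for `key` in [libdefaults]."""
    m = re.search(r"^\s*%s\s*=\s*(.+)$" % re.escape(key), conf, re.M)
    if not m:
        raise ValueError("no %s in [libdefaults]" % key)
    return [ETYPE[name] for name in m.group(1).split()]

def as_req_outcome(conf, kdc_keys=AD_ACCOUNT_KEYS):
    """Enctypes offered in the AS-REQ that the KDC can use, else error 14."""
    offered = libdefaults_enctypes(conf)
    usable = [e for e in offered if e in kdc_keys]
    if not usable:
        return {"error": KDC_ERR_ETYPE_NOSUPP, "offered": offered}
    return {"error": None, "usable": usable}
```

The same check can be pointed at a real krb5.conf by reading the file into `conf`; the KDC side stays an assumption unless you know the account's msDS-SupportedEncryptionTypes.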

You need to access the user's account and check the 'use kerberos DES encryption types' checkbox.

You'll need to log in to your DS as an admin to do this, of course.

Looking at init() in KDCRep.java, the only part that looks like it could be throwing your error is:


    if ((subDer.getTag() & 0x1F) == 0x00) {
        pvno = subDer.getData().getBigInteger().intValue();
        if (pvno != Krb5.PVNO) {
            throw new KrbApErrException(Krb5.KRB_AP_ERR_BADVERSION);
        }
    } else {
        throw new Asn1Exception(Krb5.ASN1_BAD_ID);
    }

It does seem a bit odd that the error's being printed as a KrbException, but it could work since KrbApErrException is a subclass of KrbException. init() can't throw any other subclasses of KrbException, though.

Scratch that. A better possibility is that it's one of the Asn1Exceptions in there, since the constructor in KrbAsRep.java catches and rethrows those errors as KrbExceptions (with an appropriate initCause that would match up pretty well with the stack trace).

"Identifier doesn't match expected value (906)" leads me to believe it's throwing an Asn1Exception(Krb5.ASN1_BAD_ID), since Krb5.ASN1_BAD_ID has value 906. That's not overly helpful, since that seems to be the default error in init().

See if you can generate the DerValue corresponding to your configuration and inspect it manually, seeing where init() would reject it, then step backward from there, looking at what part of your configuration created the erroneous bits.


Upon further inspection, the message "KDC has no support for encryption type" leads me to believe Krb5.KDC_ERR_ETYPE_NOSUPP must have been used. But, as that's only used for the default instance of Etype, that might not mean much.
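To make the two numbers in the trace concrete, an added example (not code from this answer or from the JDK): a minimal DER walk over a constructed KDC reply that follows the order the JDK's KrbAsRep uses, first treating the bytes as an AS-REP (APPLICATION 11), failing that tag check with ASN1_BAD_ID (906), then re-reading the same bytes as a KRB-ERROR (APPLICATION 30, matching the msgType 30 in the debug dump) to recover error-code 14. The sample message is constructed and carries only pvno, msg-type and error-code; a real KRB-ERROR also has stime, susec, realm and sname.

```python
# Added example, not code from the answer or the JDK: why the trace shows
# "Identifier doesn't match expected value (906)" under "KDC has no support
# for encryption type (14)".  KrbAsRep first decodes the reply as an AS-REP;
# a KRB-ERROR carries a different outer ASN.1 tag, so that fails with
# ASN1_BAD_ID, and the same bytes are then decoded as a KRB-ERROR to read
# the real error-code.
APP_AS_REP, APP_KRB_ERROR = 11, 30              # [APPLICATION n], RFC 4120
ASN1_BAD_ID, KDC_ERR_ETYPE_NOSUPP = 906, 14     # values from the JDK's Krb5 class

def tlv(tag, body):
    """DER tag-length-value; short-form length suffices for this sample."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def ctx(n, body):                 # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def integer(v):                   # single-byte non-negative INTEGER
    return tlv(0x02, bytes([v]))

def parse_tlv(buf, off=0):
    tag, length = buf[off], buf[off + 1]
    return tag, buf[off + 2:off + 2 + length], off + 2 + length

# Constructed sample KRB-ERROR with pvno 5, msg-type 30 and error-code 14; a
# real one also carries stime, susec, realm and sname.
SAMPLE_KRB_ERROR = tlv(0x60 | APP_KRB_ERROR, tlv(0x30,
    ctx(0, integer(5)) + ctx(1, integer(APP_KRB_ERROR)) + ctx(6, integer(14))))

def krb_error_code(der):
    """Walk the KRB-ERROR SEQUENCE and return its [6] error-code field."""
    tag, seq, _ = parse_tlv(der)
    if tag != (0x60 | APP_KRB_ERROR):
        raise ValueError("not a KRB-ERROR")
    _, fields, _ = parse_tlv(seq)
    off = 0
    while off < len(fields):
        ftag, fbody, off = parse_tlv(fields, off)
        if (ftag & 0x1F) == 6:
            return int.from_bytes(parse_tlv(fbody)[1], "big", signed=True)
    raise ValueError("KRB-ERROR without error-code")

def decode_as_reply(der):
    """Mimic KrbAsRep: try AS-REP first, fall back to KRB-ERROR."""
    if parse_tlv(der)[0] == (0x60 | APP_AS_REP):
        return {"as_rep": True}
    code = krb_error_code(der)    # reached only after the 906 tag failure
    return {"as_rep": False, "asn1_error": ASN1_BAD_ID, "kdc_error": code,
            "etype_mismatch": code == KDC_ERR_ETYPE_NOSUPP}
```

So the 906 is a consequence of the KDC answering with a KRB-ERROR rather than a bug in the reply itself; the error-code inside that message is the thing to act on.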
