| Back | Main view

User authentication failes when using Kerberos authentication type

Product:IMiS/ARChive
Release:9.7.x.x
Date:03/12/2018

Case: Kerberos authentication fails with unsupported encryption type. The content of log (/var/log/iarc/iarc.log) file may looks like:

03/06/18 10:41:21.424 [iarcd:17547:2529160000] ERR[3] Error occurred while authenticating user with Kerberos TGS. Reason: 'Error occurred while calling method 'authenticate'. Reason: com.imis.imisarc.server.aaa.AuthenticationException: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:380)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:26)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:10)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
  sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:522)
  sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
  sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
  sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
  sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:26)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:10)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)'.

Description:

Default java installation comes with limited JCE jurisdiction policy files which does not support AES256. Download JCE unlimited strength jurisdiction policy files for Java 1.8 and install included jars. Server must be restarted for the changes to take effect.

Java 1.8 JCE unlimited strength jurisdiction policy files link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Related Documents:



| Back | Main view