User authentication fails when using Kerberos authentication type

Product: IMiS/ARChive
Release: 9.7.x.x
Date: 03/12/2018

Case: Kerberos authentication fails with an unsupported encryption type error. The log file (/var/log/iarc/iarc.log) may contain an entry like:

03/06/18 10:41:21.424 [iarcd:17547:2529160000] ERR[3] Error occurred while authenticating user with Kerberos TGS. Reason: 'Error occurred while calling method 'authenticate'. Reason: com.imis.imisarc.server.aaa.AuthenticationException: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:380)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
  sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:26)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:10)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
  sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:522)
  sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
  sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
  sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
  sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
  sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:26)
  com.imis.imisarc.server.aaa.impl.KerberosValidateAction.run(KerberosValidateAction.java:10)
  java.security.AccessController.doPrivileged(Native Method)
  javax.security.auth.Subject.doAs(Subject.java:422)
  com.imis.imisarc.server.aaa.impl.KerberosTicketValidator.validate(KerberosTicketValidator.java:58)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticateKRBTGSv1(ActiveDirectory.java:363)
  com.imis.imisarc.server.aaa.impl.LdapDirectory.authenticate(LdapDirectory.java:387)
  com.imis.imisarc.server.aaa.impl.ActiveDirectory.authenticate(ActiveDirectory.java:19)'.

Description:

The default Java installation ships with limited JCE jurisdiction policy files, which do not support AES256. Download the JCE unlimited strength jurisdiction policy files for Java 1.8 and install the included JAR files. The server must be restarted for the changes to take effect.

Java 1.8 JCE unlimited strength jurisdiction policy files link: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
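
To confirm whether a JVM is running with the limited or the unlimited policy, before and after installing the files, the following added check (not part of IMiS/ARChive; the class name JcePolicyCheck is hypothetical) asks the JCE for the maximum permitted AES key length and then tries to initialise a cipher with a 256-bit key. It assumes it is run with the same Java installation that the server uses.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical class name): does this JVM permit AES-256? */
public class JcePolicyCheck {

    /** Maximum AES key length in bits allowed by the installed jurisdiction policy files. */
    static int maxAesBits() throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Tries to initialise AES with a key of the given size; the policy is enforced at init(). */
    static boolean canInit(int keyBits) {
        try {
            byte[] key = new byte[keyBits / 8]; // constructed all-zero test key, never used for real data
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                   new IvParameterSpec(new byte[16]));
            return true;
        } catch (GeneralSecurityException e) {
            // With the limited policy this is InvalidKeyException: Illegal key size
            System.out.println("  AES-" + keyBits + " init failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Print which Java installation is being tested, to compare with the server's
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        int max = maxAesBits();
        System.out.println("max AES key length allowed = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        boolean aes128 = canInit(128);
        boolean aes256 = canInit(256);
        System.out.println("AES-128 usable: " + aes128);
        System.out.println("AES-256 usable: " + aes256);

        if (!aes256) {
            System.out.println("RESULT: limited policy active, AES256 is not available");
            System.exit(1); // non-zero exit so the check can be scripted
        }
        System.out.println("RESULT: unlimited policy active, AES256 is available");
    }
}
```

Compile and run it with the `javac` and `java` binaries from the installation printed as java.home; a limited-policy JVM reports 128 bits and exits with status 1.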
