It appears that your application is looking for the "host/[EMAIL PROTECTED]" service principal, but you have set up the keytab with keys for the "HTTP/[EMAIL PROTECTED]" service principal. Please update your application with the expected service principal "HTTP/[EMAIL PROTECTED]".

Seema

david.turing wrote On 11/09/05 16:46,:

Hi, I have been dealing with this problem for a long time and got no response in the BEA forum.
I feel very exhausted when checking MIT's Kerberos mailing list and the Sun
security forum.
The problem is "KDC has no support for encryption type (14)" when I am
doing SSO between an MS domain and WebLogic.

I had set the account to use the DES encryption type for the host, but
nothing changed.

My steps are as below:
1)
First, generate the DES encryption type user account for the WebLogic
server, namely "weblogic", on Windows AD.


2)
Then, I generate the keytab using w2k's ktpass on the AD server:
c:\>ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc

and it turned out to be successful.

c:\>ktab -k dlsvr_keytab -a HTTP/[EMAIL PROTECTED]

and I placed dlsvr_keytab on the WebLogic server [weblogic].
I use kinit to check the keytab:
kinit -k -t dlsvr_keytab  HTTP/[EMAIL PROTECTED]

output is: New ticket is store in cache file C:\Documents and Setting ........

3) I modify the KDC Config file in c:\winnt

My W2KSP4 KDC Config is:
c:\winnt\krb5.ini-----------------------------

[libdefaults]

default_realm = DLSVR.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600

[realms]

DLSVR.COM = {
kdc = 192.168.2.231
admin_server = dlserver
default_domain = DLSVR.COM
}

[domain_realm]
.dlsvr.com= DLSVR.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true


The log shown in WebLogic told me that KDC has no support for
encryption type (14).
I tried to modify the registry entry as Sun mentions in JGSS, changing
allowtgtsessionkey,
which is located in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
I set allowtgtsessionkey=1, but nothing helps to prevent the "KDC has no
support for encryption type (14)".

The log in WebLogic is as below:
------------------------------------

<2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found
Negotiate with SPNEGO token>
KeyTab: load() entry length: 50
KeyTabInputStream, readName(): DLSVR.COM
KeyTabInputStream, readName(): host
KeyTabInputStream, readName(): weblogic
KeyTab: load() entry length: 44
KeyTabInputStream, readName(): dlsvr.com
KeyTabInputStream, readName(): weblogic
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: e9889c7a
crc32: 11101001100010001001110001111010
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbAsReq etypes are: 1
KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of
retries =3, #bytes=216
KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt
=1, #bytes=216
KrbKdcReq send: #bytes read=1217
KrbKdcReq send: #bytes read=1217
EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
crc32: 54c176ae
crc32: 1010100110000010111011010101110
KrbAsRep cons in KrbAsReq.getReply host/weblogic
Found key for host/[EMAIL PROTECTED]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
<2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS
exception GSSException: Failure unspecified at GSS-API level
(Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level:
KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)


Any help or advice would be highly appreciated!

david.turing
------------------------------------------------------------------------

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

