使用apache tomcat的Kerberos SSO異常

Question

我收到以下異常。嘗試使用Kerberos執行SSO時：

GSSException: Failure unspecified at GSS-API level (Mechanism level: 
Invalid argument (400) - Cannot find key of appropriate type to 
decrypt AP REP - RC4 with HMAC) 

我正在使用Ktpass生成密鑰。當我使用默認的加密選項時，它可以工作。 但是，當我加入「-crypto AES256-SHA1」的ktpass命令以下異常調用該函數org.ietf.jgss.GSSContext.acceptSecContext

我在Apache-tomact發展與Java 8時被拋出。

我的krb5.conf是

# Configuration snippets may be placed in this directory as well 
includedir /etc/krb5.conf.d/ 

[logging] 
default = FILE:/var/log/krb5libs.log 
kdc = FILE:/var/log/krb5kdc.log 
admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
dns_lookup_realm = false 
ticket_lifetime = 24h 
renew_lifetime = 7d 
forwardable = true 
rdns = false 
# default_realm = EXAMPLE.COM 
default_ccache_name = KEYRING:persistent:%{uid} 

[realms] 
# EXAMPLE.COM = { 
# kdc = kerberos.example.com 
# admin_server = kerberos.example.com 
# } 

[domain_realm] 
# .example.com = EXAMPLE.COM 
# example.com = EXAMPLE.COM 

Answer 1

你應該有默認TKT和TGS在您的krb5.conf enctypes地方

由於你的配置似乎工作，但不與加密選項= AES256-SHA1，添加下列值到您的krb5.conf（[libdefaults]下）：你可以分享你的krb5.conf

default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96