Why can't JDK 1.8.0u121 find the Kerberos default_tkt_enctypes type? (KrbException: no supported default etypes for default_tkt_enctypes)

Here are my environment details:

KDC server: Windows Server 2012

Target machine: Windows 7

JDK version: Oracle 1.8.0_121 (64-bit)

I get the following exception when running Java's kinit command on the Windows 7 machine:

 C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
 KrbException: no supported default etypes for default_tkt_enctypes
         at sun.security.krb5.Config.defaultEtype(Config.java:844)
         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Output of the command in debug mode:

 C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 >>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
 Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 >>> Kinit using keytab
 >>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
 Java config name: null
 LSA: Found Ticket
 LSA: Made NewWeakGlobalRef
 LSA: Found PrincipalName
 LSA: Made NewWeakGlobalRef
 LSA: Found DerValue
 LSA: Made NewWeakGlobalRef
 LSA: Found EncryptionKey
 LSA: Made NewWeakGlobalRef
 LSA: Found TicketFlags
 LSA: Made NewWeakGlobalRef
 LSA: Found KerberosTime
 LSA: Made NewWeakGlobalRef
 LSA: Found String
 LSA: Made NewWeakGlobalRef
 LSA: Found DerValue constructor
 LSA: Found Ticket constructor
 LSA: Found PrincipalName constructor
 LSA: Found EncryptionKey constructor
 LSA: Found TicketFlags constructor
 LSA: Found KerberosTime constructor
 LSA: Finished OnLoad processing
 Native config name: C:\Windows\krb5.ini
 Loaded from native config
 >>> Kinit realm name is DEVDEVELOPMENT.COM
 >>> Creating KrbAsReq
 >>> KrbKdcReq local addresses for dev26 are:
         dev26/192.168.1.229 IPv4 address
         dev26/fe80:0:0:0:78ae:388f:4f63:3717%11 IPv6 address
 >>> KdcAccessibility: reset
 >>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
 >>> KeyTabInputStream, readName(): HTTP
 >>> KeyTabInputStream, readName(): dev26.devdevelopment.com
 >>> KeyTab: load() entry length: 99; type: 18
 Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 Added key: 18version: 3
 Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
 KrbException: no supported default etypes for default_tkt_enctypes
         at sun.security.krb5.Config.defaultEtype(Config.java:844)
         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Here is the output of the ktpass command on the KDC server (Windows Server 2012) used to generate the tomcat_ad.keytab file:

 C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser devtcadmin@DEVDEVELOPMENT.COM /princ HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
 Targeting domain controller: dev.devdevelopment.com
 Using legacy password setting method
 Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
 Key created.
 Output keytab to C:\tomcat_ad.keytab:
 Keytab version: 0x502
 keysize 99 HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

Here are the contents of the krb5.ini file under C:\Windows on the Windows 7 machine:

 [libdefaults]
 default_realm=DEVDEVELOPMENT.COM
 default_keytab_name="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
 default_tkt_enctypes=aes256-cts-hmac-shal-96
 default_tgs_enctypes=aes256-cts-hmac-shal-96
 permitted_enctypes=aes256-cts-hmac-shal-96
 udp_preference_limit=1
 forwardable=true

 [realms]
 DEVDEVELOPMENT.COM={
   kdc=dev.devdevelopment.com:88
 }

 [domain_realm]
 devdevelopment.com=DEVDEVELOPMENT.COM
 .devdevelopment.com=DEVDEVELOPMENT.COM

Here is the output of Java's ktab command on the Windows 7 machine:

 C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
 Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
 KVNO Timestamp      Principal
 ---- -------------- ---------------------------------------------------------------------------------------
    3 1/1/70 5:30 AM HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM (18:AES256 CTS mode with HMAC SHA1-96)

I have also updated the JCE jar files under the C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.

What should be done to get past this exception?

Edit 1 (continuing from my 3rd comment):

Here is the output of the first kinit command with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:

 C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
 New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

And here is the output of the kinit command with the tomcat_ad.keytab file located in the C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf folder, after appending C:\Program Files\Java\jdk1.8.0_121\bin; to the path environment variable:

 C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

But this time the kinit command in debug mode gives the following exception:

 C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 >>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
 Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 >>> Kinit using keytab
 >>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
 Java config name: null
 LSA: Found Ticket
 LSA: Made NewWeakGlobalRef
 LSA: Found PrincipalName
 LSA: Made NewWeakGlobalRef
 LSA: Found DerValue
 LSA: Made NewWeakGlobalRef
 LSA: Found EncryptionKey
 LSA: Made NewWeakGlobalRef
 LSA: Found TicketFlags
 LSA: Made NewWeakGlobalRef
 LSA: Found KerberosTime
 LSA: Made NewWeakGlobalRef
 LSA: Found String
 LSA: Made NewWeakGlobalRef
 LSA: Found DerValue constructor
 LSA: Found Ticket constructor
 LSA: Found PrincipalName constructor
 LSA: Found EncryptionKey constructor
 LSA: Found TicketFlags constructor
 LSA: Found KerberosTime constructor
 LSA: Finished OnLoad processing
 Native config name: C:\Windows\krb5.ini
 Loaded from native config
 >>> Kinit realm name is DEVDEVELOPMENT.COM
 >>> Creating KrbAsReq
 >>> KrbKdcReq local addresses for dev26 are:
         dev26/192.168.1.229 IPv4 address
         dev26/fe80:0:0:0:78ae:388f:4f63:3717%11 IPv6 address
 >>> KdcAccessibility: reset
 Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
 Using builtin default etypes for default_tkt_enctypes
 default etypes for default_tkt_enctypes: 18 17 16 23.
 Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
 KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
         at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
         at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
         at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
         at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
         at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
         at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Why does the above command work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?
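Both debug runs in the question are decided before any packet reaches the KDC: the JDK parses the enctype names in [libdefaults], silently drops any spelling it does not recognise, and raises "no supported default etypes for default_tkt_enctypes" when nothing is left; with the lines commented out it falls back to its builtin list (18 17 16 23, as the second run shows) and then compares that list against the key types actually loaded from the keytab, which in the second run is empty. The script below is an added diagnostic, not code from the question, the answers, or the JDK: it parses a krb5.ini [libdefaults] section, validates the enctype names against a table of spellings (this example's own subset of what sun.security.krb5.Config accepts), reads a 0x502-format keytab to list its key types, and reports the same two conditions in the JDK's own words. The krb5.ini text and the keytab bytes are constructed here from the values in the question, with a dummy key. Note that `aes256-cts-hmac-shal-96` (with the letter l) is not a name the JDK knows, while `aes256-cts-hmac-sha1-96` is.

```python
"""Cross-check krb5.ini [libdefaults] enctype names against a keytab's key types.

Added diagnostic example; not code from the question, the answers, or the JDK.
KNOWN_ENCTYPES is this example's own subset of the spellings the JDK accepts.
The sample krb5.ini text and keytab bytes are constructed below with a dummy key.
"""
import re
import struct

# Enctype name -> etype number (RFC 3961/3962). Assumption: a subset of the names
# sun.security.krb5.Config recognises. A spelling missing from this table is
# dropped, which is what turns a typo into "no supported default etypes".
KNOWN_ENCTYPES = {
    "des-cbc-crc": 1, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17, "aes128-sha1": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "aes256-sha1": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
BUILTIN_DEFAULT_ETYPES = [18, 17, 16, 23]   # the list the question's debug output shows


def parse_libdefaults(ini_text):
    """Return {key: value} for the [libdefaults] section of a krb5.ini / krb5.conf."""
    section, values = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank or commented-out line
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def resolve_enctypes(libdefaults, key):
    """Return (recognised etype numbers, unrecognised names) for one enctype list,
    or (None, []) when the key is absent so the builtin defaults apply."""
    if key not in libdefaults:
        return None, []
    names = libdefaults[key].replace(",", " ").split()
    good = [KNOWN_ENCTYPES[n] for n in names if n in KNOWN_ENCTYPES]
    bad = [n for n in names if n not in KNOWN_ENCTYPES]
    return good, bad


def _counted(data, pos):
    """Read a 16-bit-length-prefixed string at pos; return (text, new_pos)."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Parse a format-0x502 (big-endian) keytab into [(principal, kvno, etype), ...].
    Key material is skipped, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if length == 0:
            break
        if length < 0:                    # negative length marks a deleted slot
            pos += -length
            continue
        end = pos + length
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, keylen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += keylen                     # skip the key bytes
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
    return entries


def diagnose(ini_text, keytab_bytes):
    """Return the problems the JDK would hit while building the AS-REQ, in its own words."""
    good, bad = resolve_enctypes(parse_libdefaults(ini_text), "default_tkt_enctypes")
    problems = [f"unrecognised enctype name '{n}' in default_tkt_enctypes" for n in bad]
    if good is None:
        good = BUILTIN_DEFAULT_ETYPES      # key absent or commented out
    elif not good:
        problems.append("no supported default etypes for default_tkt_enctypes")
        return problems                   # Config.defaultEtype stops here
    have = sorted({e for _, _, e in parse_keytab(keytab_bytes)})
    if not set(have) & set(good):
        problems.append("Do not have keys of types listed in default_tkt_enctypes "
                        f"available; only have keys of following type: {have}")
    return problems


# Constructed sample input mirroring the question's values (not the real files).
SAMPLE_KRB5_INI = r"""
[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
[realms]
DEVDEVELOPMENT.COM={
  kdc=dev.devdevelopment.com:88
}
"""


def build_keytab(realm, components, etype, key, kvno, name_type=1, timestamp=0):
    """Build a one-entry 0x502 keytab (constructed test data; the key is a dummy)."""
    def counted(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm)
    body += b"".join(counted(c) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = build_keytab("DEVDEVELOPMENT.COM", ["HTTP", "dev26.devdevelopment.com"],
                             18, b"\x11" * 32, kvno=3)   # entry length 99, as in the question

if __name__ == "__main__":
    print("as written:", diagnose(SAMPLE_KRB5_INI, SAMPLE_KEYTAB))
    print("typo fixed:", diagnose(SAMPLE_KRB5_INI.replace("shal", "sha1"), SAMPLE_KEYTAB))
    print("lines removed, empty keytab:", diagnose("[libdefaults]\ndefault_realm=X\n", b"\x05\x02"))
```

Run as-is, the first line reports the unrecognised name and the "no supported default etypes" error from the first debug run; the second line is empty once the name is spelled `sha1`; the third reproduces the second debug run, where the enctype lines are gone and the keytab yields no keys, so the builtin list has nothing to match. To check a real keytab instead of the constructed one, pass `open(path, "rb").read()` to `diagnose`; the parser only reports principal, kvno and etype, so the key bytes never leave the file.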

I have seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory and try again from that directory using the simpler command shown below. You don't need to append the Kerberos realm to the SPN, since you already defined the realm in krb5.conf, so I removed it.

 kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

If it still doesn't work, make sure you really do have the unlimited strength JCE jar files in the \lib\security directory. Even though you said so, a Java JRE upgrade can overwrite them.

Edit: On the "Account" tab of the AD user account devtcadmin, make sure the "This account supports Kerberos AES 256 bit encryption" checkbox is checked.

If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the four lines below as shown. They aren't needed, because Kerberos will use the highest encryption type possible anyway, and in Windows 7/2008 and above TCP is used by default, so you don't need to set the UDP preference limit.

 #default_tkt_enctypes=aes256-cts-hmac-shal-96
 #default_tgs_enctypes=aes256-cts-hmac-shal-96
 #permitted_enctypes=aes256-cts-hmac-shal-96
 #udp_preference_limit=1

Take a quick look at my TechNet article for further reference: Kerberos Keytabs – Explained

I saw a similar problem when trying to use the JDK's Kerberos support on Windows Server 2012R2 as a client, with a Linux server that was still using a "legacy" keytab. The error I saw was:

 KrbException: no supported default etypes for default_tkt_enctypes

To solve this interoperability problem, I looked at the OpenJDK source code and found a setting in EType.java called allow_weak_crypto:

OpenJDK9 EType.java

Adding this setting to my krb5.conf solved the problem for me:

 [libdefaults]
 allow_weak_crypto = true