Keycloak + Kerberos authentication: Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

I have the following

  1. Spring web application on JBoss EAP 7.2.2 - Machine CentOS
  2. Keycloak 3.3.4 on CentOS
  3. Active Directory

We run on OpenJDK 8

Users log in from Windows machines using their Active Directory accounts.

Keycloak is configured with a Kerberos user federation. On the CentOS machines a Kerberos client is installed using

yum install krb5-user krb5-doc
yum install krb5-pkinit krb5-workstation
yum install krb5-libs krb5-devel
yum install krb5-server krb5-workstation pam_krb5

In the Keycloak user federation, the keytab file path and other configurations are correct. This is confirmed by the Keycloak log file.

Realm: XYZ.COM
Server principal: HTTP/principal-name@REALM

Keytab file is generated using

ktpass.exe /out file.keytab /mapuser user-name@REALM /mapop set /princ HTTP/principal-name@REALM /ptype KRB5_NT_PRINCIPAL /pass XXXXXX /crypto RC4-HMAC-NT

In krb5.conf the following is entered:

default_tgs_enctypes = arcfour-hmac
default_tkt_enctypes = arcfour-hmac
permitted_enctypes = arcfour-hmac

The problem is that during login we get the exception:

Looking for keys for: HTTP/principal-name@REALM
2020-02-24 09:34:06,327 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-13) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:677)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:296)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)

at ...
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:906)
at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:169)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:132)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:122)
... 72 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
... 81 more

2020-02-24 09:34:06,328 INFO  [stdout] (default task-13)        [Krb5LoginModule]: Entering logout
2020-02-24 09:34:06,328 INFO  [stdout] (default task-13)        [Krb5LoginModule]: logged out Subject

I already did a lot of research and unfortunately excluded all possible reasons. The following tests were done:

klist -k {path to keytab file} -e

Result:

4 HTTP/principal-name@REALM arcfour-hmac

In Active Directory the msDS-KeyVersionNumber = 4

kinit HTTP/principal-name@REALM
klist -e

Result: ... Etype (skey, TKT) arcfour-hmac, aes256-cts-hmac-sha1-96

In summary, Keycloak is able to read the keytab, but it fails to look up a decryption key.

Can anyone help?

I already viewed this post: Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

And the following link: https://bugs.openjdk.java.net/browse/JDK-8193855

and many other posts, but no success.

Flyleaf answered 24/2, 2020 at 17:2 Comment(1)
Facing the same issue. Did you manage to fix it? @Rasha Elsayed - Goatsucker

You are using the following configuration: /crypto RC4-HMAC-NT

I had the same error because the keytab file was generated with the wrong /crypto configuration.

Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400)
Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)

You could try to generate a new keytab file using /crypto ALL with the ktpass command.

Bulter answered 15/12, 2021 at 13:16 Comment(0)
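
Added example, not part of the original question or answer: a minimal reader for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype and reports which of the three a given ticket fails to match, the comparison the question makes by hand with `klist -k -e` and `msDS-KeyVersionNumber`. The sample keytab is constructed with zeroed key bytes, and `parse_keytab`, `diagnose` and `_entry` are names chosen here.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        p, off = off + 4, off + 4 + abs(size)   # negative size = deleted slot
        if size <= 0:
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        p, parts = p + 2, []
        for _ in range(ncomp + 1):              # realm first, then name components
            s, p = _counted(data, p)
            parts.append(s.decode())
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # after name type, timestamp
        _key, p = _counted(data, p + 11)
        if off - p >= 4:                        # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        out.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return out

def diagnose(entries, principal, etype, kvno):
    """Say which lookup dimension (name, enctype, kvno) has no match."""
    mine = [(k, e) for p, k, e in entries if p == principal]
    if (kvno, etype) in mine:
        return "key found"
    if not mine:
        return "principal not in keytab"
    return "kvno mismatch" if any(e == etype for _, e in mine) else "enctype not in keytab"

def _entry(principal, kvno, etype, key):
    """Build one keytab entry (used only for the constructed sample)."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    name, realm = principal.split("@")
    comps = [cs(c.encode()) for c in name.split("/")]
    body = (struct.pack(">H", len(comps)) + cs(realm.encode()) + b"".join(comps)
            + struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one RC4 (etype 23) key at kvno 4, zero key bytes.
SAMPLE = b"\x05\x02" + _entry("HTTP/principal-name@REALM", 4, 23, bytes(16))
```

Enctype 23 is arcfour-hmac and 18 is aes256-cts-hmac-sha1-96; pass the enctype and kvno of the service ticket the client actually presents.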
