使用apache tomcat的Kerberos SSO异常

Question

我收到以下异常。尝试使用Kerberos执行SSO时：

GSSException: Failure unspecified at GSS-API level (Mechanism level: 
Invalid argument (400) - Cannot find key of appropriate type to 
decrypt AP REP - RC4 with HMAC) 

我正在使用Ktpass生成密钥。当我使用默认的加密选项时，它可以工作。 但是，当我加入“-crypto AES256-SHA1”的ktpass命令以下异常调用该函数org.ietf.jgss.GSSContext.acceptSecContext

我在Apache-tomact发展与Java 8时被抛出。

我的krb5.conf是

# Configuration snippets may be placed in this directory as well 
includedir /etc/krb5.conf.d/ 

[logging] 
default = FILE:/var/log/krb5libs.log 
kdc = FILE:/var/log/krb5kdc.log 
admin_server = FILE:/var/log/kadmind.log 

[libdefaults] 
dns_lookup_realm = false 
ticket_lifetime = 24h 
renew_lifetime = 7d 
forwardable = true 
rdns = false 
# default_realm = EXAMPLE.COM 
default_ccache_name = KEYRING:persistent:%{uid} 

[realms] 
# EXAMPLE.COM = { 
# kdc = kerberos.example.com 
# admin_server = kerberos.example.com 
# } 

[domain_realm] 
# .example.com = EXAMPLE.COM 
# example.com = EXAMPLE.COM 

Answer 1

你应该有默认TKT和TGS在您的krb5.conf enctypes地方

由于你的配置似乎工作，但不与加密选项= AES256-SHA1，添加下列值到您的krb5.conf（[libdefaults]下）：你可以分享你的krb5.conf

default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96 
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96