Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

Question

I\'m trying to setup SSO for Java WebApp using Kerberos/SpNego. I\'m using:

• Java 1.7u67
• org.springframework.security.kerberos 1.0.0.RELEASE

Answer 1

It turned out the error above resulted from two problems:

1. The service principal in the spring configuration was wrong. It was lxdetstpksvc01.mydomain.de@MYREALM.DE, but HTTP/lxdetstpksvc01.mydomain.de@MYREALM.DE is correct.

2. The Kvno in the keytab was not identical with the Kvno stored in the active directory. As stated on https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html Active Directory is raising the Kvno with every execution of ktpass. However I wasn't able to find the value (msDS-KeyVersionNumber) for it in our AD and could only grap it from the request.

Summarized the 'Cannot find key of appropriate type to decrypt ...' error can result from one of the following problems:

1. The service prinicpal in the spring security configuration is not identical with that from the keytab (param /princ from ktpass).
2. There is no key for the enctype the AD has send the ticket with (param /crypto from ktpass and set in the krb5.conf/permitted_enctypes+default_tkt_enctypes).
3. The Kvno from the ticket is different then the Kvno in the keytab (param /kvno from ktpass).
4. The path to the keytab is wrong (see answer from Xavier Portebois)
5. The process does not have permissions to read the keytab (See comment from user7610)