Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

Question

I\'m trying to setup SSO for Java WebApp using Kerberos/SpNego. I\'m using:

• Java 1.7u67
• org.springframework.security.kerberos 1.0.0.RELEASE

Answer 1

I've been struggling with this during 4 hours

the parameter "storeKey" set to true in the jaas file resolved the issue

Answer 2

We also got a Invalid argument (400) - Cannot find key of appropriate type to decrypt ... error.

This can simply be thrown if the path to the keytab is wrong (in our case, we forgot we got a docker volume mapping there).

So, be sure the keytab path is the right one, as this could fire this weird exception.

Answer 3

This can also be thrown if your using Active Directory as the KDC and the keytab user is configured for a different encryption setting than your keytab is using. In my case AES 128 was configured and I was expecting AES 256. A simple change of the configuration within AD resolved the issue.

Answer 4

In my case, the jaas config file of the server needed the parameter "storeKey" set to true.

Answer 5

The service prinicpal in the spring security configuration is not identical with that from the keytab (param /princ from ktpass).

In my case they were the same, but param /princ was not correct. HTTP and domain part must be uppercase.

Correct example:

HTTP/service.example.lan@EXAMPLE.LAN

Incorrect example:

http/service.example.lan@Eexample.lan

Answer 6

It turned out the error above resulted from two problems:

1. The service principal in the spring configuration was wrong. It was lxdetstpksvc01.mydomain.de@MYREALM.DE, but HTTP/lxdetstpksvc01.mydomain.de@MYREALM.DE is correct.

2. The Kvno in the keytab was not identical with the Kvno stored in the active directory. As stated on https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html Active Directory is raising the Kvno with every execution of ktpass. However I wasn't able to find the value (msDS-KeyVersionNumber) for it in our AD and could only grap it from the request.

Summarized the 'Cannot find key of appropriate type to decrypt ...' error can result from one of the following problems:

1. The service prinicpal in the spring security configuration is not identical with that from the keytab (param /princ from ktpass).
2. There is no key for the enctype the AD has send the ticket with (param /crypto from ktpass and set in the krb5.conf/permitted_enctypes+default_tkt_enctypes).
3. The Kvno from the ticket is different then the Kvno in the keytab (param /kvno from ktpass).
4. The path to the keytab is wrong (see answer from Xavier Portebois)
5. The process does not have permissions to read the keytab (See comment from user7610)