Here are my environment details:
KDC server: Windows Server 2012
Target machine: Windows 7
JDK version: Oracle 1.8.0_121 (64-bit)
I get the following exception when running Java's kinit command on the Windows 7 machine:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:844)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Command output in debug mode:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:
dev26/192.168.1.229
IPv4 address
dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:844)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Below is the output of the ktpass command on the KDC server (Windows Server 2012) used to generate the tomcat_ad.keytab file:
C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser devtcadmin@DEVDEVELOPMENT.COM /princ HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
Targeting domain controller: dev.devdevelopment.com
Using legacy password setting method
Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
Key created.
Output keytab to C:\tomcat_ad.keytab:
Keytab version: 0x502
keysize 99 HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)
Below are the contents of the krb5.ini file under C:\Windows on the Windows 7 machine:
[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true
[realms]
DEVDEVELOPMENT.COM={
kdc=dev.devdevelopment.com:88
}
[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM
Below is the output of Java's ktab command on the Windows 7 machine:
C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp Principal
---- -------------- ---------------------------------------------------------------------------------------
3 1/1/70 5:30 AM HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM (18:AES256 CTS mode with HMAC SHA1-96)
I have also updated the JCE jar files under the C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.
What should be done to overcome this exception?
Edit 1 (continuing from my 3rd comment):
Below is the output of the first kinit command, with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin
Below is the output of the kinit command, with the tomcat_ad.keytab file in the C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf folder and after appending C:\Program Files\Java\jdk1.8.0_121\bin; to the PATH environment variable:
C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin
But this time the kinit command in debug mode throws the following exception:
C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:
dev26/192.168.1.229
IPv4 address
dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Why does the above command work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?
Answer 0 (score: 4)
I have seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory, then try again from that directory using the simpler command shown below. You don't need to append the Kerberos realm to the SPN, because you have already defined the realm in krb5.conf, so I removed it.
kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
If it still doesn't work, make sure you really do have the unlimited-strength JCE jar files in the \lib\security directory. Even though you said you do, a Java JRE upgrade can overwrite them.
Edit: on the Account tab of the AD user account devtcadmin, make sure the box "This account supports Kerberos AES 256 bit encryption" is checked.
If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the four lines below as shown. They are not required, because Kerberos will use the highest available encryption type anyway, and on Windows 7/2008 and later TCP is used by default, so you don't need to set the UDP preference limit.
#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1
For further reference, have a quick look at my TechNet article: Kerberos Keytabs – Explained
Answer 1 (score: 1)
I ran into a similar problem when trying to use the JDK's Kerberos support on Windows Server 2012R2 as a client, where the Linux server was still using a 'legacy' keytab. The error I saw was:
KrbException: no supported default etypes for default_tkt_enctypes
To work around this interoperability problem, I looked at the OpenJDK source and found a setting in EType.java called allow_weak_crypto:
Adding this setting to my krb5.conf solved the problem for me:
[libdefaults]
allow_weak_crypto = true
Answer 2 (score: 0)
This is an old post, but it looks like one problem is the use of an "l" instead of a "1" in the encryption type, i.e. "aes256-cts-hmac-sha1-96" should be used instead of "aes256-cts-hmac-shal-96".