Why is JDK1.8.0u121 unable to find the kerberos default_tkt_enctypes types? (KrbException: no supported default etypes for default_tkt_enctypes)
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me) and cite the original address.
Original: http://stackoverflow.com/questions/42998255/
Asked by Shiva
Following are my environment details:
KDC Server: Windows Server 2012
Target machine: Windows 7
JDK Version: Oracle 1.8.0_121 (64 bit)
I'm getting the following exception when running Java's kinit command on the Windows 7 machine:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:844)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Command output in debug mode:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:
dev26/192.168.1.229
IPv4 address
dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/[email protected]
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
at sun.security.krb5.Config.defaultEtype(Config.java:844)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Following is the output of the ktpass command on the KDC server (Windows Server 2012) used to generate the tomcat_ad.keytab file:
C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
Targeting domain controller: dev.devdevelopment.com
Using legacy password setting method
Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
Key created.
Output keytab to C:\tomcat_ad.keytab:
Keytab version: 0x502
keysize 99 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)
Following is the content of the krb5.ini file at C:\Windows on the Windows 7 machine:
[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name=“C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true
[realms]
DEVDEVELOPMENT.COM={
kdc=dev.devdevelopment.com:88
}
[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM
Following is the output of Java's ktab command on the Windows 7 machine:
C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp Principal
---- -------------- ---------------------------------------------------------------------------------------
3 1/1/70 5:30 AM HTTP/[email protected] (18:AES256 CTS mode with HMAC SHA1-96)
I have also updated the JCE jar files under the C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.
What should be done to overcome this exception?
EDIT 1 (continued from my 3rd comment):
Following is the output of the first kinit command with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:
C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin
And, following is the output of the kinit command with the tomcat_ad.keytab file at C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab, after appending C:\Program Files\Java\jdk1.8.0_121\bin; to the path environment variable:
C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin
BUT the kinit command in debug mode this time gives the following exception:
C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:
dev26/192.168.1.229
IPv4 address
dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Why do the above commands work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?
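As an added example (not code from the question, the answers, or the JDK), the following Python script reproduces offline the two checks behind the exceptions quoted above: it maps each name in default_tkt_enctypes to its etype number the way the JDK's Kerberos provider does, dropping names it does not recognise, and then parses a version 0x502 keytab to see which of those etypes the principal actually has a key for. The enctype name table is an assumed subset of the JDK's table; the keytab, its placeholder key bytes and the krb5.ini fragments are constructed for the example. Run with the enctype spelling from the krb5.ini shown above it reports the first exception; run with a keytab that holds no key for the principal it reports the second.

```python
"""Offline check of krb5.ini [libdefaults] enctypes against a keytab, mirroring
the two checks sun.security.krb5 makes before kinit sends an AS-REQ.
Added example, not code from the StackOverflow post or the JDK."""
import struct
from typing import Dict, List, Tuple

# Enctype names -> etype numbers as (assumption) the JDK 8 Kerberos provider
# resolves them; a subset, the reference is sun.security.krb5.Config.
ENCTYPE_NAMES: Dict[str, int] = {
    "des-cbc-crc": 1, "des-cbc-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
    "aes128-cts": 17, "aes128-sha1": 17, "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts": 18, "aes256-sha1": 18, "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
# Fallback list seen in the question's debug output when the key is absent.
BUILTIN_DEFAULT_ETYPES = [18, 17, 16, 23]


def parse_libdefaults(ini_text: str) -> Dict[str, str]:
    """Tiny krb5.ini reader: key=value pairs from [libdefaults] only."""
    section, out = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out


def resolve_enctypes(value: str) -> Tuple[List[int], List[str]]:
    """Map a comma/space separated enctype list to numbers. Unknown names are
    dropped silently, which is what turns a typo into 'no supported etypes'."""
    known, unknown = [], []
    for name in value.replace(",", " ").split():
        etype = ENCTYPE_NAMES.get(name.lower())
        if etype is None:
            unknown.append(name)
        else:
            known.append(etype)
    return known, unknown


def _cos(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length prefix."""
    return struct.pack(">H", len(data)) + data


def build_keytab(realm: str, components: List[str], name_type: int,
                 timestamp: int, kvno: int, etype: int, key: bytes) -> bytes:
    """Write a one-entry version 0x502 keytab (constructed test data)."""
    body = struct.pack(">H", len(components)) + _cos(realm.encode())
    for comp in components:
        body += _cos(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno)
    body += struct.pack(">H", etype) + _cos(key)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def keytab_key_etypes(blob: bytes, principal: str) -> List[int]:
    """Return the etypes of every key stored for `principal` in a 0x502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, found = 2, []

    def take(p: int) -> Tuple[bytes, int]:
        (n,) = struct.unpack(">H", blob[p:p + 2])
        return blob[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size <= 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        realm, pos = take(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = take(pos)
            comps.append(comp.decode())
        (etype,) = struct.unpack(">H", blob[pos + 9:pos + 11])  # after type, ts, vno8
        if "/".join(comps) + "@" + realm.decode() == principal:
            found.append(etype)
        pos = end                # skips the key bytes and any 32-bit vno
    return found


def diagnose(ini_text: str, keytab: bytes, principal: str) -> str:
    """Reproduce the JDK's decision: which etypes can the AS-REQ offer?"""
    cfg = parse_libdefaults(ini_text)
    if "default_tkt_enctypes" in cfg:
        wanted, unknown = resolve_enctypes(cfg["default_tkt_enctypes"])
        if not wanted:
            return ("no supported default etypes for default_tkt_enctypes"
                    f" (unrecognised names: {unknown})")
    else:
        wanted = BUILTIN_DEFAULT_ETYPES
    have = keytab_key_etypes(keytab, principal)
    usable = [e for e in wanted if e in have]
    if not usable:
        return ("Do not have keys of types listed in default_tkt_enctypes"
                f" available; only have keys of following type: {have}")
    return f"ok: AS-REQ would offer etypes {usable}"


# Constructed sample data (key bytes are a placeholder, not the question's key).
PRINCIPAL = "HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM"
KEYTAB = build_keytab("DEVDEVELOPMENT.COM", ["HTTP", "dev26.devdevelopment.com"],
                      1, 0, 3, 18, b"\x11" * 32)
INI_TYPO = ("[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\n"
            "default_tkt_enctypes=aes256-cts-hmac-shal-96\n")  # spelling from the question
INI_OK = INI_TYPO.replace("shal", "sha1")
INI_NONE = "[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\n"

if __name__ == "__main__":
    print(diagnose(INI_TYPO, KEYTAB, PRINCIPAL))
    print(diagnose(INI_OK, KEYTAB, PRINCIPAL))
    print(diagnose(INI_NONE, b"\x05\x02", PRINCIPAL))  # empty keytab, builtin list
```

The constructed keytab entry is 99 bytes long, the same entry length the debug output above reports for the real one, which is a quick way to confirm the parser walks the 0x502 layout correctly. The same script can be pointed at a real krb5.ini and keytab by reading them from disk and passing the bytes and text to diagnose().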
Accepted answer by T-Heron
I've seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory and try again with the simpler command shown below from within that directory. You don't need to append the Kerberos realm to the SPN since you have the realm defined already in krb5.conf, so I removed it.
kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
If it still doesn't work, be sure you really do have the unlimited strength JCE jar files inside the \lib\security directory. Although you said you did, a Java JRE upgrade can overwrite them.
EDIT: On the Account tab of the AD user account devtcadmin, ensure the box "This account supports Kerberos AES 256 bit encryption" is checked.
If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the four lines below as shown. They are not required, as Kerberos is going to use the highest possible encryption types anyway, and in Windows 7/2008 and above, TCP is used by default so you do not need to set the UDP preference limit.
#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1
Take a quick glance at my TechNet article for further reference on this: Kerberos Keytabs – Explained
Answer by Gerhard Poul
I saw a similar issue when trying to use the JDK's Kerberos support from a Windows Server 2012R2 as a client with a Linux server that was still using a 'legacy' keytab. The error I was seeing was:
KrbException: no supported default etypes for default_tkt_enctypes
To fix this interoperability issue I looked at the OpenJDK source and found a setting in EType.java called allow_weak_crypto:
Adding this setting to my krb5.conf solved the issue for me:
[libdefaults]
allow_weak_crypto = true