Kerberos, SSO authentication doubt
I have an internal Java 17 spring-boot application with SSO validation using Kerberos and SPNEGO. Our setup includes the following:
AD: Azure AD
KDC: Multiple (Local)
Application Host Server: Azure cloud
Application Server: Tomcat 10.1
For Kerberos validation I've created a unique user in AD with admin privileges and enabled AES encryption types (AES-256, AES-128, RC4-HMAC) for both the user and the computer. I also generated a keytab file, configured Tomcat with the appropriate credentials, and set up the krb5.ini and jass.conf.ini files.
Despite these configurations, I keep encountering the error "Unable to decrypt AES-256." No matter what changes I make, the issue persists.
Can anybody guide me on configuring SSO?
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use /help ping.
Warning: abusing this will result in moderative actions taken against you.
Can you show the relevant code and the full stack trace?
Sure.
@dan1st | Daniel
I've attached the error message as a text file. We have configured GPM -> Forest: test.local -> Domains -> test.local -> Default domain configurations. On the right side, under Delegation, include KERBEROS_USER.
Included the same in Security Filtering. Right-click -> Edit (will open the GPM Editor).
In the GPM Editor: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> 1) Account Policies -> Kerberos, 2) Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos (Enable: RC4-HMAC, AES128 & AES256).
Maybe check https://stackoverflow.com/q/31877027/10871900 (there are multiple answers, some may be more relevant than others)
and then also https://stackoverflow.com/a/70362746/10871900
Also why are you using SHA1?
Thanks for the links. In Kerberos authentication, SHA-1 is used for integrity verification; we have used it since we began because it was available by default. I'm also planning to move to SAML-based SSO.
Regarding this issue: it seems we had missed configuring the users in the GPO. Now it's working.
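The "Unable to decrypt AES-256" symptom in this thread (the "Cannot find key of appropriate type to decrypt AP REP" error in the linked answers) means the KDC encrypted the service ticket with an enctype and key version for which the service's keytab holds no matching key. As an added example, not code from the thread or from any of the linked answers, this Python parser lists what an MIT-format keytab actually contains and checks whether the key the KDC would have used is present; the SPN, realm, kvno and key bytes in the sample keytab are constructed.

```python
import struct

# Enctype numbers from RFC 3962 (AES) and MS-KILE (23 = RC4-HMAC).
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    (n,) = struct.unpack_from(">H", buf, off)   # counted octet string: uint16 length + bytes
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                          # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, off = _counted(data, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, off = _counted(data, off)
                comps.append(comp)
            vno8 = data[off + 8]              # after uint32 name_type, uint32 timestamp
            enctype, klen = struct.unpack_from(">HH", data, off + 9)
            off += 13 + klen                  # step over the key bytes; never keep them
            # An optional trailing 32-bit kvno takes precedence when present and non-zero.
            kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
            entries.append(("/".join(comps) + "@" + realm, kvno,
                            ENCTYPES.get(enctype, "enctype-%d" % enctype)))
        off = end
    return entries

def has_key(entries, principal, kvno, enctype):
    """True if the keytab holds a key for the (principal, kvno, enctype) the KDC used."""
    return (principal, kvno, enctype) in entries

def _entry(comps, realm, kvno, enctype, key):
    # Build one keytab entry: constructed test data only, key bytes are dummies.
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed keytab: the SPN has RC4 and AES-128 keys at kvno 3 but no AES-256 key.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(["HTTP", "app.test.local"], "TEST.LOCAL", 3, 23, b"\x11" * 16)
                 + _entry(["HTTP", "app.test.local"], "TEST.LOCAL", 3, 17, b"\x22" * 16))
```

On a real host, run `parse_keytab(open("/path/to/service.keytab", "rb").read())` and compare the kvno and enctype list against what the KDC currently issues for the SPN; a missing aes256 entry or a stale kvno after a password reset is the usual cause.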