Kerberos, SSO authentication doubt
I have an internal Java 17 spring-boot application with SSO validation using Kerberos and SPNEGO. Our setup includes the following:
AD: Azure AD
KDC: Multiple (Local)
Application Host Server: Azure cloud
Application Server: Tomcat 10.1
For Kerberos validation I've created a unique user in AD with admin privileges and enabled AES encryption types (AES-256, AES-128, RC-HMAC) for both the user and the computer. I also generated a keytab file, configured Tomcat with the appropriate credentials, and set up the krb5.ini and jass.conf.ini files.
Despite these configurations, I keep encountering the error: "Unable to decrypt AES-256." No matter what changes I make, the issue persists.
Can anybody guide me on configuring SSO?
💤
Post marked as dormant
This post has been inactive for over 300 minutes, thus, it has been archived.
If your question was not answered yet, feel free to re-open this post or create a new one.
In case your post is not getting any attention, you can try to use /help ping.
Warning: abusing this will result in moderative actions taken against you.
Can you show the relevant code and the full stack trace?
Sure.
@dan1st | Daniel
I've attached the error message as a text file. We have configured GPM -> Forest: test.local -> Domains -> test.local -> Default domain configurations. On the right side, under Delegation, include KERBEROS_USER.
Included the same in security filtering. Right-click -> Edit (this opens the GPM Editor).
In GPM Editor, Computer Configuration -> Policies -> Windows Settings -> Security Settings -> 1) --> Account Policies -> Kerberos, 2) --> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos (Enable: RC4-HMAC, AES128 & AES256).
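One way to see what the keytab mentioned in the question actually contains, as an added example that is not part of the thread: it lists each entry's principal, key version number and encryption type, so they can be compared with the types enabled in the policy above. It assumes an MIT-format keytab (file version 0x0502); the principal `HTTP/app.test.local` and the all-zero keys are constructed sample data.

```python
import struct

# Enctype numbers for the three types named in the thread (IANA Kerberos registry).
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _parse_entry(rec):
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                      # 16-bit length followed by that many bytes
        nonlocal off
        n = take(">H")
        off += n
        return rec[off - n:off]
    ncomp = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    take(">I"); take(">I")              # name type, timestamp (unused here)
    kvno, etype, key = take(">B"), take(">H"), counted()
    if len(rec) - off >= 4:             # optional 32-bit kvno overrides the 8-bit one
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "kvno": kvno,
            "etype": ENCTYPES.get(etype, f"etype-{etype}"), "key_bits": len(key) * 8}

def parse_keytab(data):
    """List the entries of an MIT-format keytab (file format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                    # negative size marks a deleted slot to skip
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def missing_enctypes(entries, wanted=tuple(ENCTYPES.values())):
    """Return the wanted encryption types that have no key in the keytab."""
    have = {e["etype"] for e in entries}
    return [w for w in wanted if w not in have]

def _sample_entry(kvno, etype, key):    # builds a CONSTRUCTED entry, not real key material
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + cs(b"TEST.LOCAL") + cs(b"HTTP") + cs(b"app.test.local")
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + _sample_entry(3, 18, bytes(32)) + _sample_entry(3, 23, bytes(16))
```

To inspect a real file, pass its bytes to `parse_keytab` (for example `open(path, "rb").read()`) and compare the reported kvno and encryption types with what the service account has in AD.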