Re: Crypto with the Kerberos Login Handler
Ristow Rodrigo
rodrigo.ristow at fhnw.ch
Tue Jan 3 15:36:47 GMT 2012
Hi Frederic,
We have the Kerberos IdP working in our organization with:
- Windows Server 2003 (AD) and Windows 7 clients
- The "use DES encryption type" is not enabled for the user.
- java version "1.6.0_20" OpenJDK Runtime Environment (IcedTea6 1.9.10) (rhel-1.23.1.9.10.el5_7-i386)
The principal/keytab were created with:
ktpass -princ HTTP/aai-logon.dev.fhnw.ch@DOMAIN.DS.FHNW.CH
-mapuser DOMAIN\serviceadmin.aaidevsso
-crypto rc4-hmac-nt
-ptype KRB5_NT_SRV_HST
-pass HIDDEN
-out c:\aaidevsso.edu.keytab
I suggest the following steps to verify the problem:
1 - Check the ticket once more on the client side: you can use klist from the Microsoft SDK (http://msdn.microsoft.com/de-de/windowsserver/bb980924).
The "HTTP/idp@DOMAIN" ticket must be present (try to log in again if not). Check the encryption type again; in my case:
C:\Program Files\Microsoft SDKs\Windows\v7.0>klist
Current LogonId is 0:0xxxx
Cached Tickets: (xx)
(...)
#x> Client: myname @ DOMAIN.DS.FHNW.CH
Server: HTTP/aai-logon.fhnw.ch @ ADM.DS.FHNW.CH
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0xxxxxxxx -> forwardable renewable pre_authent
Session Key Type: RSADSI RC4-HMAC(NT)
...
2 - Check the ticket on the IdP. Maybe it is better not to use the keytab file for now, e.g.
[root@]# kinit HTTP/aai-logon.fhnw.ch@ADM.DS.FHNW.CH
Password: xxxx
[root@]# klist -e -5
Ticket cache: FILE:/tmp/xxxx_0
Default principal: HTTP/aai-logon.fhnw.ch at ADM.DS.FHNW.CH
Valid starting Expires Service principal
01/03/xxxx:08:04 01/04/xx 01:08:05 krbtgt/ADM.DS.FHNW.CH@ADM.DS.FHNW.CH
renew until 01/04/xxxx:xx:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
3 - Check the Key Version Number (KVNO). I saw that you are passing "kvno 0" to ktpass; if the ticket has a kvno, it must match the one in the keytab file.
[root@aai-logon shibboleth-idp]# kvno HTTP/aai-logon.fhnw.ch@ADM.DS.FHNW.CH
HTTP/aai-logon.fhnw.ch@ADM.DS.FHNW.CH: kvno = x
4 - Try to configure the Kerberos IdP with the kerberosCfg and password options (without a keytab), e.g.
<ph:LoginHandler xsi:type="krb:KERBEROS"
...
kerberosCfg="/etc/krb5.conf">
<krb:Realm domain="DOMAIN.FHNW.CH">
<krb:principal>HTTP/aai-logon.test.fhnw.ch@ADM.DS.FHNW.CH</krb:principal>
<krb:password>xxx</krb:password>
</krb:Realm>
</ph:LoginHandler>
5 - Specify the allowed enctypes (http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html) in the krb.ini, e.g.
[libdefaults]
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
...
I hope that helps,
Rodrigo
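Steps 1 to 3 above come down to one question: does the keytab on the IdP hold a key of the same enctype and the same kvno as the service ticket the KDC is issuing? The following is an added example, not code from this thread or from Shibboleth, that parses an MIT-format keytab offline and answers that question. The principal HTTP/idp.example.org@EXAMPLE.ORG, the kvno values and the key bytes are constructed sample data (the keytab is built in memory, not written by ktpass); on a real IdP you would read the file ktpass produced, take the ticket enctype from the klist output and the kvno from the kvno command.

```python
"""Added example: parse an MIT-format keytab and check it against what the KDC issues."""
import struct

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}  # "RSADSI RC4-HMAC(NT)" in klist, rc4-hmac-nt in ktpass
KEYTAB_MAGIC = b"\x05\x02"                             # keytab format version 2
SAMPLE_PRINCIPAL = "HTTP/idp.example.org@EXAMPLE.ORG"  # constructed, not from the thread


def _counted(b):
    return struct.pack(">H", len(b)) + b               # counted_octet_string


def build_keytab(entries, timestamp=0):
    """Serialize [(principal, kvno, enctype, key_bytes), ...] as version-2 keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">II", 1, timestamp)       # name_type KRB5_NT_PRINCIPAL, timestamp
        body += struct.pack(">B", kvno & 0xFF)         # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                # 32-bit vno; overrides vno8 when non-zero
        out += struct.pack(">i", len(body)) + body     # entry length excludes this field
    return bytes(out)


def parse_keytab(data):
    """Return [{principal, kvno, enctype, enctype_name, key}, ...] from keytab bytes."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                   # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        pos += 8                                       # skip name_type and timestamp
        kvno = data[pos]
        enctype, klen = struct.unpack_from(">HH", data, pos + 1)
        key = data[pos + 5:pos + 5 + klen]
        pos += 5 + klen
        if end - pos >= 4:                             # optional 32-bit vno follows the key
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "key": key,
                        "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype)})
    return entries


def check_ticket_against_keytab(entries, principal, ticket_enctype, kdc_kvno):
    """Can a service ticket for `principal`, issued with `ticket_enctype` (the type klist
    shows) at key version `kdc_kvno` (what `kvno` reports), be decrypted with this keytab?
    Returns (ok, reason). Either mismatch leaves the IdP unable to decrypt the ticket."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return False, "no entry for %s in keytab" % principal
    same_type = [e for e in mine if e["enctype"] == ticket_enctype]
    if not same_type:
        have = ", ".join(sorted({e["enctype_name"] for e in mine}))
        want = ENCTYPE_NAMES.get(ticket_enctype, "enctype %d" % ticket_enctype)
        return False, "ticket uses %s but keytab only has %s" % (want, have)
    if not any(e["kvno"] == kdc_kvno for e in same_type):
        have = sorted({e["kvno"] for e in same_type})
        return False, "kvno mismatch: KDC issues kvno %d, keytab has %s" % (kdc_kvno, have)
    return True, "matching key found (%s, kvno %d)" % (same_type[0]["enctype_name"], kdc_kvno)


def sample_entries():
    """Constructed keytab with an rc4-hmac and an aes256 key for one principal at kvno 3."""
    return parse_keytab(build_keytab([(SAMPLE_PRINCIPAL, 3, 23, b"\x11" * 16),
                                      (SAMPLE_PRINCIPAL, 3, 18, b"\x22" * 32)]))


if __name__ == "__main__":
    for e in sample_entries():
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print(check_ticket_against_keytab(sample_entries(), SAMPLE_PRINCIPAL, 23, 3))  # ok
    print(check_ticket_against_keytab(sample_entries(), SAMPLE_PRINCIPAL, 23, 4))  # kvno bumped
    print(check_ticket_against_keytab(sample_entries(), SAMPLE_PRINCIPAL, 3, 3))   # no DES key
```

On a real IdP, call parse_keytab on the bytes of the keytab ktpass wrote and pass in the enctype from the client's klist output (RSADSI RC4-HMAC(NT) is enctype 23) and the number reported by the kvno command. The two failure cases in the demo are the ones the steps above are designed to catch: the KDC has moved to a newer kvno than the keytab (for example after the account password was reset and ktpass run again), and the ticket was issued with an enctype for which the keytab holds no key.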
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of MOTTE Frederic
Sent: Tuesday, 20 December 2011 08:09
To: users at shibboleth.net
Subject: Crypto with the Kerberos Login Handler
Hi,
I have an AD on Windows 2008 R2 and the IdP is on Debian (JDK 1.6.0_29-b11).
I have some problems using the Kerberos login handler.
My first test was to create a keytab using the RC4-HMAC crypto.
C:\Users\Administrateur>ktpass -princ HTTP/idp.cersso.com@CERSSO.COM -pass Master2008 -mapuser idp -out c:\temp\idp.http.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT kvno 0
When I use it on the Debian platform to run kinit, it's OK, but when I use it in the loginHandler configuration, I get a checksum exception. In the wiki, the possible solutions are to activate DES in the user profile or update the JDK version (if under 1.5.xxx).
Consequently, I tried to create a keytab with the DES-CBC-MD5 crypto option, and when I run kinit to validate the keytab, I get the following error:
kinit (v5), KDC has no support for encryption type while getting initial credentials.
Can you help me in order to solve the crypto problem?
Thanks for any help.
Frederic