Why is JDK1.8.0u121 unable to find the kerberos default_tkt_enctypes types? (KrbException: no supported default etypes for default_tkt_enctypes)


Problem description

Following are my environment details:-

KDC Server : Windows Server 2012

Target machine : Windows 7

JDK Version : Oracle 1.8.0_121 (64 bit)

I'm getting the following exception on running Java's kinit command on the Windows 7 machine :-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Command output in debug mode:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Following is the output of the ktpass command on the KDC server (Windows Server 2012) to generate the tomcat_ad.keytab file :-

C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser devtcadmin@DEVDEVELOPMENT.COM /princ HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: dev.devdevelopment.com
    Using legacy password setting method
    Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
    Key created.
    Output keytab to C:\tomcat_ad.keytab:
    Keytab version: 0x502
    keysize 99 HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

Following is the content of the krb5.ini file at C:\Windows on the Windows 7 machine :-

[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true

[realms]
DEVDEVELOPMENT.COM={
    kdc=dev.devdevelopment.com:88
}

[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM

Following is the output of Java's ktab command on Windows 7 machine :-

C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp      Principal
---- -------------- ---------------------------------------------------------------------------------------
   3 1/1/70 5:30 AM HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM (18:AES256 CTS mode with HMAC SHA1-96)

I have also updated the JCE jar files under C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.

What should be done to overcome this exception?

EDIT 1 (continued from my 3rd comment) :-

Following is the output of the first kinit command with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

And, following is the output of the kinit command with the tomcat_ad.keytab file at C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab, after appending C:\Program Files\Java\jdk1.8.0_121\bin; to the PATH environment variable:-

C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

BUT the kinit command in debug mode this time gives the following exception :-

C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Why do the above commands work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?

Recommended answer

I've seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory and try again with the simpler command shown below from within that directory. You don't need to append the Kerberos realm to the SPN since you have the realm defined already in krb5.conf, so I removed it.

kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

If it still doesn't work, be sure you really do have the unlimited strength JCE jar files inside the \lib\security directory. Although you said you did, a Java JRE upgrade can overwrite them.

On the Account tab of the AD user account devtcadmin, ensure the box "This account supports Kerberos AES 256 bit encryption" is checked.

If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the four lines below as shown. They are not required, as Kerberos is going to use the highest possible encryption types anyway, and in Windows 7/2008 and above, TCP is used by default so you do not need to set the UDP preference limit.

#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1

Take a quick glance at my TechNet article for further reference on this: Kerberos Keytabs – Explained
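A small checker, added here as an example (it is not part of the question or the answer), that models how the JDK's krb5 Config turns the default_tkt_enctypes line into etype numbers and then intersects them with the key types found in the keytab, reproducing both error messages from the kinit output above: an enctype name the JDK cannot map (such as the "shal" spelling in the question's krb5.ini) yields "no supported default etypes", and a recognised name with no matching keytab key yields "Do not have keys of types listed". The alias table, the builtin default list and the weak-type filter are simplified assumptions about the JDK's behaviour, and the keytab's key types are passed in as a set (18 for the AES256 key listed by ktab).

```python
import re
# Simplified model of the names the JDK's krb5 Config maps to etype numbers
# (an assumption: a subset of the aliases the JDK accepts, not its full table).
ETYPE_NAMES = {
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "aes256-sha1": 18,
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17, "aes128-sha1": 17,
    "des3-cbc-sha1": 16, "rc4-hmac": 23, "arcfour-hmac-md5": 23,
    "des-cbc-crc": 1, "des-cbc-md5": 3,
}
BUILTIN_DEFAULTS = [18, 17, 16, 23]  # the builtin list shown in the debug output
WEAK = {1, 3, 23}                    # DES/RC4: dropped unless allow_weak_crypto is true

def libdefaults(ini_text):
    """Key=value pairs of the [libdefaults] section; '#' comment lines are ignored."""
    section, values = None, {}
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            values[key.lower()] = value
    return values

def resolve_etypes(ini_text, keytab_etypes, allow_weak=False):
    """Model of Config.defaultEtype + EType.getDefaults: returns (usable etypes,
    problems) and produces the two messages seen in the kinit output above."""
    cfg, problems, wanted = libdefaults(ini_text), [], []
    if "default_tkt_enctypes" not in cfg:
        wanted = list(BUILTIN_DEFAULTS)
    for name in re.split(r"[\s,]+", cfg.get("default_tkt_enctypes", "").strip()):
        if name.lower() in ETYPE_NAMES:
            wanted.append(ETYPE_NAMES[name.lower()])
        elif name:  # a misspelt name maps to no etype at all; report it explicitly
            problems.append(f"unknown enctype name {name!r}")
    supported = [e for e in wanted if allow_weak or e not in WEAK]
    if not supported:
        return [], problems + ["no supported default etypes for default_tkt_enctypes"]
    usable = [e for e in supported if e in keytab_etypes]
    if not usable:
        problems.append("Do not have keys of types listed in default_tkt_enctypes "
                        f"available; only have keys of following type: {sorted(keytab_etypes)}")
    return usable, problems

# Constructed sample: the question's default_tkt_enctypes line with its 'shal' spelling.
QUESTION_INI = "[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\n" \
               "default_tkt_enctypes=aes256-cts-hmac-shal-96\n"
FIXED_INI = QUESTION_INI.replace("shal", "sha1")  # the spelling the JDK recognises
```

Commenting the line out (as the answer suggests) makes the checker fall back to the builtin defaults, which is why the plain kinit then succeeds against the AES256 keytab.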
