Why is JDK1.8.0u121 unable to find the kerberos default_tkt_enctypes types? (KrbException: no supported default etypes for default_tkt_enctypes)

Below are my environment details:-

KDC server: Windows Server 2012

Target machine: Windows 7

JDK version: Oracle 1.8.0_121 (64-bit)

I am getting the following exception when running Java's kinit command on the Windows 7 machine:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Command output in debug mode:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Below is the output of the ktpass command run on the KDC server (Windows Server 2012) to generate the tomcat_ad.keytab file:-

C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser devtcadmin@DEVDEVELOPMENT.COM /princ HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: dev.devdevelopment.com
    Using legacy password setting method
    Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
    Key created.
    Output keytab to C:\tomcat_ad.keytab:
    Keytab version: 0x502
    keysize 99 HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

Below are the contents of the krb5.ini file in C:\Windows on the Windows 7 machine:-

[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name=“C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true

[realms]
DEVDEVELOPMENT.COM={
    kdc=dev.devdevelopment.com:88
}

[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM

Below is the output of Java's ktab command on the Windows 7 machine:-

C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp      Principal
---- -------------- ---------------------------------------------------------------------------------------
   3 1/1/70 5:30 AM HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM (18:AES256 CTS mode with HMAC SHA1-96)

I have also updated the JCE jar files under the C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.

How should I overcome this exception?

Edit 1 (following my 3rd comment):-

Below is the output of the first kinit command, with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

And below is the output of the kinit command with the tomcat_ad.keytab file in the C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf folder, after adding C:\Program Files\Java\jdk1.8.0_121\bin; to the path environment variable:-

C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

But this time the kinit command in debug mode gives the following exception:-

C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Why does the above command work after commenting out those lines in the C:\Windows\krb5.ini file? And why does the kinit command in debug mode output the above exception?

I have seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory, then retry from that directory using the simpler command shown below. You don't need to append the Kerberos realm to the SPN, since you have already defined the realm in krb5.conf, so I removed it.

kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

If it still doesn't work, make sure you actually have the unlimited strength JCE jar files in the \lib\security directory. Despite what you said, a Java JRE upgrade can overwrite them.

Edit: On the AD user account devtcadmin, Account tab, make sure the box "This account supports Kerberos AES 256 bit encryption" is checked.

If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the following four lines, as shown. They are not required, since Kerberos will use the highest encryption type possible anyway, and in Windows 7/2008 and later TCP is used by default, so you don't need to set the UDP preference limit.

#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1

Take a quick look at my TechNet article for further reference: Kerberos Keytabs – Explained

I ran into a similar problem when trying to use the JDK's Kerberos support from Windows Server 2012R2 as a client, while the Linux server was still using a 'legacy' keytab. The error I saw was:

KrbException: no supported default etypes for default_tkt_enctypes

To resolve this interoperability issue, I looked at the OpenJDK source code and found a setting in EType.java called allow_weak_crypto:

Adding this setting to my krb5.conf solved my problem:

[libdefaults]
       allow_weak_crypto = true

This is an old post, but it looks like one issue is the use of 'l' instead of '1' in the encryption type, i.e. instead of "aes256-cts-hmac-shal-96" it should be "aes256-cts-hmac-sha1-96".
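The selection that Java performs before sending the AS-REQ, and that fails twice in the question, as an added Python example that is not part of the question or of any answer above and is not the JDK's own code. It builds a keytab entry in the 0x0502 layout ktpass reported (the 99-byte entry, kvno 3, etype 18), lists it the way ktab -l -e does, reads the enctype names from a krb5.ini [libdefaults] section and reproduces the outcomes discussed on this page: the 'shal' spelling from the question (the slip named in the last answer) matches no known enctype name, so the list comes out empty and the "no supported default etypes" error follows; the corrected spelling, or the commented-out lines from the first answer, leave a list that contains the etype 18 key the keytab holds; a keytab with no entry for the principal gives the "Do not have keys of types listed" error from Edit 1 (note that the failing debug run in Edit 1 reads the keytab from a Tomcat 8.5 path while the successful run reads Tomcat 8.0, and prints no "KeyTab: load()" line); and a DES-only list is dropped unless allow_weak_crypto is set, as in the second answer. Assumptions, labelled in the code: the enctype name table is the set I expect JDK 8 to accept in krb5.ini, the weak set filtered out without allow_weak_crypto is the two single-DES types (consistent with the builtin list 18 17 16 23 in the debug log), the 32-byte key is a constructed dummy, and the JCE policy check (on 8u121 AES256 only counts as supported with the unlimited-strength policy files) is not modelled.

```python
import difflib
import struct

# Enctype names -> numbers. Assumption: the set JDK 8 recognises in krb5.ini.
ENCTYPE_NAMES = {
    "des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16, "des3-hmac-sha1": 16,
    "des3-cbc-sha1-kd": 16, "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "rc4-hmac": 23,
    "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
}
WEAK_ETYPES = {1, 3}                 # dropped unless allow_weak_crypto = true (JDK 8)
BUILTIN_DEFAULTS = [18, 17, 16, 23]  # "default etypes ...: 18 17 16 23" in the log
SPN = "HTTP/dev26.devdevelopment.com@DEVDEVELOPMENT.COM"

def build_keytab(realm, components, name_type, timestamp, kvno, etype, key):
    """Serialise one entry in keytab format 0x0502; returns the whole file."""
    def counted(s):
        b = s.encode()
        return struct.pack(">H", len(b)) + b
    entry = struct.pack(">H", len(components)) + counted(realm)
    entry += b"".join(counted(c) for c in components)
    entry += struct.pack(">IIB", name_type, timestamp, kvno)  # 8-bit vno, no 32-bit tail
    entry += struct.pack(">HH", etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(entry)) + entry

def parse_keytab(data):
    """Return [(principal, kvno, etype), ...] per entry, like ktab -l -e."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    def take(fmt):  # unpack at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        strings = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = take(">H")
            strings.append(take(f">{n}s")[0].decode())
        _name_type, _timestamp, vno8 = take(">IIB")
        etype, klen = take(">HH")
        pos += klen  # skip the key bytes themselves
        kvno = take(">I")[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
        pos = end
    return entries

def libdefaults(ini_text):
    """Minimal krb5.ini reader: key=value pairs inside [libdefaults] only."""
    section, out = None, {}
    for raw in ini_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def check(ini_text, keytab_bytes, principal):
    """Mirror the JDK's etype selection; return findings (empty list = OK)."""
    cfg, findings = libdefaults(ini_text), []
    allow_weak = cfg.get("allow_weak_crypto", "false").lower() == "true"
    names = cfg.get("default_tkt_enctypes", "").replace(",", " ").split()
    wanted = [] if names else list(BUILTIN_DEFAULTS)  # builtin list when unset
    for name in names:
        if name in ENCTYPE_NAMES:
            wanted.append(ENCTYPE_NAMES[name])
        else:  # the JDK drops unknown names silently; we at least say so
            hint = difflib.get_close_matches(name, ENCTYPE_NAMES, n=1)
            findings.append(f"unknown enctype name {name!r}"
                            + (f", did you mean {hint[0]!r}?" if hint else ""))
    if not allow_weak:
        wanted = [e for e in wanted if e not in WEAK_ETYPES]
    if not wanted:
        findings.append("no supported default etypes for default_tkt_enctypes")
        return findings
    have = {e for p, _, e in parse_keytab(keytab_bytes) if p == principal}
    if not have & set(wanted):
        findings.append("Do not have keys of types listed in default_tkt_enctypes "
                        f"available; only have keys of following type: {sorted(have)}")
    return findings

# Constructed inputs: principal, kvno 3 and etype 18 as in the ktpass output; dummy key.
KEYTAB = build_keytab("DEVDEVELOPMENT.COM", ["HTTP", "dev26.devdevelopment.com"],
                      1, 0, 3, 18, bytes(range(32)))
INI_TYPO = "[libdefaults]\ndefault_realm=DEVDEVELOPMENT.COM\n" + "".join(
    f"{k}=aes256-cts-hmac-shal-96\n"  # the 'l' for '1' slip from the question
    for k in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"))
INI_FIXED = INI_TYPO.replace("shal", "sha1")
INI_COMMENTED = "".join(("#" if "enctypes=" in l else "") + l for l in INI_TYPO.splitlines(True))
```

Calling check(INI_TYPO, KEYTAB, SPN) returns the unknown-name finding with the "did you mean" hint followed by the "no supported default etypes" message; check(INI_FIXED, KEYTAB, SPN) and check(INI_COMMENTED, KEYTAB, SPN) return an empty list; check(INI_COMMENTED, b"\x05\x02", SPN), a keytab with no entries, returns the "Do not have keys of types listed" message with an empty type list, which is the shape of the error in Edit 1. Run it against a real keytab by replacing KEYTAB with open(path, "rb").read().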