Java 17 Update - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
I have a productive Java application using Kerberos for SSO.
After I update Java from version 16 to 17, I run into the following Error:
Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:169)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:132)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:122)
... 73 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(Unknown Source)
at java.security.jgss/sun.security.krb5.KrbApReq.<init>(Unknown Source)
at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
... 83 more
ktpass /crypto ALL was used to create the keytab file.
Error Cause
After a bit of research I came across the following JDK 17 Security Enhancements:
Deprecate 3DES and RC4 in Kerberos
3DES and RC4 Kerberos encryption types have now been disabled by default. Both 3DES and RC4 are weak encryption algorithms that should not be used. The Kerberos 3DES and RC4 encryption types are officially deprecated in RFC 8429.
By default the des3-hmac-sha1 and rc4-hmac encryption types are now disabled, but can be re-enabled, at your own risk, by setting the allow_weak_crypto property to true in the krb5.conf configuration file. However, note that will also re-enable other weak encryption types that are already disabled such as des-cbc-crc and des-cbc-md5. Alternatively, set the default_tkt_enctypes, default_tgs_enctypes, and permitted_enctypes properties to the encryption types that are allowed.
Issue: JDK-8139348
Solution 1 - use AES 128/256 encryption:
The preferred solution is, to configure the AD/Kerberos to use AES 128 or 256 bit encryption.
Mostly the following seems to be enough, but there can be other configurations in the AD or GPOs that block AES encryption:
The service-user configured for kerberos (used to create the keytab file) needs the following configuration:
Afterwards on the machine running the java application, run:
klist purge
Solution 2 - workaround -> allow weak encryption
For I quick workaround (maybe you are not the admin of the AD or need to wait for a maintenance window) the following worked for me:
Create or use the existing krb5.conf file, add:
[libdefaults]
allow_weak_crypto=true
Start the java application using:
-Djava.security.krb5.conf=%CONF_LOCATION%/krb5.conf
- Replacement for the deprecated URL(URL context, String spec) constructor that also works with older Java versions
- How to use WebClient to execute synchronous request?
- SpringBoot 2 the elements were left unbound
- Manually converting a string to an integer in Java
- Java is asking to return a value even when the value is returned in the if-else ladder
- Bounded PriorityBlockingQueue
- HSEARCH000151: Unable to get input stream from object of type byte
- How to get a resources path after jlink-ing?
- Error - trustAnchors parameter must be non-empty
- Build WHERE clause dynamically based on filter in queryDSL
- Best practice to select data using Spring JdbcTemplate
- Doubling each letter in a String
- To find the next work day
- Create advanced search in JPA through user defined dynamic where clause conditions
- Flink task manager does not unload classes
- Implicit casts in Java (passing value type wrappers to methods expecting a regular Integer or Long)
- How do I send an e-mail in Java?
- In Java Failing to invoke method with parameters even though seems to match the getMethod() call
- SQL server hanged suddenly - all DB connections are active but no response - SQL server 2016
- In Java how to synchronize cache read and write operations
- Unable to connect to the remote Cassandra datacenter with the options provided in error
- Creating a hierarchy of Java subclasses
- how to return a list of employee's names with the highest pay rate in java
- "Unsupported class file error" on a Vaadin 14 project
- Does Spring @Transactional attribute work on a private method?
- How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
- Prevent Kafka Streams Consumer from writing offsets / wait for one stream to consume all records before starting the second stream
- Why does my SQL while(set.next()) skips the first element?
- Combine multiple lists in Java
- How to map from Page<ObjectOne> to Page<ObjectTwo> in Spring Data 2?