[SOLVED] JDK 17 (Java 17) +Kerberos authentication fail

JDK 17 (Java 17) +Kerberos authentication fail

Facing a very annyoing issue with JDK 17 upgrade and new Kerberos auth that is supported.

Problem: JDK 17 Kerberos does not support rc4-hmac anymore, as is marked as non secured. INFO: Kerberos Deprecate 3DES and RC4 in Kerberos 3DES and RC4 Kerberos encryption types have now been disabled by default. Both 3DES and RC4 are weak encryption algorithms that should not be used. The Kerberos 3DES and RC4 encryption types are officially deprecated in RFC 8429.
What needs to be done:

generate new keytab files with the new supported encryption types:
aes128-cts-hmac-sha1-96 or aes128-cts-hmac-sha256-128
update the service user in AD (Active directory , 2 checkboxes to support the new encryption types.

Error that we cannot get out of:

Caused by: sun.security.krb5.KrbException: KDC has no support for encryption type (14)
at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:69)
at java.security.jgss/sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:224)
at java.security.jgss/sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:235)
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:482)
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:34
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:31
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
at java.security.jgss/sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:493)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:700)
... 39 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at java.security.jgss/sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at java.security.jgss/sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54)
... 47 common frames omitted

Are we missing something?

All on the pipe is updated to support the new encryption types+ the keytab.conf files.

Thank you!

Solution

The solution was to use a gMSA account for the MSSQL server connection.

JDK 17 app--> JDK17 aes128-cts-hmac-sha256-128 keytab--> call to MSSQL server with userid--> resolve via gMSA account.

So the MSSQL part did not accept firstly the new encryption type.