SSO has stopped working in our Spring app since we upgraded to Java 17 with upgraded Spring libraries. I am getting the following error during authentication, which relates to the fact that Java 17 disabled RC4.
SSO works fine for me only if I set allow_weak_crypto to "true". I am looking for custom settings to make SSO work without setting allow_weak_crypto to "true".
I tried the below without luck; do you have any suggestions?
Caused by: sun.security.krb5.KrbException: Encryption type RC4 with HMAC is not supported/enabled
at java.security.jgss/sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:544) ~[java.security.jgss:na]
at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273) ~[java.security.jgss:na]
at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) ~[java.security.jgss:na]
at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139) ~[java.security.jgss:na]
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:837) ~[java.security.jgss:na]
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 rc4 arcfour-hmac rc4-hmac arcfour-hmac-md5 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 rc4 arcfour-hmac rc4-hmac arcfour-hmac-md5 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 rc4 arcfour-hmac rc4-hmac arcfour-hmac-md5 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp
Allow RC4 HMAC while keeping allow_weak_crypto as false
Don't do that. That's a self-contradictory requirement, as rc4-hmac literally is "weak crypto".
KrbException: Encryption type RC4 with HMAC is not supported/enabled
When you're getting this message, it means that either the service or the client only have weak keys available, but the solution isn't to allow the weak keys – the solution is to add strong keys.
I would first remove the enctype-related settings from krb5.conf. I'm not sure if they're needed on Java Kerberos, but they're definitely not needed for MIT Kerberos nor Heimdal Kerberos.
Then run klist -ket <file> against your service's keytab to check what service keys you have. If there's no AES in the list – rotate the service account's password, reissue the keytab, then have the user run klist purge (Windows) or kinit -R (Linux) to flush any old tickets they may have.
Then, if you're on AD, check the service's AD account to verify that it has the "Enable AES128" and "Enable AES256" checkboxes set under advanced account settings. (This corresponds to msDS-SupportedEncryptionTypes of 28.) If changes were made, again have the user flush their tickets.
Finally, if that did not help (or if your service already had AES keys), then change the client's password so that the KDC would store new keys for the user account.
(With AD, the "Enable AES" checkboxes are not needed for client accounts – the client system already tells the KDC what enctypes it supports, so the AD KDC just always stores all key types.)
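To make the two checks in the answer above mechanical, here is an added Python example (not code from the answer or the original post): it parses a constructed sample of MIT klist -ket output to flag principals whose keytab has no AES key, and decodes an msDS-SupportedEncryptionTypes bitmask such as the value 28 mentioned above. The sample keytab listing, the principal name and the bit-to-enctype mapping are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of MIT `klist -ket` output for a service keytab (not from the post).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:00:00 HTTP/app.example.com@EXAMPLE.COM (arcfour-hmac)
   3 01/15/2024 10:00:00 HTTP/app.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:00:00 HTTP/app.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""
# The same keytab before rotation: only an RC4 key, the state that triggers the KrbException.
RC4_ONLY_KLIST = "\n".join(SAMPLE_KLIST.splitlines()[:4]) + "\n"

AES_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}
# One key row looks like: "KVNO date time principal (enctype)".
_KEY_ROW = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")

def keytab_enctypes(klist_output: str) -> Dict[str, List[str]]:
    """Map each principal in `klist -ket` output to the enctypes of its keys."""
    keys: Dict[str, List[str]] = {}
    for line in klist_output.splitlines():
        m = _KEY_ROW.match(line)
        if m:
            keys.setdefault(m.group(1), []).append(m.group(2))
    return keys

def principals_without_aes(klist_output: str) -> List[str]:
    """Principals with no AES key in the keytab: the KDC can only issue them RC4/DES
    service tickets, so rotate the password and reissue the keytab for each one."""
    return [p for p, ets in keytab_enctypes(klist_output).items()
            if not AES_ENCTYPES.intersection(ets)]

# Bit values of the AD msDS-SupportedEncryptionTypes attribute (assumed standard mapping).
MSDS_ENCTYPE_BITS = {0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
                     0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96"}

def decode_msds_enctypes(value: int) -> List[str]:
    """Expand the bitmask into enctype names, lowest bit first (28 -> RC4 + both AES)."""
    return [name for bit, name in sorted(MSDS_ENCTYPE_BITS.items()) if value & bit]

def account_supports_aes(value: int) -> bool:
    """True when either 'Enable AES' checkbox is set (bit 0x08 or 0x10)."""
    return bool(value & 0x18)
```

Run principals_without_aes on the real output of klist -ket against your keytab; every principal it returns needs the password rotation and keytab reissue described above before allow_weak_crypto can stay false.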