SSO not working: "Do not have keys of types listed in default_tkt_enctypes"

Hi,

this drives me crazy! :frowning: For one week I've been trying to get SSO to work. I reinstalled the whole Windows Server several times. I tried Windows Server 2008 R2 and Windows Server 2012. I installed them in a VirtualBox VM. I only installed Active Directory (incl. DNS) and then I'm trying to get SSO to work.

So I installed Openfire (3.7.x and also 3.8.x). I tried the included Java version of Openfire and also the latest version of Java.

I used this tutorial: http://community.igniterealtime.org/docs/DOC-1060

And also this one: http://community.igniterealtime.org/docs/DOC-1362

When I call **kinit xmpp/servername.mydomain@REALM -t -k xmpp.keytab** I always get the following error:

Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

Why is no type listed in the error message?

If I open my xmpp.keytab with ktab it shows the xmpp principal, so the keytab file seems to be correct.

I don't know what to do now, because I can't find any solution for this error with Google, etc.

Best regards,

Sascha

What's your domain level set to? If it's 2008 R2, then you'll need to enable DES encryption types, as DES is disabled by default.

On Windows Server 2008 R2 I set it to Windows Server 2008 R2 and on Windows Server 2012 to Windows Server 2012.

Where do I have to enable DES? I thought AD only supports rc4-hmac? For example ktpass uses rc4-hmac-nt as default for creating the keytab file.

Regards,

Sascha

EDIT:

I reinstalled AD with "Windows Server 2003" as the level, but still the same error.

I also set "Use DES …" for the AD user "xmpp-openfire". And I set the encryption types for Kerberos with gpedit. But I still get the same error message :frowning:

It's been a while since I've set SSO up on a 2008 R2 (and higher) domain. If I have time tomorrow to spin up a couple of servers in a lab, I'll check it out and let you know what needs to happen.

Thanks a lot for your help! :slight_smile:

I got it working. After enabling DES, etc. I realized that I had the parameters after "kinit" in the wrong order:

instead of "kinit -t -k xmpp.keytab" it has to be "kinit -k -t xmpp.keytab" (I made this mistake because I also used ktab, and there you have to use "-k" to specify the filename).

Now kinit is working and creates a ticket without prompting for a password, but Openfire is still unable to use SSO:

I fired up a lab today and went through the install process. Hope this helps:

http://community.igniterealtime.org/docs/DOC-2585

Thank you so much for your work! :slight_smile:

Could you please describe in detail what you mean by "Must have PTR record for openfire server"?

My domain is: domain.mirabyte.com

My Servername (Computer) is: mserver

In the settings of Openfire I specified:

xmpp.domain = mserver

xmpp.fqdn = mserver.domain.mirabyte.com

The IP is: 192.168.10.56

I added a Reverse Lookup Zone (10.168.192.in-addr.arpa) and a PTR in this zone (192.168.10.56 and mserver.domain.mirabyte.com)

Where do I have to add another PTR and which values do I have to use?

btw: The host for the PTR is "mserver.domain.mirabyte.com." (dot at the end!). Is this correct? I did not enter this dot. I don't know why Windows added the dot at the end of the hostname field for that PTR.

Regards,

Sascha

EDIT:

When I use ktab to create the keytab file and check the file with kinit, I get the following error:

Exception: krb_error 0 Checksum failed No error
KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.decrypt(Unknown Source)
at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.resolve(Unknown Source)
at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
... 9 more

It looks like it might be a problem with your keytab. Also, make sure that you only have one user account mapped to the server with the SPN.
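An added example, not code from the thread or from the Openfire documentation: a small Python script that parses a keytab (the MIT 0x0502 format that ktpass and Java's ktab write), lists principal, kvno and enctype for each key, and intersects those enctypes with the JVM's default_tkt_enctypes. The list after "only have keys of following type:" in the first error above is the set of key types the JVM actually loaded for the principal, so an empty list means no key was loaded at all (wrong file or, as found above, wrong argument order), while a non-empty list that does not overlap default_tkt_enctypes means the keytab and krb5.conf disagree on enctypes. The sample keytab bytes, the zero key material and the assumed Java default enctype list are constructed for the example; the principal name follows the thread's hostname.

```python
"""Inspect a Kerberos keytab (MIT v0x0502 format, as written by ktpass/ktab)
and check its key types against the JVM's default_tkt_enctypes.
Added example; the sample keytab below is constructed, not a real one."""
import struct
import sys

# Enctype numbers from RFC 3961/3962 and RFC 4757 (rc4-hmac).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Assumed JVM default when krb5.conf sets nothing and allow_weak_crypto is
# false; the DES types (1, 3) are only added when allow_weak_crypto = true.
JAVA_DEFAULT_TKT_ENCTYPES = (18, 17, 16, 23)


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key_bytes) tuples as a keytab.
    Only used to construct the offline sample; ktpass/ktab do this for real."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">I", 1)             # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)             # timestamp, irrelevant here
        body += struct.pack(">B", kvno & 0xFF)   # 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)          # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(data, pos):
    """uint16 length-prefixed octet string at pos -> (bytes, next pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return a dict per live entry: principal, kvno, etype, etype_name."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # deleted slot occupying -size bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        pos += 8                     # name_type (4) + timestamp (4)
        kvno = data[pos]
        pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip the key material itself
        if end - pos >= 4:           # 32-bit vno present; 0 means "use vno8"
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown(%d)" % etype),
        })
    return entries


def usable_etypes(entries, principal, default_tkt_enctypes=JAVA_DEFAULT_TKT_ENCTYPES):
    """Key types kinit can actually use for the AS-REQ: the keytab's types for
    that principal intersected with default_tkt_enctypes.  An empty result is
    what raises 'Do not have keys of types listed in default_tkt_enctypes'."""
    have = {e["etype"] for e in entries if e["principal"] == principal}
    return sorted(have & set(default_tkt_enctypes))


# Constructed sample: the thread's service principal with an rc4-hmac key
# (ktpass default) plus a des-cbc-md5 key; key bytes are zeros, not real keys.
XMPP_PRINCIPAL = "xmpp/mserver.domain.mirabyte.com@DOMAIN.MIRABYTE.COM"
SAMPLE_KEYTAB = build_keytab([
    (XMPP_PRINCIPAL, 3, 23, bytes(16)),
    (XMPP_PRINCIPAL, 3, 3, bytes(8)),
])

if __name__ == "__main__":
    # python keytab_check.py [xmpp.keytab]  (no argument: use the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    found = parse_keytab(data)
    for e in found:
        print("%-55s kvno=%d %s" % (e["principal"], e["kvno"], e["etype_name"]))
    for p in sorted({e["principal"] for e in found}):
        print("usable for %s: %s" % (p, usable_etypes(found, p)))
```

Run it against the real xmpp.keytab to see exactly which principal names and enctypes are in the file; the principal string must match what is passed to kinit character for character, including the realm in upper case. If the file shows the right principal and an enctype the JVM accepts but kinit then reports "Checksum failed" as in the second trace, the key material itself does not match the account in AD (the keytab was generated with a different password or kvno than the account currently has); this script does not check key material, only its presence and type.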