
SSO not working: "Do not have keys of types listed in default_tkt_enctypes"

Hi,

This drives me crazy! :frowning: For a week I’ve been trying to get SSO to work. I reinstalled the whole Windows Server several times. I tried Windows Server 2008 R2 and Windows Server 2012. I installed them in a VirtualBox VM. I only installed Active Directory (incl. DNS) and then tried to get SSO to work.

So I installed Openfire (3.7.x and also 3.8.x). I tried the Java version included with Openfire and also the latest version of Java.

I used this tutorial: http://community.igniterealtime.org/docs/DOC-1060

And also this one: http://community.igniterealtime.org/docs/DOC-1362

When I call **kinit xmpp/servername.mydomain@REALM -t -k xmpp.keytab** I always get the following error:

```
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
```

Why is no type listed in the error message?

If I open my xmpp.keytab with ktab it shows the xmpp principal, so the keytab file seems to be correct.

I don’t know what to do now, because I can’t find any solution for this error with Google, etc.

Best regards,

Sascha
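The "Do not have keys of types listed in default_tkt_enctypes" error is raised on the client side, before anything reaches the KDC: the Java Kerberos code intersects the key types it read from the keytab with the enctypes it is allowed to use for the initial ticket request (default_tkt_enctypes) and gives up when that intersection is empty. The message lists the keytab's key types after "only have keys of following type:", so an empty list there means no keys were read from the keytab at all. The script below is an added example, not code from this thread or from Openfire: it builds a constructed version-2 MIT keytab in memory, parses it back to show the principals and key types it holds, and then reproduces the intersection check against a list of enctype numbers standing in for default_tkt_enctypes. The principal name, realm, KVNO and key bytes are invented; to inspect a real file, call parse_keytab(open("xmpp.keytab", "rb").read()).

```python
import struct

# Kerberos encryption type numbers (IANA Kerberos enctype registry).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


def _counted(buf, pos):
    """Read a 16-bit big-endian length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def write_keytab(entries):
    """Serialise (realm, components, name_type, kvno, enctype, key) tuples as a
    version-2 MIT keytab. Used here only to construct test data."""
    out = bytearray(b"\x05\x02")  # keytab format version 0x0502
    for realm, components, name_type, kvno, enctype, key in entries:
        body = bytearray()
        body += struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        # 32-bit name type, 32-bit timestamp (0 here), 8-bit kvno
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit kvno, written by modern tools
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, enctype_name} for each live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 2 (0x0502) keytabs are supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot of abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:      # the 32-bit kvno is present and overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
        })
        pos = end
    return entries


def usable_enctypes(entries, default_tkt_enctypes):
    """The check behind the error: which keytab key types may the client use for
    the AS request? An empty result is exactly the failure seen in the thread."""
    have = {e["enctype"] for e in entries}
    return sorted(have & set(default_tkt_enctypes))


if __name__ == "__main__":
    # Constructed keytab: one rc4-hmac key for the xmpp service principal.
    keytab = write_keytab([
        ("DOMAIN.MIRABYTE.COM", ["xmpp", "mserver.domain.mirabyte.com"], 1, 3, 23, b"\x11" * 16),
    ])
    found = parse_keytab(keytab)
    for e in found:
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype_name']}")
    print("usable with DES-only client:", usable_enctypes(found, [1, 3]))      # []
    print("usable with rc4 allowed:    ", usable_enctypes(found, [23, 1, 3]))  # [23]
```

The two calls at the end show the failure mode and its resolution side by side: a client configured for DES types only (1 and 3) has nothing in common with an rc4-hmac (23) keytab, while a client that also permits rc4-hmac can proceed. DES types are deprecated and disabled by default on current systems, so matching the keytab to AES or rc4-hmac on the client is the better fix than re-enabling DES.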

What’s your domain level set to? If it’s 2008R2, then you’ll need to enable DES encryption types, as DES is disabled by default.

On Windows Server 2008R2 I set it to Windows Server 2008R2 and on Windows Server 2012 to Windows Server 2012.

Where do I have to enable DES? I thought AD only supports rc4-hmac? For example ktpass uses rc4-hmac-nt as default for creating the keytab file.

Regards,

Sascha

EDIT:

I reinstalled AD with “Windows Server 2003” as the level, but still the same error.

I also set “Use DES …” for the AD user “xmpp-openfire”. And I set the encryption types for Kerberos with gpedit. But I still get the same error message :frowning:

It’s been a while since I’ve set SSO up on a 2008R2 (and higher) domain. If I have time tomorrow to spin up a couple of servers in a lab, I’ll check it out and let you know what needs to happen.

Thanks a lot for your help! :slight_smile:

I got it working. After enabling DES, etc. I realized that I had the parameters after “kinit” in the wrong order:

Instead of “kinit -t -k xmpp.keytab” it has to be “kinit -k -t xmpp.keytab” (I made this mistake because I also used ktab, and there you have to use “-k” to specify the filename).

Now kinit is working and creates a ticket without prompting for a password, but Openfire is still unable to use SSO:

I fired up a lab today and went through the install process. Hope this helps:

http://community.igniterealtime.org/docs/DOC-2585

Thank you so much for your work! :slight_smile:

Could you please describe in detail what you mean by “Must have PTR record for openfire server”?

My domain is: domain.mirabyte.com

My Servername (Computer) is: mserver

In the settings of Openfire I specified:

xmpp.domain = mserver

xmpp.fqdn = mserver.domain.mirabyte.com

The IP is: 192.168.10.56

I added a Reverse Lookup Zone (10.168.192.in-addr.arpa) and a PTR in this zone (192.168.10.56 and mserver.domain.mirabyte.com)

Where do I have to add another PTR and which values do I have to use?

btw: The host for the PTR is “mserver.domain.mirabyte.com.” (dot at the end!). Is this correct? I did not enter this dot. I don’t know why Windows adds the dot at the end of the hostname field for that PTR.

Regards,

Sascha

EDIT:

When I use ktab to create the keytab file and check the file with kinit, I get the following error:

```
Exception: krb_error 0 Checksum failed No error
KrbException: Checksum failed
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
        at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(Unknown Source)
        at sun.security.krb5.EncryptedData.decrypt(Unknown Source)
        at sun.security.krb5.KrbAsRep.decrypt(Unknown Source)
        at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.resolve(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(Unknown Source)
        at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(Unknown Source)
        ... 9 more
```

It looks like it might be a problem with your keytab. Also, make sure that you only have one user account mapped to the server with an SPN.
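Two of the prerequisites raised in this thread, the PTR record question for mserver.domain.mirabyte.com / 192.168.10.56 and the "only one account mapped to the server with an SPN" advice, can both be checked mechanically. The script below is an added example, not code from the thread or from Openfire, and it works on constructed zone and directory data embedded inline rather than querying DNS or Active Directory: it derives the in-addr.arpa owner name for the address, verifies that the A record and the PTR record point at each other, and scans a made-up set of accounts for a servicePrincipalName registered on more than one of them. In DNS a trailing dot marks an absolute (fully qualified) name, which is why the comparison helper strips it and lower-cases before comparing.

```python
import ipaddress
from collections import defaultdict


def ptr_name(ip):
    """Owner name of the PTR record for an address, e.g. 56.10.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def canonical(name):
    """DNS names compare case-insensitively; a trailing dot only marks an absolute name."""
    return name.rstrip(".").lower()


def check_forward_reverse(fqdn, ip, a_records, ptr_records):
    """Return a list of problems (empty when the A and PTR records agree).

    a_records:   {hostname: ip}            (constructed forward zone data)
    ptr_records: {ptr owner name: target}  (constructed reverse zone data)
    """
    a = {canonical(k): v for k, v in a_records.items()}
    ptr = {canonical(k): canonical(v) for k, v in ptr_records.items()}
    problems = []
    if a.get(canonical(fqdn)) != ip:
        problems.append(f"no A record {fqdn} -> {ip}")
    target = ptr.get(canonical(ptr_name(ip)))
    if target is None:
        problems.append(f"no PTR record for {ip} (expected owner {ptr_name(ip)})")
    elif target != canonical(fqdn):
        problems.append(f"PTR for {ip} points at {target}, not {canonical(fqdn)}")
    return problems


def duplicate_spns(accounts):
    """accounts: {sAMAccountName: [servicePrincipalName, ...]} (constructed data).
    Returns {spn: [accounts]} for every SPN registered on more than one account;
    the KDC cannot pick a key for such an SPN, so tickets for it fail."""
    owners = defaultdict(list)
    for acct, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].append(acct)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed zone data matching the names used in the thread.
    A_RECORDS = {"mserver.domain.mirabyte.com": "192.168.10.56"}
    PTR_RECORDS = {"56.10.168.192.in-addr.arpa.": "mserver.domain.mirabyte.com."}
    print(check_forward_reverse("mserver.domain.mirabyte.com", "192.168.10.56",
                                A_RECORDS, PTR_RECORDS))      # []
    print(check_forward_reverse("mserver.domain.mirabyte.com", "192.168.10.56",
                                A_RECORDS, {}))               # missing PTR

    # Constructed directory data: the service SPN accidentally set on two accounts.
    ACCOUNTS = {
        "xmpp-openfire": ["xmpp/mserver.domain.mirabyte.com"],
        "MSERVER$": ["HOST/mserver", "xmpp/mserver.domain.mirabyte.com"],
    }
    print(duplicate_spns(ACCOUNTS))
```

The PTR owner name is derived from the address, not typed by hand, so the check also catches a reverse zone whose octets were entered in the wrong order; the duplicate-SPN scan is the offline equivalent of comparing the accounts' servicePrincipalName attributes, and a hit there is the first thing to resolve before touching keytabs again.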