Trying to make Windows Server 2016 Active Directory + Kerberos and Java OpenJDK 8 kinit obtain a ticket-granting ticket returns KrbException: Identifier doesn't match expected value (906)
I have two Azure VMs running Windows Server 2016, one at 10.0.1.4 and the other at 10.0.1.7, and I want to obtain a ticket-granting ticket with kinit.
The 10.0.1.4 VM contains an Active Directory with LDAP and a DNS server. The computer name is WinServer2016Fo, so the Active Directory Domain Controller is WinServer2016Fo.corp.demo.com and the Kerberos Key Distribution Center is WINSERVER2016FO.CORP.DEMO.COM, which, as I understand it, is the domain controller name in uppercase.
The 10.0.1.7 VM contains Java OpenJDK 8. The computer name is demoMachine. I have verified with Telnet that I can connect from 10.0.1.7 to WinServer2016Fo.corp.demo.com (10.0.1.4) on port 88 (the port Kerberos uses).
The domain is corp.demo.com. I created a user for that domain, called demoHttp, with password demoHttp.
I have linked the user demoHttp to demoMachine using setspn as follows:
setspn -S HTTP/demoMachine.corp.demo.com demoHttp
Then I created the krb5.keytab as follows:
ktpass -out krb5.keytab -princ HTTP/[email protected] -mapUser demoHttp -mapOp set -pass demoHttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
The krb5.ini on 10.0.1.7 (the demo.corp.demo.com VM):
[libdefaults]
default_realm = CORP.DEMO.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
udp_preference_limit = 1
allor_weak_crypto = true
[realms]
CORP.DEMO.COM = {
kdc = WinServer2016Fo.corp.demo.com:88
default_domain = corp.demo.com
}
[domain_realm]
corp.demo.com = CORP.DEMO.COM
The problem is when I try to run kinit with OpenJDK 8:
kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
It throws the following exception:
PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoMachineHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
>>> Kinit realm name is CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
demoMachine/10.0.1.7
IPv4 address
demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\Users\demoHttp>
Another test:
PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoHttp
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> Kinit realm name is WINSERVER2016FO.CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
demoMachine/10.0.1.7
IPv4 address
demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/[email protected]
Added key: 23version: 44
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
getKDCFromDNS using TCP
>>> KrbKdcReq send: kdc=WinServer2016Fo TCP:88, timeout=30000, number of retries =3, #bytes=246
>>> KDCCommunication: kdc=WinServer2016Fo TCP:88, timeout=30000,Attempt =1, #bytes=246
>>>DEBUG: TCPClient reading 140 bytes
>>> KrbKdcReq send: #bytes read=140
>>> KdcAccessibility: remove WinServer2016Fo
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Wed Sep 30 20:02:17 UTC 2020 1601496137000
suSec is 459157
error code is 68
error Message is null
sname is krbtgt/[email protected]
msgType is 30
Exception: krb_error 68 null (68) null
KrbException: null (68)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 4 more
PS C:\Users\demoHttp>
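The two debug traces above differ in one detail that is easy to miss: the keytab entry that kinit reads carries the realm WINSERVER2016FO.CORP.DEMO.COM (the `KeyTabInputStream, readName()` lines), so the first run, which looks for keys in CORP.DEMO.COM, matches no key at all, while the second run matches the key but asks a KDC in a realm that does not exist. A quick way to check this before involving kinit is to read the keytab directly. The following is an added example, not code from the question or from the JDK: a minimal reader for the MIT keytab format (version 0x0502) in Python, plus the lookup kinit performs (principal, realm and acceptable encryption types). The keytab bytes are constructed in the script to mirror the question's trace (realm WINSERVER2016FO.CORP.DEMO.COM, principal HTTP/demoMachine.corp.demo.com, one RC4-HMAC key of type 23, kvno 44, entry length 95); the 16 key bytes are a zero placeholder, not a real key, and the etype name table is limited to the numbers that appear in the trace.

```python
"""Read an MIT-format keytab and report which realm, principal and enctypes it
holds, then mimic kinit's key lookup.  Added example, not part of the question.
The SAMPLE_KEYTAB at the bottom is CONSTRUCTED to match the question's debug
output; its key material is a zero placeholder."""
import struct
from typing import Dict, List, Sequence

# Etype numbers seen in the question's trace (RFC 3961/3962/4757 assignments).
ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data

def build_entry(realm: str, components: Sequence[str], name_type: int,
                timestamp: int, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialize one keytab entry (int32 size prefix + body), as ktpass/kadmin would."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, time, vno8
    body += struct.pack(">H", etype) + _counted(key)                # keyblock
    return struct.pack(">i", len(body)) + body

def build_keytab(entries: Sequence[bytes]) -> bytes:
    return b"\x05\x02" + b"".join(entries)

def _parse_entry(e: bytes, size: int) -> Dict:
    off = 0
    (ncomp,) = struct.unpack_from(">H", e, off); off += 2

    def counted() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">H", e, off); off += 2
        s = e[off:off + n]; off += n
        return s

    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", e, off); off += 9
    (etype,) = struct.unpack_from(">H", e, off); off += 2
    key = counted()
    kvno = vno8
    if off + 4 <= size:
        # Optional trailing 32-bit kvno; when present and nonzero it wins over vno8.
        (vno32,) = struct.unpack_from(">I", e, off)
        if vno32:
            kvno = vno32
    return {"length": size, "realm": realm, "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type, "timestamp": timestamp, "kvno": kvno,
            "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "key_len": len(key)}

def parse_keytab(blob: bytes) -> List[Dict]:
    """Parse every live entry of a version-0x0502 keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos); pos += 4
        if size < 0:            # negative size = deleted slot of -size bytes
            pos += -size
            continue
        entries.append(_parse_entry(blob[pos:pos + size], size))
        pos += size
    return entries

def keys_for(entries: List[Dict], principal: str, realm: str, wanted: Sequence[int]) -> List[Dict]:
    """The lookup kinit does: same principal, same realm, etype in the allowed list."""
    return [e for e in entries if e["principal"] == f"{principal}@{realm}" and e["etype"] in wanted]

# Constructed sample: mirrors the trace (entry length 95, type 23, kvno 44); key is a placeholder.
SAMPLE_KEYTAB = build_keytab([build_entry("WINSERVER2016FO.CORP.DEMO.COM",
                                          ["HTTP", "demoMachine.corp.demo.com"],
                                          1, 1601496137, 44, 23, bytes(16))])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e['principal']}  kvno={e['kvno']}  etype={e['etype']} ({e['etype_name']})  len={e['length']}")
    for realm in ("CORP.DEMO.COM", "WINSERVER2016FO.CORP.DEMO.COM"):
        hits = keys_for(entries, "HTTP/demoMachine.corp.demo.com", realm, (17, 16, 23))
        print(f"keys usable for realm {realm}: {len(hits)}")
```

Running it against a real file (replace SAMPLE_KEYTAB with the contents of C:\Windows\krb5.keytab) shows at a glance whether the realm stored in the keytab is the one named in default_realm and whether any of the stored etypes is in the list kinit prints as "default etypes for default_tkt_enctypes".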