Reputation: 3679
After setting our domain users to support AES encryption for Kerberos tokens (Windows Server 2008R2), on a web-application server side we get the following exception:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)
Strangely, we have Java 6 (1.6.0_27), which means that AES should be supported, according to this document: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
Any ideas what's missing in our web-application or Java, or third parties? We are using Spring security Kerberos extension (with minimal code modifications to fit into our current Spring 2.x version and additional authentication requirements).
Upvotes: 5
Views: 18254
Reputation: 18405
EDIT (2017-05-06): upcoming JDK versions will have this included. Only a config parameter needs to be set, see JDK-8157561.
Follow this link - Java SE Downloads, scroll down and download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your specific JDK version and follow the process in this tutorial titled: 5.4.2. Kerberos and Unlimited Strength Policy.
The basic steps are as follows:
locate your JDK's security directory (showing Unix below):
$ locate 'jre/lib/security' | grep 'lib/security$'
/usr/java/jdk1.7.0_17/jre/lib/security
/usr/lib/jvm/java-1.5.0-gcj-1.5.0.0/jre/lib/security
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/security
/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.9.x86_64/jre/lib/security
Noting the above, we need to add the downloaded JCE .jar files to /usr/java/jdk1.7.0_17/jre/lib/security.
The JCE .zip file includes the following (showing JDK 1.7's JCE):
$ ls -l UnlimitedJCEPolicy
total 16
-rw-rw-r-- 1 root root 2500 May 31 2011 local_policy.jar
-rw-r--r-- 1 root root 7289 May 31 2011 README.txt
-rw-rw-r-- 1 root root 2487 May 31 2011 US_export_policy.jar
These are the bundled versions with the JDK (again 1.7):
$ ls -l /usr/java/jdk1.7.0_17/jre/lib/security/*.jar
-rw-r--r--. 1 root root 2865 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/local_policy.jar
-rw-r--r--. 1 root root 2397 Mar 1 2013 /usr/java/jdk1.7.0_17/jre/lib/security/US_export_policy.jar
We need to move these out of the way and replace them with the included versions in the JCE .zip file. I typically do the following:
$ pushd /usr/java/jdk1.7.0_17/jre/lib/security/
/usr/java/jdk1.7.0_17/jre/lib/security ~
$ mkdir limited
$ mv *.jar limited/
$ cp ~/UnlimitedJCEPolicy/*.jar .
$ ls -l *.jar
-rw-r--r-- 1 root root 2500 Jun 25 12:50 local_policy.jar
-rw-r--r-- 1 root root 2487 Jun 25 12:50 US_export_policy.jar
Restart anything that's making use of JDK (Tomcat, etc.).
Upvotes: 16
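The manual jar swap in the answer above, written as a script with a backup and an on-disk check (an added example, not the answer author's own commands). It assumes the first argument is the JRE's lib/security directory and the second is the unpacked UnlimitedJCEPolicy directory; for JDKs from 8u151 on, which carry a crypto.policy property in java.security instead of replaceable jars, it sets that property rather than touching jars.

```shell
#!/bin/sh
# Added example, not from the original answer. Automates the swap the answer
# performs by hand and keeps the limited jars aside so the change can be reverted.
# Assumptions: $1 is the JRE's lib/security directory; $2 is the unpacked
# UnlimitedJCEPolicy directory holding local_policy.jar and US_export_policy.jar.

POLICY_JARS="local_policy.jar US_export_policy.jar"

# JDK 8u151 and later select the policy with crypto.policy in java.security
# (the config parameter the answer's EDIT refers to); prefer that when present.
has_crypto_policy_property() {
    [ -f "$1/java.security" ] && grep -q '^#\{0,1\}crypto.policy=' "$1/java.security"
}

install_unlimited_jce() {
    sec_dir=$1
    policy_dir=$2
    if has_crypto_policy_property "$sec_dir"; then
        f="$sec_dir/java.security"
        sed 's/^#\{0,1\}crypto.policy=.*/crypto.policy=unlimited/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        return
    fi
    for jar in $POLICY_JARS; do
        [ -f "$policy_dir/$jar" ] || { echo "missing $policy_dir/$jar" >&2; return 1; }
    done
    mkdir -p "$sec_dir/limited"
    for jar in $POLICY_JARS; do
        # Move the bundled (limited) jar aside, then copy the unlimited one in.
        [ -f "$sec_dir/$jar" ] && mv "$sec_dir/$jar" "$sec_dir/limited/$jar"
        cp "$policy_dir/$jar" "$sec_dir/$jar"
    done
}

# Succeeds only when the unlimited policy is actually in effect on disk.
verify_unlimited_jce() {
    sec_dir=$1
    policy_dir=$2
    if has_crypto_policy_property "$sec_dir"; then
        grep -q '^crypto.policy=unlimited$' "$sec_dir/java.security"
        return
    fi
    for jar in $POLICY_JARS; do
        cmp -s "$sec_dir/$jar" "$policy_dir/$jar" || return 1
    done
}

if [ $# -eq 2 ]; then
    install_unlimited_jce "$1" "$2" && verify_unlimited_jce "$1" "$2" \
        && echo "unlimited policy in effect in $1; restart the JVM (Tomcat etc.)"
fi
```

Run it as root against the security directory that `locate` reported for the JDK your application actually uses, then restart the JVM as the answer says.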