Why is JDK1.8.0u121 unable to find the kerberos default_tkt_enctypes types? (KrbException: no supported default etypes for default_tkt_enctypes)

Question

Following are my environment details:-

KDC Server : Windows Server 2012

Target machine : Windows 7

JDK Version : Oracle 1.8.0_121 (64 bit)

I'm getting the following exception on running the Java's kinit command the on Windows 7 machine :-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Command output in debug mode:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomca
t_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): DEVDEVELOPMENT.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): dev26.devdevelopment.com
>>> KeyTab: load() entry length: 99; type: 18
Looking for keys for: HTTP/[email protected]
Added key: 18version: 3
Exception: krb_error 0 no supported default etypes for default_tkt_enctypes No error
KrbException: no supported default etypes for default_tkt_enctypes
        at sun.security.krb5.Config.defaultEtype(Config.java:844)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:249)
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:262)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Following is the output of the ktpass command on the KDC server (Windows Server 2012) to generate the tomcat_ad.keytab file :-

C:\Users\Administrator>ktpass /out C:\tomcat_ad.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass ****** /crypto AES256-SHA1 ptype KRB5_NT_PRINCIPAL
    Targeting domain controller: dev.devdevelopment.com
    Using legacy password setting method
    Successfully mapped HTTP/dev26.devdevelopment.com to devtcadmin.
    Key created.
    Output keytab to C:\tomcat_ad.keytab:
    Keytab version: 0x502
    keysize 99 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xf20788d7c6f99c385fc91b53c7d9ef55591d314e5340ca1fb9acac1b178c8861)

Following is the content of the krb5.ini file that is at C:\Windows in Windows 7 machine :-

[libdefaults]
default_realm=DEVDEVELOPMENT.COM
default_keytab_name=“C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
default_tkt_enctypes=aes256-cts-hmac-shal-96
default_tgs_enctypes=aes256-cts-hmac-shal-96
permitted_enctypes=aes256-cts-hmac-shal-96
udp_preference_limit=1
forwardable=true

[realms]
DEVDEVELOPMENT.COM={
    kdc=dev.devdevelopment.com:88
}

[domain_realm]
devdevelopment.com=DEVDEVELOPMENT.COM
.devdevelopment.com=DEVDEVELOPMENT.COM

Following is the output of Java's ktab command on Windows 7 machine :-

C:\Program Files\Java\jdk1.8.0_121\bin>ktab -l -e -t -k "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab"
Keytab name: C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab
KVNO Timestamp      Principal
---- -------------- ---------------------------------------------------------------------------------------
   3 1/1/70 5:30 AM HTTP/[email protected] (18:AES256 CTS mode with HMAC SHA1-96)

I have also updated the JCE jar files under C:\Program Files\Java\jre1.8.0_121\lib\security and C:\Program Files\Java\jdk1.8.0_121\jre\lib\security folders.

What should be done to overcome this exception?

EDIT 1 (continued from my 3rd comment) :-

Following is the output of the first knit command with the tomcat_ad.keytab file in the C:\Program Files\Java\jre1.8.0_121\bin folder:-

C:\Program Files\Java\jdk1.8.0_121\bin>kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

And, following is the output of the kinit command with the tomcat_ad.keytab file in the C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab folder and after appending the C:\Program Files\Java\jdk1.8.0_121\bin; in the path environment variable:-

C:\Users\devtcadmin>kinit -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tomcat_ad.keytab" HTTP/[email protected]
New ticket is stored in cache file C:\Users\devtcadmin\krb5cc_devtcadmin

BUT the kinit command in the debug mode this time gives out the following exception :-

C:\Users\devtcadmin>kinit -J-Dsun.security.krb5.debug=true -k -t "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab" HTTP/[email protected]
>>>KinitOptions cache name is C:\Users\devtcadmin\krb5cc_devtcadmin
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\tomcat_ad.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is DEVDEVELOPMENT.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for dev26 are:

        dev26/192.168.1.229
IPv4 address

        dev26/fe80:0:0:0:78ae:388f:4f63:3717%11
IPv6 address
>>> KdcAccessibility: reset
Looking for keys for: HTTP/[email protected]
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:  No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)

Why do the above commands work after commenting those lines in the C:\Windows\krb5.ini file? And why the kinit command in the debug mode output the above exception?

Answer 1

I've seen this before. Try this. Copy the keytab into the C:\Program Files\Java\jdk1.8.0_121\bin directory and try again with the simpler command shown below from within that directory. You don't need to append the Kerberos realm to the SPN since you have the realm defined already in krb5.conf, so I removed it.

kinit -k -t tomcat_ad.keytab HTTP/dev26.devdevelopment.com

If it still doesn't work, be sure you really do have the unlimited strength JCE jar files inside the \lib\security directory. Although you said you did, a Java JRE upgrade can overwrite them.

EDIT: On the Account tab of the AD user account devtcadmin, ensure the box "This account supports Kerberos AES 256 bit encryption" is checked.

If it still doesn't work, then on the Windows 7 machine, in C:\Windows\krb5.conf, comment out the four below lines as shown. They are not required, as Kerberos is going to use the highest possible encrytpion types anyway, and in Windows 7/2008 and above, TCP is used by default so you do not need to set the UDP preference limit.

#default_tkt_enctypes=aes256-cts-hmac-shal-96
#default_tgs_enctypes=aes256-cts-hmac-shal-96
#permitted_enctypes=aes256-cts-hmac-shal-96
#udp_preference_limit=1

Take a quick glance at my TechNet article for further reference on this: Kerberos Keytabs – Explained

Answer 2

I saw a similar issue when trying to use the JDK's Kerberos support from a Windows Server 2012R2 as a client with a Linux server that was still using a 'legacy' keytab. The error I was seeing was:

KrbException: no supported default etypes for default_tkt_enctypes

To fix this interoperability issue I looked at the OpenJDK source and found a setting in EType.java called allow_weak_crypto:

Adding this setting to my krb5.conf solved the issue for me:

[libdefaults]
       allow_weak_crypto = true