Kerberos - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
We also got an Invalid argument (400) - Cannot find key of appropriate type to decrypt ... error.
This can simply be thrown if the path to the keytab is wrong (in our case, we forgot we got a docker volume mapping there).
So, be sure the keytab path is the right one, as this could fire this weird exception.
It turned out the error above resulted from two problems:
The service principal in the spring configuration was wrong. It was [email protected], but HTTP/[email protected] is correct.
The Kvno in the keytab was not identical with the Kvno stored in the Active Directory. As stated on https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html Active Directory is raising the Kvno with every execution of ktpass. However, I wasn't able to find the value (msDS-KeyVersionNumber) for it in our AD and could only grab it from the request.
To summarize, the 'Cannot find key of appropriate type to decrypt ...' error can result from one of the following problems:
- The service principal in the spring security configuration is not identical with that from the keytab (param /princ from ktpass).
- There is no key for the enctype the AD has sent the ticket with (param /crypto from ktpass and set in the krb5.conf/permitted_enctypes+default_tkt_enctypes).
- The Kvno from the ticket is different than the Kvno in the keytab (param /kvno from ktpass).
- The path to the keytab is wrong (see answer from Xavier Portebois).
- The process does not have permissions to read the keytab (see comment from user7610).
This can also be thrown if you're using Active Directory as the KDC and the keytab user is configured for a different encryption setting than your keytab is using. In my case AES 128 was configured and I was expecting AES 256. A simple change of the configuration within AD resolved the issue.
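The causes listed in the summary above (wrong principal, missing enctype, kvno mismatch, wrong path, unreadable file) and the AES 128 vs AES 256 mismatch in the answer just before this can all be checked against the keytab itself before touching the Spring configuration. The following script is an added example, not code from any of the answers: it parses an MIT-format keytab (version 0x0502), compares its entries with the service principal, kvno and enctype observed in the incoming ticket, and names which listed cause applies. The keytab bytes and the ticket values are constructed in memory for illustration; HTTP/app.example.com@EXAMPLE.COM is a made-up principal.

```python
"""Added diagnostic for the 'Cannot find key of appropriate type' causes (not from the answers)."""
import os
import struct

# Registered enctype numbers (RFC 3961 / RFC 4757); 23 is the RC4-HMAC type from the title.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [{principal, kvno, enctype}, ...] from MIT keytab bytes (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 8                           # uint32 name type + uint32 timestamp
        vno8 = data[off]
        enctype, klen = struct.unpack_from(">HH", data, off + 1)
        off += 5 + klen                    # skip the key material itself
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno, used when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        off = end
    return entries


def build_keytab(entries):
    """Construct keytab bytes from (principal, kvno, enctype, key) tuples (for the sample only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose_entries(entries, ticket_principal, ticket_kvno, ticket_enctype):
    """Return [] when a usable key exists, else [(cause, detail), ...] matching the list above."""
    same_princ = [e for e in entries if e["principal"] == ticket_principal]
    if not same_princ:
        have = sorted({e["principal"] for e in entries})
        return [("principal", "ticket is for %s, keytab has %s" % (ticket_principal, have))]
    name = lambda t: ENCTYPE_NAMES.get(t, str(t))
    problems = []
    if not any(e["enctype"] == ticket_enctype for e in same_princ):
        have = sorted({name(e["enctype"]) for e in same_princ})
        problems.append(("enctype", "ticket uses %s, keytab has %s" % (name(ticket_enctype), have)))
    if not any(e["kvno"] == ticket_kvno for e in same_princ):
        have = sorted({e["kvno"] for e in same_princ})
        problems.append(("kvno", "ticket kvno %d, keytab has %s (re-run of ktpass?)" % (ticket_kvno, have)))
    if not problems and not any(e["kvno"] == ticket_kvno and e["enctype"] == ticket_enctype
                                for e in same_princ):
        problems.append(("kvno", "no entry combines kvno %d with %s" % (ticket_kvno, name(ticket_enctype))))
    return problems


def diagnose(keytab_path, ticket_principal, ticket_kvno, ticket_enctype):
    """File-level checks (wrong path, unreadable file) before comparing the entries."""
    if not os.path.isfile(keytab_path):
        return [("path", "keytab not found at %s" % keytab_path)]
    if not os.access(keytab_path, os.R_OK):
        return [("permission", "process cannot read %s" % keytab_path)]
    with open(keytab_path, "rb") as fh:
        return diagnose_entries(parse_keytab(fh.read()), ticket_principal, ticket_kvno, ticket_enctype)


# Constructed sample: one principal, kvno 3, AES-256 and AES-128 keys only (no RC4 key).
SAMPLE_KEYTAB = build_keytab([("HTTP/app.example.com@EXAMPLE.COM", 3, 18, b"k" * 32),
                              ("HTTP/app.example.com@EXAMPLE.COM", 3, 17, b"k" * 16)])

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(suffix=".keytab", delete=False) as tmp:
        tmp.write(SAMPLE_KEYTAB)
    for princ, kvno, enc in [("HTTP/app.example.com@EXAMPLE.COM", 3, 23),   # RC4 ticket, AES-only keytab
                             ("app@EXAMPLE.COM", 3, 18),                    # principal typo in config
                             ("HTTP/app.example.com@EXAMPLE.COM", 4, 18),   # kvno bumped by ktpass
                             ("HTTP/app.example.com@EXAMPLE.COM", 3, 18)]:  # matching key
        print(princ, kvno, ENCTYPE_NAMES.get(enc), "->", diagnose(tmp.name, princ, kvno, enc) or "OK")
    os.unlink(tmp.name)
```

The ticket-side values (service principal, kvno, enctype) are the ones the poster above says had to be grabbed from the request; in a real run they come from the AP-REQ, and the keytab path is the one the application actually resolves at runtime, which is exactly what the volume-mapping and classpath problems on this page get wrong.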
If you are using Spring Boot then please pay attention to how you specify the keytab file.
Note that with classpath: it will work when you run spring-boot:run; however, it won't when you run java -jar xyz.jar, because JAAS can't read it from the classpath.
So please prefer file: while specifying the keytab file path.
(This is typical case when you use docker to package and run your application)