If you see this SSO Agent Java Error:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
then the advice in this article may apply to you, especially the last few paragraphs regarding differences between LDAP and Kerberos user IDs.
In order to configure the SSO Agent to successfully interact with a KDC that only supports AES256 as an encoding type for tickets it is necessary to carefully observe some prerequisites.
Java Cryptographic Extensions
First of all, your Java environment must support AES256. This is standard in OpenJDK JRE distributions, but Oracle Java ("JDK 8, 7, and 6 updates earlier than 8u161, 7u171, and 6u16") requires the installation of the Java Cryptographic Extensions. Some more details are available at the following pages:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157
https://www.oracle.com/java/technologies/javase-jce-all-downloads.html
Active Directory Settings
Ensure the SPN is registered correctly to the service account and that there are no SPNs registered to the host machine itself. Use setspn -L to confirm this.
Ensure the Active Directory settings for the service account support the AES encryption types. This is set in AD under the property 'msDS-SupportedEncryptionTypes' as an unsigned integer value representing a bitfield (plenty of information on this is available online).
SSO Agent Settings
Your krb5.conf file should have your encryption types specified. Order denotes preference here, so list AES256 first:
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
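The two settings above have to agree: the service account's msDS-SupportedEncryptionTypes bitfield must include AES256, and the agent's krb5.conf must prefer it. The following is an added example (not part of this article or the SSO Agent) that decodes the bitfield using the bit values documented in MS-KILE and checks the three krb5.conf enctype lines against it; the sample krb5.conf text is constructed from the lines above.

```python
"""Check that an AD service account and a krb5.conf agree on AES256 (added example)."""
import re

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE section 2.2.7).
ENCTYPE_BITS = {
    "des-cbc-crc": 0x1,
    "des-cbc-md5": 0x2,
    "arcfour-hmac": 0x4,
    "aes128-cts-hmac-sha1-96": 0x8,
    "aes256-cts-hmac-sha1-96": 0x10,
}
AES256 = "aes256-cts-hmac-sha1-96"
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the three lines recommended in this article, inside [libdefaults].
SAMPLE_KRB5_CONF = """[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
"""

def decode_supported_enctypes(value):
    """Return the enctype names whose bits are set in an msDS-SupportedEncryptionTypes value."""
    return [name for name, bit in ENCTYPE_BITS.items() if value & bit]

def parse_krb5_enctypes(conf_text):
    """Return {key: [enctype, ...]} in listed order; MIT krb5 accepts comma or space separators."""
    result = {}
    for key in ENCTYPE_KEYS:
        m = re.search(r"^\s*" + key + r"\s*=\s*(.+)$", conf_text, re.MULTILINE)
        if m:
            result[key] = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if t]
    return result

def check_aes256_alignment(ad_value, conf_text):
    """Return a list of problems; an empty list means AD and the agent config both prefer AES256."""
    problems = []
    if AES256 not in decode_supported_enctypes(ad_value):
        problems.append("service account does not advertise AES256 (msDS-SupportedEncryptionTypes=0x%x)" % ad_value)
    enctypes = parse_krb5_enctypes(conf_text)
    for key in ENCTYPE_KEYS:
        names = enctypes.get(key)
        if not names:
            problems.append("%s is missing from krb5.conf" % key)
        elif names[0] != AES256:
            problems.append("%s does not list AES256 first: %s" % (key, names))
    return problems

if __name__ == "__main__":
    for problem in check_aes256_alignment(0x18, SAMPLE_KRB5_CONF) or ["OK: AD and krb5.conf agree on AES256"]:
        print(problem)
```

Read the live attribute value with the directory tooling you already use and pass it in place of the constructed 0x18 (AES128 + AES256).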
In sso-agent.conf, ensure your Kerberos user ID is purely the user ID. So whereas your LDAP user may require additional domain parameters, the Kerberos user does not.
e.g. LDAP user ‘DOMAIN\\USER_ID’
Kerberos user ‘USER_ID’
Troubleshooting Tips:
- Kerberos tickets are issued by the domain controller (usually Active Directory)
- If no ticket is being issued, please check the controller (Active Directory config)
- If the wrong sort of ticket is being issued (e.g. NTLM ticket or RC4 ticket when AES is required), edit the configuration of the controller (Active Directory config)
- If the right sort of ticket is being issued but the SSO-Agent cannot use it, please fix the SSO agent config or its run-time environment
- If you don't know which of these applies, run klist on the client machine that cannot authenticate