If you see this SSO Agent Java Error:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
then the advice in this article may apply to you, especially the last few paragraphs regarding differences between LDAP and Kerberos user IDs.
In order to configure the SSO Agent to successfully interact with a KDC that only supports AES256 as an encoding type for tickets it is necessary to carefully observe some prerequisites.
Java Cryptographic Extensions
First of all your Java environment must support AES256. This is standard in OpenJDK JRE distributions but Oracle Java ("JDK 8, 7, and 6 updates earlier than 8u161, 7u171, and 6u16") require the installation of Java Cryptographic Extensions. Some more details are available at the following pages:
Active Directory Settings
Ensure the SPN is registered correctly to the service account and there are no SPNs registered to the host machine itself. Use setspn –L to confirm this
Ensure Active Directory settings for the service account support the encryption types for AES. This is set in AC under the property ‘msDS-SupportedEncryptionTypes’ As an unsigned integer value representing a bitfield (plenty information on this available online).
SSO Agent Settings
Your krb5.conf file should have your encryption types specified. Order denotes preference here so AES256 first
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
In sso-agent.conf ensure your Kerberos user ID is purely the user ID. So where as your LDAP user may require additional domain parameters, the Kerberos user does not.
e.g. LDAP user ‘DOMAIN\\USER_ID’
Kerberos user ‘USER_ID’
- Kerberos tickets are issued by the domain controller (usually Active Directory)
- If no ticket is being issued, please check the controller (Active Directory config)
- If the wrong sort of ticket is being issued (e.g. NTLM ticket or RC4 ticket when AES is required), edit the configuration of the controller (Active Directory config)
- If the right sort of ticket is being issued but the SSO-Agent cannot use it, please fix the SSO agent config or its run-time environment
- If you don't know which of these applies, run
kliston the client machine that cannot authenticate