Warning: if you see errors like this:
java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
then the advice in this article may apply to you, especially the last few paragraphs regarding differences between LDAP and Kerberos user IDs.
In order to configure the SSO Agent to interact successfully with a KDC that only supports AES256 as an encryption type for tickets, it is necessary to observe the following prerequisites carefully.
Java Cryptographic Extensions
First of all, your Java environment must support AES256. This is standard in OpenJDK JRE distributions, but Oracle Java ("JDK 8, 7, and 6 updates earlier than 8u161, 7u171, and 6u16") requires the installation of the Java Cryptography Extension (JCE) unlimited-strength policy files. Some more details are available at the following pages:
Active Directory Settings
Ensure the SPN is registered correctly to the service account and that no SPNs are registered to the host machine itself. Use setspn -L <account> to confirm this.
Ensure the Active Directory settings for the service account allow the AES encryption types. This is set in AD on the account's ‘msDS-SupportedEncryptionTypes’ attribute, an unsigned integer that is interpreted as a bitfield (plenty of information on this is available online).
SSO Agent Settings
Your krb5.conf file should have the encryption types specified explicitly. Order denotes preference here, so list AES256 first:
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
In sso-agent.conf, ensure your Kerberos user ID is purely the user ID. Whereas your LDAP user may require additional domain qualifiers, the Kerberos user does not, e.g.:
e.g. LDAP user ‘DOMAIN\\USER_ID’
Kerberos user ‘USER_ID’
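The three checks above (the msDS-SupportedEncryptionTypes bitfield, the enctype order in krb5.conf, and the bare Kerberos user ID) can be verified before restarting the agent. The following Python script is an added example written for this article; it is not part of the SSO Agent or of the original page. The bit values for msDS-SupportedEncryptionTypes are the ones documented in MS-KILE (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256); the krb5.conf text and the attribute values fed to it here are constructed samples, so substitute your own.

```python
"""Added diagnostic for the AES256-only KDC checklist above (not project code)."""
import re

# Bit flags of msDS-SupportedEncryptionTypes as documented in MS-KILE.
# Higher bits (FAST/claims-related flags) are deliberately ignored here.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
AES256 = "aes256-cts-hmac-sha1-96"
KRB5_ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def decode_supported_enctypes(value):
    """Return the enctype names enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def account_supports_aes256(value):
    """True if the service account's attribute has the AES256 bit (0x10) set."""
    return bool(value & 0x10)


def parse_krb5_enctypes(text):
    """Extract the three enctype lists from krb5.conf text as {key: [enctype, ...]}.

    krb5.conf accepts comma- or whitespace-separated lists; '#' starts a comment.
    """
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(.+)", line)
        if m and m.group(1) in KRB5_ENCTYPE_KEYS:
            items = re.split(r"[,\s]+", m.group(2))
            result[m.group(1)] = [e for e in items if e]
    return result


def krb5_problems(enctypes):
    """List findings: a key missing, AES256 absent from it, or AES256 not listed first."""
    problems = []
    for key in KRB5_ENCTYPE_KEYS:
        lst = enctypes.get(key)
        if lst is None:
            problems.append(f"{key}: not set")
        elif AES256 not in lst:
            problems.append(f"{key}: {AES256} missing")
        elif lst[0] != AES256:
            problems.append(f"{key}: {AES256} not first (got {lst[0]})")
    return problems


def kerberos_user_from_ldap(ldap_user):
    """Strip a DOMAIN\\ prefix or @REALM suffix: the Kerberos user ID is the bare ID."""
    user = ldap_user.rsplit("\\", 1)[-1]
    return user.split("@", 1)[0]


# Constructed sample krb5.conf: two of the three lists are wrong on purpose.
SAMPLE_KRB5 = """[libdefaults]
    default_realm = EXAMPLE.COM   # constructed sample realm
    default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
    default_tgs_enctypes = arcfour-hmac,aes256-cts-hmac-sha1-96
    permitted_enctypes = arcfour-hmac aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    sample_attr = 0x1C  # constructed: RC4 + AES128 + AES256 enabled
    print("account enctypes:", decode_supported_enctypes(sample_attr))
    print("AES256 allowed:", account_supports_aes256(sample_attr))
    for p in krb5_problems(parse_krb5_enctypes(SAMPLE_KRB5)):
        print("krb5.conf:", p)
    print("kerberos user:", kerberos_user_from_ldap("DOMAIN\\USER_ID"))
```

Run it against your own krb5.conf contents and the attribute value read from AD; an empty list from krb5_problems and a True from account_supports_aes256 mean the client and the account agree on AES256, leaving only the user-ID format to check.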