How to create a Kerberos keytab file
with support for AES128 or AES256
How to enable AES256 support in the JVM
This addendum replaces
PDF: FirstSpirit Manual for Administrators
Chapter: 4.3.4.5 Kerberos ticket (integrated Windows login)
Paragraph: Creating the Kerberos-Keytab file in the example under Microsoft Active Directory
Notes
- FirstSpirit Server requires Java 1.8.0_51 or newer for Kerberos if Java 8 is used: Java bug 8078439, blog post
- In some Active Directory environments, depending on the Active Directory configuration, Internet Explorer 11 on Windows 7 and Windows 8 sends tickets of the new NEGOEX standard, which is currently not supported by Java 7 and 8 (bugs 8068516 and 6773898). Workaround: use Chrome, Firefox or Internet Explorer in compatibility mode in these environments.
Problem:
If Kerberos SPNEGO based authentication is enabled and configured in FirstSpirit and the following error message is written to firstspirit5/log/fs-server.log or tomcat/log/firstspirit.log, AES256 support is not enabled in the JVM used for FirstSpirit or Tomcat:
ERROR 01.02.2013 12:34:00.000 (de.espirit.firstspirit.server.authentication.KerberosLoginModule):
login failed! Failure unspecified at GSS-API level
(Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
If the following error message is written to firstspirit5/log/fs-server.log or tomcat/log/firstspirit.log, the SPN entries for the encryption types AES128 or AES256 are missing from the keytab file referenced in firstspirit5/conf/fs-jaas.conf:
ERROR 01.02.2013 12:34:00.000 (de.espirit.firstspirit.server.authentication.KerberosLoginModule):
login failed! Defective token detected
(Mechanism level: GSSHeader did not find the right tag)
Solution:
To create the file on a Kerberos server in a Microsoft Active Directory Domain, Windows Support Tools must be installed; they are supplied by Microsoft on the installation media of the operating system or can be downloaded from http://microsoft.com.
First, a normal user account has to be created on the Windows Domain Controller. This account must not be used for any service other than this keytab file, because its password is changed in this process and any further password change would invalidate the keytab file. The account does not need to be assigned to any groups. To mark the user name as a technical account for the Kerberos based service, a good naming pattern is HOSTNAME-PROTOCOL; in this example elstar-HTTP is used. Use "http" also for "https". For the password, just enter any random text, as it is overwritten in the next step. The parameters of the user account must be set as follows:
- password never expires: enabled
- user cannot change password: enabled
- do not trust user for delegation: enabled (not required for FirstSpirit, but increases security)
- use DES encryption for this account: DISABLED
- support for AES128: enabled (if you want to allow encryption with 128 bit key length)
- support for AES256: enabled (if you need encryption with 256 bit key length)
Screenshot while changing the user parameters:

Next, the SPN record is created, bound to the previously created user account and exported as a keytab file. Unlike the previous FirstSpirit documentation, we do not create a keytab file with just one encryption method, but a combined file which contains SPN private keys for every encryption method supported within this Kerberos realm. All these actions are performed automatically on the Windows Domain Controller by the command-line tool ktpass.exe from the Windows Support Tools:
ktpass -princ HTTP/elstar.mydomain.net@MYDOMAIN.NET +rndpass -mapuser elstar-HTTP -crypto ALL -ptype KRB5_NT_PRINCIPAL -out elstar-http.keytab
Note that elstar-HTTP is the sample user account name written as one single word, not two parameters like "elstar -http".
Documentation for ktpass.exe: http://technet.microsoft.com/de-de/library/cc779157(v=ws.10).aspx
If the version of ktpass used does not provide +rndpass, a manually entered random password can be used instead via -pass PASSWORT.
Restricting the keytab to a single encryption type by changing the parameter -crypto from ALL to RC4-HMAC-NT or AES256-SHA1 is not possible, because at least Windows 2008 R2 would then offer a wrongly encoded ticket to the client.
Only one SPN record can be mapped to a user account, so you need to create multiple user accounts for hosts with many virtual web server names.
For error analysis, the list of all service principal names of the user account can be displayed as follows; it should show one entry only:
setspn -l elstar-HTTP
To remove an SPN from a user account:
setspn -d HTTP/elstar.mydomain.net elstar-HTTP
The keytab file created with ktpass.exe must now be copied to the FirstSpirit server or the external application server, to the path given in fs-jaas.conf in the keyTab parameter, for instance /opt/firstspirit5/conf/elstar-HTTP.keytab.
The entries in the keytab file can be listed and checked with the following commands:
Unix:
klist -ke elstar-HTTP.keytab
kinit -V -k -t elstar-HTTP.keytab HTTP/elstar.mydomain.net@MYDOMAIN.NET
Windows:
"c:\program files\java\jdk1.7.0_51\bin\ktab" -l -e -k elstar-HTTP.keytab
Mac OS X:
ktutil -k elstar-HTTP.keytab list
As a result, a list of all encryption types, all with the same KVNO (key version number), should be shown.
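The check described above (one keytab entry per encryption type, all with the same KVNO) can also be automated, which is useful when the "Defective token detected" error from the Problem section points at a keytab without AES entries. The following is an added example, not part of the FirstSpirit documentation: a parser for the keytab format that ktpass writes, plus a check that the SPN has AES128 and AES256 keys and that the key version numbers agree. The sample keytab is constructed by the script itself from the page's SPN with dummy key bytes; the function names are my own.

```python
import struct
from collections import namedtuple
Entry = namedtuple("Entry", "principal etype kvno key")  # etype: 17 = AES128, 18 = AES256, 23 = RC4

def _parse_entry(buf):
    ncomp = struct.unpack_from(">H", buf, 0)[0]
    parts, off = [], 2
    for _ in range(ncomp + 1):  # realm first, then the principal's name components (counted strings)
        n = struct.unpack_from(">H", buf, off)[0]
        parts.append(buf[off + 2:off + 2 + n].decode())
        off += 2 + n
    _name_type, _timestamp, vno8, etype, klen = struct.unpack_from(">IIBHH", buf, off)
    key, off = buf[off + 13:off + 13 + klen], off + 13 + klen
    kvno = vno8  # a trailing 32-bit kvno, when present and non-zero, overrides the 8-bit field
    if len(buf) - off >= 4:
        kvno = struct.unpack_from(">I", buf, off)[0] or vno8
    return Entry("/".join(parts[1:]) + "@" + parts[0], etype, kvno, key)

def parse_keytab(data):  # format 0x0502 (big-endian), as written by ktpass, kadmin and ktutil
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)  # a negative size marks a deleted entry (hole) that is skipped
    return entries

def check_keytab(entries, principal, required=(17, 18)):  # [] means AES128/AES256 present, KVNOs agree
    mine = [e for e in entries if e.principal == principal]
    present, kvnos = {e.etype for e in mine}, {e.kvno for e in mine}
    findings = ["missing etype %d" % t for t in required if t not in present]
    if len(kvnos) > 1:
        findings.append("KVNO differs between entries: %s" % sorted(kvnos))
    return findings

def build_keytab(entries):  # inverse of parse_keytab; used here only to construct sample input
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.split("@")
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
        body += struct.pack(">IIBHH", 1, 0, e.kvno & 0xFF, e.etype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return out

SPN = "HTTP/elstar.mydomain.net@MYDOMAIN.NET"  # the SPN from this page; sample keys below are dummy bytes
SAMPLE = build_keytab([Entry(SPN, t, 3, bytes([t]) * 16) for t in (23, 17, 18)])  # constructed, not real
```

On a real file, call check_keytab(parse_keytab(open(path, "rb").read()), "HTTP/host@REALM"); an empty list corresponds to the klist/ktab output described above.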
Now continue with the configuration of the file firstspirit5/conf/fs-jaas.conf as shown in chapter 4.3.4.5 Kerberos ticket (integrated Windows login).
After configuring fs-jaas.conf, continue with the activation of AES256 for the JVM as described in the next paragraph:
How to enable AES256 support in the JVM
Oracle Java is by default limited to 128 bit key lengths for AES and other encryption algorithms. To enable larger key lengths such as 256 bit, the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" are required (for Java 7 from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, for Java 8 from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html). They need to be installed into the Java installation used for the FirstSpirit Server and, if an external web application server is used, into that installation as well. The installation instructions are given in the file README.txt of the download package.
The installation is only required on the server, not on the clients, as the Kerberos authentication on the client is done by the web browser, not the JRE.
To check which Kerberos ticket encryption types are supported by your JVM, use the following Java program:
KerberosEncryptionTypes.java:
/*
 Lists all Kerberos ticket encryption types this JVM supports.
 If the requested type is missing, install the
 "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files":
 http://oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
 compile: javac KerberosEncryptionTypes.java
 start:   java KerberosEncryptionTypes
 source:  https://community.oracle.com/thread/1527582?tstart=-4
*/
import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.EncryptionKey;

class KerberosEncryptionTypes {
    public static void main(String[] args) throws Exception {
        // EType.getBuiltInDefaults() returns the etype numbers the JVM's Kerberos implementation can use
        for (int i : EType.getBuiltInDefaults()) {
            String t = EType.getInstance(i).toString();
            String e = "?";
            switch (i) {
                case 1: case 3: e = "DES"; break;
                case 16: e = "DESede"; break;
                case 17: e = "AES128"; break;
                case 18: e = "AES256"; break;
                case 23: e = "ArcFourHmac"; break;
            }
            System.out.print("EType: (" + i + ") " + e + " " + t);
            // Deriving a key from a dummy password fails if the algorithm is not enabled (e.g. AES256 without the JCE policy files)
            System.out.println(new EncryptionKey("test".toCharArray(), "test", e));
        }
    }
}