isenberg

Addendum for Manual for Administrators: no error message on wrong Kerberos keytab path

This addendum extends

    PDF: FirstSpirit Manual for Administrators

    Chapter: 4.3.4.5 Kerberos ticket (integrated Windows login)

Problem:

If Kerberos SPNEGO-based authentication is enabled and configured in FirstSpirit and the following error message is written to firstspirit5/log/fs-server.log while log level DEBUG is enabled, the most likely cause is a wrong path to the keytab file given in firstspirit5/conf/fs-jaas.conf:

DEBUG 21.03.2014 12:34:00.000 (de.espirit.firstspirit.server.authentication.KerberosLoginModule):
received SPNEGO Authorization-Header: Negotiate YIIJW...

ERROR 21.03.2014 12:34:00.001 (de.espirit.firstspirit.server.authentication.KerberosLoginModule):
login failed! Failure unspecified at GSS-API level
(Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)

or the following when using an Arcfour encrypted ticket:

ERROR 21.03.2014 12:34:00.001 (de.espirit.firstspirit.server.authentication.KerberosLoginModule):
login failed! Failure unspecified at GSS-API level
(Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP -
RC4 with HMAC)


Please note that the very same error message can also be caused by the keytab file and the related entry on the KDC having been created with different passwords.

To verify that Java reads the path name of the keytab file correctly, enable Kerberos debugging in firstspirit5/conf/fs-jaas.conf by changing the parameter debug="false" to debug="true" in the section com.sun.security.jgss.accept, then observe the log output after restarting the FirstSpirit server and reloading the FirstSpirit start page from a Kerberos-enabled browser on another client system. On each login on the start page, the log should contain a line similar to the following:

INFO   | jvm 1    | 2014/04/02 12:34:00 | Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:/FirstSpirit5/conf/elstar-http.keytab refreshKrb5Config is false principal is HTTP/elstar.e-spirit.de@E-SPIRIT.DE tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Note that "KeyTab is" only means that the filename was read from the configuration file fs-jaas.conf. Unfortunately, it gives no information about whether that file was read successfully, for instance if the access permissions on the file are wrong.

Solution:

Check that the path to the keytab file given in the log message is correct and that the file is readable by the user FirstSpirit is started as: on Windows usually "SYSTEM", on Unix "fs5".

On Windows, use / instead of \ as the path separator!
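The two checks above (is the keytab readable by the service user, and does it hold a key of the encryption type the client ticket uses) as an added Python script; this is not part of the manual or of FirstSpirit, it assumes the keytab is in the MIT version 2 format, that it is run as the FirstSpirit service user, and the principal HTTP/elstar.e-spirit.de@E-SPIRIT.DE from the log line above is only a sample value:

```python
import os
import struct
AES256_CTS_HMAC_SHA1_96, RC4_HMAC = 18, 23  # enctype numbers (RFC 3961, RFC 4757)

def _counted_string(buf, p):        # 16-bit big-endian length, then the bytes
    (n,) = struct.unpack(">H", buf[p:p + 2])
    return buf[p + 2:p + 2 + n].decode("utf-8"), p + 2 + n

def _parse_entry(e):                # one keytab entry -> (principal, enctype)
    (ncomp,) = struct.unpack(">H", e[:2])
    realm, p = _counted_string(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted_string(e, p)
        comps.append(c)
    p += 9                          # skip uint32 name_type, uint32 timestamp, uint8 vno
    return "/".join(comps) + "@" + realm, struct.unpack(">H", e[p:p + 2])[0]

def parse_keytab(data):
    """Parse an MIT-format keytab (magic 0x0502); return [(principal, enctype)]."""
    assert data[:2] == b"\x05\x02", "not a version 2 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])   # negative: deleted slot
        if size > 0:
            entries.append(_parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)
    return entries

def make_keytab(principal, keys, kvno=1):
    """Build a version 2 keytab holding keys = [(enctype, key_bytes)]; test input only."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    head = struct.pack(">H", len(parts) - 1)
    for s in parts:
        head += struct.pack(">H", len(s)) + s.encode()
    out = b"\x05\x02"
    for enctype, key in keys:
        body = head + struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

def check_keytab(path, principal, enctype):
    """The manual check as code: readable by the current user, and a key of the client's enctype."""
    if not os.access(path, os.R_OK):
        return "keytab missing or not readable by current user: " + path
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    if (principal, enctype) in entries:
        return "ok"
    return "no enctype %d key for %s; keytab holds %s" % (enctype, principal, sorted(set(entries)))
```

A keytab holding only an RC4 key for the service principal reproduces the AES256 case of the error above: the script then reports that no enctype 18 key exists for the principal.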