4

Trying to make Java OpenJDK 8 kinit obtain a ticket-granting ticket from Windows Server 2016 Active Directory + Kerberos returns KrbException: Identifier doesn't match expected value (906)

I have two Azure VMs, one at 10.0.1.4 and the other at 10.0.1.7, and I want to obtain a ticket-granting ticket with kinit against Windows Server 2016.

The 10.0.1.4 VM contains an Active Directory with LDAP and a DNS server. The computer name is WinServer2016Fo, so the Active Directory domain controller is WinServer2016Fo.corp.demo.com and the Kerberos Key Distribution Center is WINSERVER2016FO.CORP.DEMO.COM, which, as I understand it, is the domain controller name, all in uppercase.

The 10.0.1.7 VM contains Java OpenJDK 8. The computer name is demoMachine. I have verified with Telnet that I can connect from 10.0.1.7 to WinServer2016Fo.corp.demo.com (10.0.1.4) on port 88 (the port Kerberos uses).

The domain is corp.demo.com. I created a user for that domain called demoHttp, with password demoHttp.

I have linked the user demoHttp to demoMachine using setspn as follows:

setspn -S HTTP/demoMachine.corp.demo.com demoHttp

Then I created the krb5.keytab as follows:

ktpass -out krb5.keytab -princ HTTP/demoMachine.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM -mapUser demoHttp -mapOp set -pass demoHttp -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

The krb5.ini on the 10.0.1.7 VM (demo.corp.demo.com):

[libdefaults]
    default_realm = CORP.DEMO.COM
    default_keytab_name = FILE:c:\Windows\krb5.keytab
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    forwardable = true
    renewable = true
    noaddresses = true
    clockskew = 300
    udp_preference_limit = 1
    allow_weak_crypto = true

[realms]
    CORP.DEMO.COM = {
        kdc = WinServer2016Fo.corp.demo.com:88
        default_domain = corp.demo.com
    }

[domain_realm]
    corp.demo.com = CORP.DEMO.COM

The problem is when I try to run kinit with OpenJDK 8:

kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com

It throws the following exception:

PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/demoMachine.corp.demo.com
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoMachineHttp
Principal is HTTP/demoMachine.corp.demo.com@CORP.DEMO.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
>>> Kinit realm name is CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
    demoMachine/10.0.1.7
IPv4 address
    demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/demoMachine.corp.demo.com@CORP.DEMO.COM
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
        at sun.security.krb5.internal.crypto.EType.getDefaults(EType.java:280)
        at sun.security.krb5.KrbAsReqBuilder.build(KrbAsReqBuilder.java:261)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:315)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\Users\demoHttp>

Another test:

PS C:\Users\demoHttp> .\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit.exe "-J-Dsun.security.krb5.debug=true" -k -t C:\Windows\krb5.keytab HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM
>>>KinitOptions cache name is C:\Users\demoHttp\krb5cc_demoHttp
Principal is HTTP/demoMachine.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM
>>> Kinit using keytab
>>> Kinit keytab file name: C:\Windows\krb5.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\windows\krb5.ini
Loaded from native config
>>> Kinit realm name is WINSERVER2016FO.CORP.DEMO.COM
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for elm are:
    demoMachine/10.0.1.7
IPv4 address
    demoMachine/fe80:0:0:0:fc1c:feca:403e:10f7%6
IPv6 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): WINSERVER2016FO.CORP.DEMO.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): demoMachine.corp.demo.com
>>> KeyTab: load() entry length: 95; type: 23
Looking for keys for: HTTP/demoMachine.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM
Added key: 23version: 44
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
getKDCFromDNS using UDP
getKDCFromDNS using TCP
>>> KrbKdcReq send: kdc=WinServer2016Fo TCP:88, timeout=30000, number of retries =3, #bytes=246
>>> KDCCommunication: kdc=WinServer2016Fo TCP:88, timeout=30000,Attempt =1, #bytes=246
>>>DEBUG: TCPClient reading 140 bytes
>>> KrbKdcReq send: #bytes read=140
>>> KdcAccessibility: remove WinServer2016Fo
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Wed Sep 30 20:02:17 UTC 2020 1601496137000
         suSec is 459157
         error code is 68
         error Message is null
         sname is krbtgt/WINSERVER2016FO.CORP.DEMO.COM@WINSERVER2016FO.CORP.DEMO.COM
         msgType is 30
Exception: krb_error 68 null (68) null
KrbException: null (68)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
        ... 4 more
PS C:\Users\demoHttp>
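The debug output above shows the keytab entry being read with realm WINSERVER2016FO.CORP.DEMO.COM while the first kinit run looks for HTTP/demoMachine.corp.demo.com@CORP.DEMO.COM, and the second run, which asks for the keytab's realm instead, gets a KRB-ERROR with code 68 (KDC_ERR_WRONG_REALM in RFC 4120) back from the KDC. As an added example that is not part of the original post, here is a small parser for the MIT keytab format that ktpass writes, with the same exact-match principal lookup a client performs and a check that flags entries whose realm differs from the configured default_realm. The keytab bytes are constructed inline from the principal, enctype 23 and kvno 44 printed in the debug output, using a dummy key; nothing here reads the real krb5.keytab, and the function names are this example's own.

```python
# Added example (not from the original post): parse an MIT-format keytab, the
# format ktpass writes, and look up keys the way a Kerberos client does.
import struct
from typing import List, NamedTuple, Tuple

KDC_ERR_WRONG_REALM = 68              # RFC 4120 error code seen in the second run
DEFAULT_TKT_ENCTYPES = (17, 16, 23)   # the defaults the debug output reports


class KeytabEntry(NamedTuple):
    principal: str   # full name, e.g. HTTP/host.corp.demo.com@REALM
    realm: str
    enctype: int     # 23 = rc4-hmac, 17 = aes128-cts-hmac-sha1-96, 16 = des3-cbc-sha1
    kvno: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a big-endian uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a version-2 (magic 0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("expected keytab magic 0x0502")
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)   # signed entry length
        off += 4
        if size < 0:                  # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        pos = off + 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; ktpass omits it
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        realm_s = realm.decode()
        entries.append(KeytabEntry("/".join(comps) + "@" + realm_s, realm_s, enctype, kvno, key))
        off = end
    return entries


def find_keys(entries, principal, allowed=DEFAULT_TKT_ENCTYPES):
    """Client-side lookup: exact principal+realm match first, then enctype filter."""
    matching = [e for e in entries if e.principal == principal]
    usable = [e for e in matching if e.enctype in allowed]
    return matching, usable


def foreign_realm_entries(entries, default_realm):
    """Entries whose realm is not the configured default_realm."""
    return [e for e in entries if e.realm != default_realm]


def build_entry(realm, components, enctype, kvno, key, name_type=1, timestamp=0):
    """Serialize one keytab entry (used only to construct the sample below)."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: same principal, realm, enctype and kvno as the debug
# output, with a dummy 16-byte key (the real RC4 key is not on the page).
# The resulting entry is 95 bytes, matching "entry length: 95" above.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "WINSERVER2016FO.CORP.DEMO.COM", ["HTTP", "demoMachine.corp.demo.com"],
    enctype=23, kvno=44, key=bytes(range(16)))

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal}  etype={e.enctype} kvno={e.kvno}")
    for wanted in ("HTTP/demoMachine.corp.demo.com@CORP.DEMO.COM",
                   "HTTP/demoMachine.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM"):
        matching, usable = find_keys(entries, wanted)
        print(f"{wanted}: {len(matching)} matching, {len(usable)} usable")
    for e in foreign_realm_entries(entries, "CORP.DEMO.COM"):
        print(f"realm mismatch: {e.principal} vs default_realm CORP.DEMO.COM")
```

To run it against a real file, pass `open(r"C:\Windows\krb5.keytab", "rb").read()` to `parse_keytab`. Two points the output makes concrete: the Kerberos realm of an Active Directory domain is the DNS domain name in uppercase (CORP.DEMO.COM), not the domain controller's host name, so an entry whose realm is the DC name can never satisfy a lookup for a CORP.DEMO.COM principal, and asking the KDC for that realm directly is what produces error 68. The "Identifier doesn't match expected value (906)" is the ASN.1 layer's way of saying the same thing: the debug line "encoding tag is 126 req type is 11" shows a reply tagged [APPLICATION 30] (a KRB-ERROR) where an AS-REP ([APPLICATION 11]) was expected, which is why the KRBError fields are printed just before the exception.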

0 Answers