Sunday, June 1, 2014

IllegalBlockSizeException kinit kerberos ApacheDS

While trying to kerberize a web application, I ran into the following error on the KDC server, which happened to be ApacheDS.

IllegalBlockSizeException: Input length not multiple of 8 bytes.

Eventually, I was able to isolate the problem in the krb5.conf file of the client. When the default_tgs_enctype and the default_tkt_enctype were not explicitly specified, as shown below, the problem went away and the KDC could successfully generate either TGS-REP or AS-REP responses.

#/------------------------------- start of krb5.conf --------------------------/
[libdefaults]
default_realm = EXAMPLE.COM
# default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
# default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
kdc_timeout = 5000
dns_lookup_realm = false
dns_lookup_kdc = false
allow_weak_crypto = yes
forwardable = true
ap_req_checksum_type = 12

[realms]
EXAMPLE.COM = {
kdc = 127.0.0.1:60088
}

[login]
krb4_convert = true
krb4_get_tickets = false
#/------------------------------- end of krb5.conf ----------------------------/
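As an added example (not code from the original post or from ApacheDS), the following script audits a client krb5.conf for the situation described above: [libdefaults] pinning default_tgs_enctypes / default_tkt_enctypes to DES or DES3 only, which leaves the KDC no modern enctype to negotiate. It assumes only the flat key = value subset of the krb5.conf syntax shown on this page, and the sample input is constructed from the post's own configuration.

```python
import re

# Enctypes deprecated for Kerberos: single DES (RFC 6649), DES3 and RC4 (RFC 8429); MIT krb5
# also accepts the family aliases des, des3 and rc4 in enctype lists, so they are listed too.
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des3",
                 "des3-cbc-sha1", "des3-cbc-sha1-kd", "des3-hmac-sha1", "rc4", "rc4-hmac",
                 "rc4-hmac-exp", "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}} for flat lines; '#' comments and '{ }' blocks skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif current is not None and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def audit_libdefaults(text):
    """Return findings about weak enctype pinning in [libdefaults]; empty list means nothing found."""
    lib = parse_krb5_conf(text).get("libdefaults", {})
    findings = []
    for key in ENCTYPE_KEYS:
        if key in lib:
            etypes = [e.lower() for e in re.split(r"[,\s]+", lib[key]) if e]
            weak = [e for e in etypes if e in WEAK_ENCTYPES]
            if weak and len(weak) == len(etypes):
                findings.append(f"{key} allows only weak enctypes ({', '.join(weak)}); AES cannot be negotiated")
            elif weak:
                findings.append(f"{key} includes weak enctypes: {', '.join(weak)}")
    if lib.get("allow_weak_crypto", "false").lower() in ("yes", "true", "1", "on"):
        findings.append("allow_weak_crypto is enabled")
    return findings

# Constructed sample: the post's config with the two enctype lines active (failing case) and commented out.
PINNED = ("[libdefaults]\ndefault_realm = EXAMPLE.COM\ndefault_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd\n"
          "default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd\nallow_weak_crypto = yes\n"
          "[realms]\nEXAMPLE.COM = {\nkdc = 127.0.0.1:60088\n}\n")
UNPINNED = PINNED.replace("\ndefault_t", "\n# default_t")
```

Running audit_libdefaults on PINNED reports both enctype keys as DES/DES3-only plus the allow_weak_crypto setting; on UNPINNED only the allow_weak_crypto finding remains, matching the working configuration above.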

ApacheDS log output after a TGS_REQ:

INFO   | jvm 1    | 2014/06/01 17:50:49 | [17:50:49] DEBUG [org.apache.directory.server.KERBEROS_LOG] - /127.0.0.1:54210 SENT:  
INFO   | jvm 1    | 2014/06/01 17:50:49 | >-------------------------------------------------------------------------------
INFO   | jvm 1    | 2014/06/01 17:50:49 | KdcRep : TGS-REP
INFO   | jvm 1    | 2014/06/01 17:50:49 | pvno : 5
INFO   | jvm 1    | 2014/06/01 17:50:49 | msg-type : TGS_REP
INFO   | jvm 1    | 2014/06/01 17:50:49 | crealm : EXAMPLE.COM
INFO   | jvm 1    | 2014/06/01 17:50:49 | cname : { name-type: KRB_NT_PRINCIPAL, name-string : <'wmmnpr'> }
INFO   | jvm 1    | 2014/06/01 17:50:49 | Ticket :
INFO   | jvm 1    | 2014/06/01 17:50:49 |   tkt-vno : 5
INFO   | jvm 1    | 2014/06/01 17:50:49 |   realm : EXAMPLE.COM
INFO   | jvm 1    | 2014/06/01 17:50:49 |   sname : { name-type: KRB_NT_UNKNOWN, name-string : <'HTTP', 'example.com'> }
INFO   | jvm 1    | 2014/06/01 17:50:49 |   enc-part : EncryptedData : {
INFO   | jvm 1    | 2014/06/01 17:50:49 |     etype: aes128-cts-hmac-sha1-96 (17)
INFO   | jvm 1    | 2014/06/01 17:50:49 |     cipher: 0x0D 0x56 0xC4 0x0C 0x01 0x9E 0x62 0x6E 0x28 0x45 ....
INFO   | jvm 1    | 2014/06/01 17:50:49 | }
INFO   | jvm 1    | 2014/06/01 17:50:49 | 
INFO   | jvm 1    | 2014/06/01 17:50:49 | EncryptedData : {
INFO   | jvm 1    | 2014/06/01 17:50:49 |     etype: aes128-cts-hmac-sha1-96 (17)
INFO   | jvm 1    | 2014/06/01 17:50:49 |     cipher: 0x94 0x75 0xE9 0x4C 0xDA 0x6D 0x79 0xDC 0x49 0x0E ...
INFO   | jvm 1    | 2014/06/01 17:50:49 | }
INFO   | jvm 1    | 2014/06/01 17:50:49 | 
INFO   | jvm 1    | 2014/06/01 17:50:49 | -------------------------------------------------------------------------------<
INFO   | jvm 1    | 2014/06/01 17:50:49 | 
