Thread: Zcs 8 and SPNEGO

  1. #1

    Dear all,
    I'm about to move one of our customers from Exchange to Zimbra.
    I've set up a test environment with ZCS 8 and Windows Server 2012. After performing all the steps described in the ZCS 7 docs (the ZCS 8 documentation does not describe SPNEGO configuration), I receive the following error:


    Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – RC4 with HMAC)

    Any help will be appreciated.

    Thanks in advance.

  2. #2

    Hi,

    There should be a doc in /opt/zimbra/docs/spnego.txt. I'm curious to know if it is missing.

    As for the error, it looks like you need to enable rc4-hmac somewhere. Where is the error showing up? On the client? Zimbra server? Try setting in your krb5.conf:

    Code:
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = rc4-hmac
    --
    Jason Bryan
    Zimbra R&D

  3. #3

    Hi and thanks a lot for your help.
    Here is the krb5.ini.in
    [zimbra@mailsrv docs]$ cat /opt/zimbra/jetty/etc/krb5.ini.in
    [libdefaults]
    default_realm = %%zimbraSpnegoAuthRealm%%
    default_keytab_name = FILE:/opt/zimbra/data/mailboxd/spnego/jetty.keytab
    default_tkt_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc
    default_tgs_enctypes = rc4-hmac,des-cbc-md4,des-cbc-crc


    [realms]
    %%zimbraSpnegoAuthRealm%% = {
    default_domain = %%zimbraSpnegoAuthRealm%%
    }

    [domain_realm]
    .local = %%zimbraSpnegoAuthRealm%%

    [appdefaults]
    autologin = true
    forwardable=true

    Does /etc/krb5.conf play any role in the Zimbra Kerberos authentication? I will also try to set up /etc/krb5.conf and post back.

    Thank you.

    P.S. Yes, in /opt/zimbra/doc there is an spnego.txt
    Last edited by Stgiaf; 09-18-2013 at 04:13 AM.

  4. #4

    Additional information: The error is logged in /opt/zimbra/log/zmmailboxd.out on the Zimbra server.

    Thanks again

  5. #5

    No news .. Bad News!!
    I did some research today and I can see that the TGT is obtained by Active Directory. For some reason Java cannot decrypt the provided key. Here is the complete error from zmmailboxd.out:
    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /opt/zimbra/data/mailboxd/spnego/jetty.keytab refreshKrb5Config is false principal is HTTP/mailsrv.sglab.local@SGLAB.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    principal is HTTP/mailsrv.sglab.local@SGLAB.LOCAL
    Will use keytab
    Total time for which application threads were stopped: 0.0001140 seconds
    Total time for which application threads were stopped: 0.0001440 seconds
    Commit Succeeded

    Total time for which application threads were stopped: 0.0001150 seconds
    2013-09-18 19:53:39.963:WARN:oejs.SpnegoLoginService:
    GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:135)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:133)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.getPrincipal(SpnegoAuthenticator.java:74)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:67)
    at com.zimbra.cs.servlet.SpnegoFilter.authenticate(SpnegoFilter.java:123)
    at com.zimbra.cs.servlet.SpnegoFilter.doFilter(SpnegoFilter.java:76)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at com.zimbra.cs.servlet.ETagHeaderFilter.doFilter(ETagHeaderFilter.java:45)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:114)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:473)
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:344)
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:315)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:443)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:532)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1044)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:372)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:189)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:978)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:317)
    at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:81)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:369)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:486)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:933)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:995)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:640)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Thread.java:722)
    Caused by:
    KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:135)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:133)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.getPrincipal(SpnegoAuthenticator.java:74)
    at com.zimbra.cs.service.authenticator.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:67)
    at com.zimbra.cs.servlet.SpnegoFilter.authenticate(SpnegoFilter.java:123)
    at com.zimbra.cs.servlet.SpnegoFilter.doFilter(SpnegoFilter.java:76)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at com.zimbra.cs.servlet.ETagHeaderFilter.doFilter(ETagHeaderFilter.java:45)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at com.zimbra.cs.servlet.ZimbraQoSFilter.doFilter(ZimbraQoSFilter.java:114)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at org.eclipse.jetty.servlets.DoSFilter.doFilterChain(DoSFilter.java:473)
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:344)
    at org.eclipse.jetty.servlets.DoSFilter.doFilter(DoSFilter.java:315)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1291)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:443)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:532)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1044)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:372)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:189)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:978)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:317)
    at org.eclipse.jetty.server.handler.DebugHandler.handle(DebugHandler.java:81)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
    at org.eclipse.jetty.server.Server.handle(Server.java:369)
    at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:486)
    at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:933)
    at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:995)
    at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:640)
    at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
    at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
    at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
    at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
    at java.lang.Thread.run(Thread.java:722)
    Any ideas whether there is something I can do, or whether a patch is needed?

    Thanks again,
    Stefanos G.
    Last edited by Stgiaf; 09-19-2013 at 04:53 AM.
