1 Reply Latest reply on Nov 17, 2011 2:56 PM by Erik Brown

    Invalid Argument (400)?

      Setting up Kerberos on a BBSA server.


      Windows 2008 SP2

      All DCs are W2K8 SP2


      1) validated the keytab works (multiple times) from the BBSA App Server

      2) imported the blappserv_login.conf, blappserv_krb5.conf, blclient_login.conf, blclient_krb5.conf, krb5.ini, and config.properties from my lab and modified the particulars for the development environment.  The lab works without any problem

      3) turned on the two settings in blasadmin (IsDomainAuthEnabled, IsADKAuthEnabled)

      4) set the registry key (allowtgtsessionkey)

      5) rebooted


      In the console.log I get this information (names changed to protect the innocent)


      principal is BLAuthSvc/BBSA@MYDOMAIN.COM
      EncryptionKey: keyType=3 keyBytes (hex dump)=0000: BC 32 46 2A 61 1A AE 89  
      Added server's keyKerberos Principal BLAuthSvc/BBSA@MYDOMAIN.COMKey Version 3key EncryptionKey: keyType=3 keyBytes (hex dump)=
      0000: BC 32 46 2A 61 1A AE 89  

        [Krb5LoginModule] added Krb5Principal  BLAuthSvc/BBSA@MYDOMAIN.COM to Subject
      Commit Succeeded



      Looks promising, right?



      After I attempt to log in (and fail due to AD/Kerberos error), I get this message in console.log:


      [17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Possible configuration issue during login.

      [17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Check configuration of: C:\Program Files\BMC Software\BladeLogic\8.1\NSH\br\blappserv_login.conf

      [17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver]                    and: C:\Program Files\BMC Software\BladeLogic\8.1\NSH\br\blappserv_krb5.conf

      [17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Actual error returned: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC

      [17 Nov 2011 13:46:12,440] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] The client connection closed or timed-out during the authentication process

      [17 Nov 2011 13:46:12,440] [Authentication-Service-Thread-0] [INFO] [::] [Appserver] Authentication Connection closed



      I have modified both files to make them as "barebones" as possible and I've restarted after every change.


      I've even tried changing the encryption to RC4-HMAC-NT, but it caused the service to fail to start.



      I have been able to successfully log in using Domain Authentication using these files, but SSO w/ Kerberos fails so far... so I'm at a loss as to what to do next...



      com.sun.security.jgss.accept {
      com.sun.security.auth.module.Krb5LoginModule required
      keyTab="C:\\Program Files\\BMC Software\\BladeLogic\\8.1\\NSH\\br\\BLAuthSvc.keytab"

      com.bladelogic.auth.service.ADKerberosPasswordLogin {
      com.sun.security.auth.module.Krb5LoginModule required




      ticket_lifetime = 6000

      default_realm = MYDOMAIN.COM

      default_tkt_enctypes = des-cbc-md5

      default_tgs_enctypes = des-cbc-md5


      MYDOMAIN.COM = {

      kdc = MYSRV_1.MYDOMAIN.COM:88

      ... <snippage> ...

      kdc = MYSRV_X.MYDOMAIN.COM:88



      .mydomain.com = MYDOMAIN.COM

        • 1. Invalid Argument (400)?

          Physician, heal thyself. Looks like I might have figured it out.


          It's not documented in the BBSA documentation, but in order to use DES-CBC-MD5, one must also activate the "Use Kerberos DES encryption types for this account" setting... otherwise, you get stuck in RC4-HMAC mode, which apparently is default for Windows.



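The enctype mismatch the reply pinpoints can be read straight off the console.log lines quoted in the question. The following Python is an added example, not BladeLogic code: it pulls the keytab's keyType from the JAAS debug output and the enctype named in the "Cannot find key of appropriate type to decrypt AP REP" warning (the enctype labels are assumed to be the ones the JDK's Krb5 provider prints), then reports whether the KDC issued a service ticket the keytab has no key for.

```python
import re

# Kerberos enctype numbers (RFC 3961, RFC 4757) mapped to the labels the
# JDK Krb5 provider prints; "RC4 with HMAC" is the one seen on this page.
ENCTYPE_NAMES = {
    1: "DES CBC mode with CRC-32",
    3: "DES CBC mode with MD5",
    17: "AES128 CTS mode with HMAC SHA1-96",
    18: "AES256 CTS mode with HMAC SHA1-96",
    23: "RC4 with HMAC",
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}

KEYTAB_RE = re.compile(r"EncryptionKey: keyType=(\d+)")
APREP_RE = re.compile(r"Cannot find key of appropriate type to decrypt AP REP - (.+?)\s*$")

# Constructed sample, built from the lines quoted in the question above.
SAMPLE_LOG = """\
principal is BLAuthSvc/BBSA@MYDOMAIN.COM
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: BC 32 46 2A 61 1A AE 89
[Krb5LoginModule] added Krb5Principal  BLAuthSvc/BBSA@MYDOMAIN.COM to Subject
Commit Succeeded
[17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Possible configuration issue during login.
[17 Nov 2011 13:46:12,425] [Authentication-Service-Thread-0] [WARN] [::] [Appserver] Actual error returned: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
"""


def diagnose(log_text):
    """Return (keytab_enctypes, ticket_enctype, verdict) for a console.log excerpt."""
    keytab = sorted({int(k) for k in KEYTAB_RE.findall(log_text)})
    ticket = None
    for line in log_text.splitlines():
        m = APREP_RE.search(line)
        if m:
            ticket = NAME_TO_ENCTYPE.get(m.group(1).strip())
    if ticket is None:
        return keytab, None, "no AP-REP decrypt failure seen"
    if ticket in keytab:
        return keytab, ticket, "keytab holds a key of the ticket's enctype; check kvno and principal name instead"
    have = [ENCTYPE_NAMES.get(e, str(e)) for e in keytab]
    verdict = (f"mismatch: service ticket uses enctype {ticket} ({ENCTYPE_NAMES[ticket]}) "
               f"but the keytab only holds {have}; the KDC is not issuing the keytab's "
               f"enctype for this service account")
    return keytab, ticket, verdict


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)[2])
```

For the quoted log this reports a DES-only keytab (enctype 3) against an RC4-HMAC (enctype 23) ticket, which is exactly the account-level DES setting the reply describes.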