Once Kerberos is enabled and the SPN has been added, if you see an error similar to the one below in the logs, you will need to perform extra actions on your server-side JRE/JDK.
jespa.security.SecurityProviderException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
The security policy in the JRE/JDK being used needs updating. See the Java documentation on "Support for AES encryption type" for details, especially the note at the bottom of that page:
NOTE: The JCE framework within JDK includes an ability to enforce restrictions regarding the cryptographic algorithms and maximum cryptographic strengths available to applications. Such restrictions are specified in "jurisdiction policy files." The jurisdiction policy files bundled in Java SE limit the maximum key length. Hence, to use the AES256 encryption type, you will need to install the JCE crypto policy with the unlimited version to allow AES with 256-bit key.
The files for Java 8 can be obtained here:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Please read the README file inside the package and install the two JAR files accordingly.
Can I pre-emptively identify this problem before I try configuring Kerberos authentication?
Yes!
Go to https://www.howsmyssl.com/
The order of the cipher suites your browser offers for TLS will be similar to the preference used when encrypting the Kerberos ticket. Below is an example from IE11 on Windows 10. As you can see, AES-256 is preferred by the browser, so the problem will manifest itself unless strong (unlimited) security policies are installed.
Given Cipher Suites
The cipher suites your client said it supports, in the order it sent them, are:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Please note that the default policies of browsers and domains may change, so it makes sense to always install the strong (unlimited) policies where it is permitted by law.
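A server-side way to answer the same "can I identify this before configuring Kerberos?" question, as an added example that is not part of the original page or of any vendor's product: this small Java program asks the JCE framework for the maximum AES key length it permits and then actually initialises a 256-bit AES cipher, which fails with the same key-size restriction that produces the GSS-API error above. The class and method names are my own; the all-zero key is a constructed test value.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Aes256PolicyCheck {

    /** True if the installed JCE policy permits AES keys of at least 256 bits. */
    static boolean policyAllowsAes256() throws NoSuchAlgorithmException {
        // Integer.MAX_VALUE means "unlimited"; a restricted policy reports 128.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** True if a 256-bit AES key can actually be used; false on "Illegal key size". */
    static boolean canInitAes256() throws Exception {
        byte[] key = new byte[32];   // constructed all-zero test key, never used for real data
        byte[] iv  = new byte[16];   // constructed all-zero IV, only to satisfy CBC init
        try {
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            // A limited policy rejects the 256-bit key here, before any Kerberos code runs.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version     = " + System.getProperty("java.version"));
        // crypto.policy exists from Java 8u151 onward; null on older releases.
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES key bits = " + (max == Integer.MAX_VALUE ? "unlimited" : max));

        if (policyAllowsAes256() && canInitAes256()) {
            System.out.println("OK: aes256-cts-hmac-sha1-96 tickets can be decrypted by this JRE.");
        } else {
            System.out.println("FAIL: install the JCE Unlimited Strength policy files (or on 8u151+ "
                    + "set crypto.policy=unlimited in java.security) before enabling Kerberos.");
            System.exit(1);
        }
    }
}
```

Run it with the exact JRE your application server uses (`$JAVA_HOME/bin/java Aes256PolicyCheck`); a different JRE on the same host may report a different policy.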