Java security updates that drop deprecated Kerberos encryption types (RC4) from the default set can break the Kerberos login used by EasySSO.

See this note for the required Java 11+ specific configuration: Additional Configuration for Java 11.

Symptoms:

  • Java updated to one of the following patch versions (or newer)
    • 7u361
    • 8u351
    • 11.0.17
  • In the jespa.log file, the following exception appears whenever Kerberos login is attempted:

    Authentication failed: Token Type:WRAPPED_LEGACY_KRB Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)
    

Cause:

In the Java versions listed, RC4-HMAC is removed from the default list of Kerberos encryption types because the cipher is weak, so Java can no longer decrypt an RC4-encrypted service ticket. Active Directory encrypts a service ticket with the strongest type it believes the service account supports, which it reads from that account's msDS-SupportedEncryptionTypes attribute; when the attribute is unset, or lists RC4 without AES, older domain controllers issue RC4-encrypted tickets, and the ticket presented to EasySSO fails with the error above. RC4 can be re-enabled on the Java side (allow_weak_crypto in krb5.conf), but that reinstates a deprecated cipher; the fix below removes RC4 from the ticket instead.

How to resolve the issue:

To make sure the service tickets issued for EasySSO are not RC4-encrypted, set the Active Directory attribute msDS-SupportedEncryptionTypes on the account that holds the EasySSO service principal (normally the computer account used for Kerberos) to a value that does not include RC4. Only that account needs to change; user accounts and other computers are unaffected.

The recommended value is 0x18 (24 in decimal): the AES 128 bit (0x08) plus the AES 256 bit (0x10), with the RC4 bit (0x04) and the DES bits (0x01, 0x02) cleared.

If EasySSO authenticates with a keytab, that keytab must contain AES keys for the account (for example, one generated with ktpass /crypto AES256-SHA1); a keytab holding only an RC4 key cannot decrypt the AES-encrypted tickets the domain controller will issue after this change.

To set this attribute for the computer account:

  • Open ADSI Edit
  • Find the computer account being used for EasySSO
  • Select Properties
  • Scroll to msDS-SupportedEncryptionTypes
  • Set the value to 24 (the attribute is an integer and ADSI Edit shows it in decimal; 24 = 0x18, AES 128 + AES 256)
  • Save the settings

Clients that already hold an RC4-encrypted service ticket for EasySSO keep using it until it expires or the ticket cache is cleared, so users may need to log off and back on (or run klist purge) before a new AES-encrypted ticket is requested and EasySSO Kerberos login works again.
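The same change, done with the ActiveDirectory PowerShell module instead of ADSI Edit, with a before/after check of the attribute. This is an added example and not part of the EasySSO documentation; the account name EASYSSO-SVC and the SPN HTTP/easysso.example.com are placeholders, and the session is assumed to have write access to the account object.

```powershell
# Added example (not EasySSO's own code): set msDS-SupportedEncryptionTypes to AES only
# on the computer account used for EasySSO Kerberos, then verify the result.
Import-Module ActiveDirectory

$account = 'EASYSSO-SVC'       # placeholder: the computer account that owns the EasySSO SPN/keytab
$Target  = 0x08 -bor 0x10      # 0x18 = 24 decimal: AES128 + AES256, RC4 and DES bits cleared

# Decode the bit flags of msDS-SupportedEncryptionTypes into readable names.
function ConvertTo-EncTypeNames {
    param([int]$Value)
    $bits = @(
        @(0x01, 'DES-CBC-CRC'),
        @(0x02, 'DES-CBC-MD5'),
        @(0x04, 'RC4-HMAC'),
        @(0x08, 'AES128-CTS-HMAC-SHA1-96'),
        @(0x10, 'AES256-CTS-HMAC-SHA1-96')
    )
    $names = foreach ($pair in $bits) { if ($Value -band $pair[0]) { $pair[1] } }
    if (-not $names) { return 'not set (older DCs fall back to RC4 for service tickets)' }
    return ($names -join ', ')
}

$obj = Get-ADComputer -Identity $account -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName'
$current = [int]$obj.'msDS-SupportedEncryptionTypes'
'SPNs on account: {0}' -f ($obj.servicePrincipalName -join ', ')
'Before: {0} (0x{0:X}) = {1}' -f $current, (ConvertTo-EncTypeNames $current)

# -Replace writes the integer whether or not the attribute was previously set.
if ($current -ne $Target) {
    Set-ADComputer -Identity $account -Replace @{ 'msDS-SupportedEncryptionTypes' = $Target }
}

$after = [int](Get-ADComputer -Identity $account -Properties 'msDS-SupportedEncryptionTypes').'msDS-SupportedEncryptionTypes'
'After:  {0} (0x{0:X}) = {1}' -f $after, (ConvertTo-EncTypeNames $after)
if ($after -band 0x04) { Write-Warning 'RC4 is still enabled on this account' }

# Client-side check after the change (run on a workstation as a domain user):
#   klist purge
#   klist get HTTP/easysso.example.com        # placeholder SPN
# The new ticket should report "KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96".
```

Run the script once per account that carries an EasySSO service principal; the client-side klist check at the end confirms that freshly issued tickets are AES-encrypted before users are asked to log off and on.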

Related Resources: