Problem:
After upgrading to zulu11.60.20-sa-jdk11.0.17, the following exception occurs:
JNDI authenticated FAIL.
com.exception.DcConnectionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]
at com.service.impl.JndiAction.performJndiOperation(JndiAction.java:64)
at com.service.impl.JndiAction.run(JndiAction.java:38)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:361)
at AdTest.main(AdTest.java:120)
Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]]
at java.naming/com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:216)
at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:236)
at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2895)
at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
...
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
at jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:222)
at java.naming/com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:172)
... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:773)
at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:266)
at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
at jdk.security.jgss/com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:203)
... 19 more
Caused by: KrbException: Fail to create credential. (63) - No service creds
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:458)
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
at java.security.jgss/sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:697)
... 22 more
Cause:
Per the October 2022 Release Notes, newly included JDK-8139348 deprecates Kerberos 3DES and RC4.
Solution:
Ideally, you should upgrade your Active Directory to more secure encryption. Otherwise, you can re-enable the deprecated encryption types by adding "allow_weak_crypto=true" to your krb5.conf file under the [libdefaults] section. This will re-enable all weak encryption types, such as:
- des3-hmac-sha1 (3DES)
- rc4-hmac (RC4)
- des-cbc-crc
- des-cbc-md5
- etc.
If you want to enable only 3DES and RC4, you can list them under "permitted_enctypes" to restrict access to only these 2 encryption types. For example:
[libdefaults]
allow_weak_crypto = true
permitted_enctypes = des3-hmac-sha1 rc4-hmac
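To find hosts where this workaround is still in place once Active Directory has been moved to stronger encryption, a krb5.conf can be checked for the two settings above. The script below is an added example, not part of the original article or of any Azul tooling; the krb5.conf key it looks for is `allow_weak_crypto`, and the function names, finding codes, the two alias spellings in `WEAK`, and the sample text are assumptions made for illustration.

```python
import re

# Weak enctypes named on this page, plus two common aliases (aliases are an assumption).
WEAK = {"des3-hmac-sha1", "des3-cbc-sha1", "rc4-hmac", "arcfour-hmac",
        "des-cbc-crc", "des-cbc-md5"}

def parse_libdefaults(text):
    """Return the key/value pairs found under [libdefaults]."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return (code, detail) findings about weak Kerberos crypto in a krb5.conf."""
    cfg = parse_libdefaults(text)
    if cfg.get("allow_weak_crypto", "false").lower() not in ("true", "yes"):
        return []                                 # weak enctypes stay disabled
    findings = [("WEAK_CRYPTO_ENABLED", "allow_weak_crypto = true")]
    permitted = re.split(r"[\s,]+", cfg.get("permitted_enctypes", "").lower())
    permitted = [e for e in permitted if e]
    if not permitted:
        findings.append(("NO_RESTRICTION", "every weak enctype is re-enabled"))
        return findings
    weak = sorted(e for e in permitted if e in WEAK)
    if weak:
        findings.append(("WEAK_PERMITTED", " ".join(weak)))
    if len(weak) == len(permitted):
        findings.append(("ONLY_WEAK", "no non-weak enctype is permitted"))
    return findings

# Constructed sample modeled on the [libdefaults] example above.
SAMPLE = """
[libdefaults]
allow_weak_crypto = true
permitted_enctypes = des3-hmac-sha1 rc4-hmac
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
```

The `ONLY_WEAK` finding fires for the sample because a `permitted_enctypes` list containing only 3DES and RC4 leaves no AES type permitted.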