gss_acquire_cred failing with No key table entry found
I am trying to make a Windows client authenticate with a Linux server in a domain-joined scenario. I have created a service principal based on the documentation provided as part of PBIS/gssapps and the MSDN GSS/SSPI interop documentation, and updated the relevant keytab entry in /etc/krb5.keytab.
I have ensured that the DNS zones are set up correctly and that the machine is domain-joined.
The error I am running into:
The service_name passed is "gss/dell-vostro-155.domain.in@domain.in".
I do see the principal in ktutil/list
Mostly looking for advice on how to go about debugging this.
Edit:
114 2 gss/dell-vostro-155.domain.in@domain.in (des-cbc-crc)
This is happening on the server end, where it is going to do a gss_ASC:
sudo ./gss-server gss/dell-vostro-155.domain.in@domain.in
so gss-server is acting as the "gss" part in the principal name.
Edit:
krb5.conf is a bit big; I wanted to paste it as it is, so I added a Pastebin link: krb5.conf
1 Answer
I actually sent a mail to kerberos@mit.edu to help me out, this is what they recommended.
This code was importing a krb5 principal name, but with a name type indicating a GSS host-based service name. (gss_nt_service_name is more properly spelled GSS_C_NT_HOSTBASED_SERVICE; I'm not sure why the Microsoft documentation is using the archaic identifier.)
We can do one of the following:
- Don't import a name or acquire creds. Pass GSS_C_NO_CREDENTIAL to gss_accept_sec_context() as the verifier cred handle. The client will be able to authenticate to any key in the keytab, so make sure the keytab doesn't contain extraneous entries. This is the approach recommended by most Kerberos developers.
- Use the GSS_KRB5_NT_PRINCIPAL_NAME name type instead of gss_nt_service_name, in order to treat the imported name as a krb5 principal name.
- Use a GSS host-based service name instead of a principal name. The host-based service name might look like "gss@dell-vostro-155.domain.com" for this key (although "gss" isn't really a proper first component as it doesn't name a service protocol). With MIT krb5 1.10+, you can also just specify the first component ("gss" in this case), allowing the client to authenticate to any keytab entry matching that first component.
For more, see http://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html particularly the «Name types» and «Acceptor names» sections.
I used GSS_KRB5_NT_PRINCIPAL_NAME to make things work.
Source
Spring Boot fails reading certificate with IllegalArgumentException: jsse.alias_no_key_entry
I developed an application and I uploaded to my domain. The host provides me a wildcard certificate to use, so I tried to add it into my application. I don’t know if I am doing the right steps or what.
So, this is what I did:
- I downloaded the certificate ( last.cer )
- I created a keystore from that certificate:
- That created last.p12, which I put into resources/keystore/
This is my configuration:
The key-password is the one I put in the host provider in order to download the certificate.
I also added the ServletWebServerFactory.
When I start up the application, I get this:
But the alias is «carlos» in both places.
1 Answer
You need the private key (but not a biscuit 🙂).
If the host "provides" the cert in response to your request, especially if you created the Certificate Signing Request (CSR), then you must have the private key; use it. If the "host", or possibly the CA, or somebody else created this identity for you, get the private key from them. Depending on the form you have or get, the method to use it may vary some.
Also, writing/modifying files under Program Files (x86) on Windows is a bad idea. These changes may fail outright or disappear. Microsoft has officially stated since the 1990s that files in the %PROGRAMFILES*% directory(ies) should not be modified and data should go under (the places now known as) %PROGRAMDATA% %USERPROFILE% or %ALLUSERSPROFILE% as applicable. Viruses and malware often work by illegitimately modifying %PROGRAMFILES*%, so recentish versions of Windows — at least 8 and 10 and the Server versions, I don’t recall about 7 for sure — as well as antivirus and other security products have gotten more aggressive about prohibiting or discarding attempts to change these files. Since you actually want this file elsewhere anyway — in your server application directory (or jar? you’re not clear) — just write it there to start with.
Source
No key table entry found matching #2
Comments
cyberyor commented May 7, 2018
Trying to set up Jupyterhub to authenticate LDAP users against an existing KDC on a separate node.
So far, I have the following:
However, when authenticating with a valid (LDAP) user, I get the following error:
willingc commented May 14, 2018
Is @cyberyor’s use case with LDAP something that this authenticator supports?
@willingc from Project Jupyter
xmatthias commented May 22, 2018
Struggling with this myself at the moment.
Looking at your error, I think the problem is that the service name has the wrong format.
Service principal names should be of the format <service>/<hostname>@MYDOMAIN.COM, whereas yours is just <name>@MYDOMAIN.COM (basically a regular principal), which Kerberos does not allow/use as a service principal name.
Also, the host must be resolvable (to the correct IP address) by the KDC.
Unfortunately, information about this authenticator is very sparse. I found the slides for the initial presentation here; however, it seems that some components have been modified, but I didn't find any reference to it so far.
cltsao commented Sep 27, 2018
I'm having a similar issue. My keytab file contains service principals:
Keytab name: FILE:/etc/httpfs.keytab
KVNO Timestamp Principal
2 09/27/2018 14:13:48 httpfs/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
2 09/27/2018 14:13:48 httpfs/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
2 09/27/2018 14:13:48 httpfs/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
2 09/27/2018 14:13:48 HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
2 09/27/2018 14:13:48 HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
2 09/27/2018 14:13:48 HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL
I tried several values for c.KDCAuthenticator.service_name, including ‘HTTP’, ‘HTTP@ip-10-0-1-103.ec2.internal’, and ‘HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL’, but none works.
@xmatthias Could you show a sample keytab file and service name? Thank you!
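Both Kerberos threads on this page (the gss_acquire_cred question above and this JupyterHub issue) end up at the same question: which keytab principal does the acceptor name actually select? The following is an added example, not code from either thread or from the projects involved. It is a small Python model of how MIT krb5 maps the name handed to gss_import_name() onto a keytab principal, run against constructed `klist -kte` output that echoes the principals seen in both threads. It shows why a krb5 principal string imported as GSS_C_NT_HOSTBASED_SERVICE matches nothing, why the same string imported as GSS_KRB5_NT_PRINCIPAL_NAME does, and which host-based forms work. It also flags the des-cbc-crc key from the first thread: single-DES enctypes need allow_weak_crypto in krb5 1.8 through 1.17 and were removed outright in 1.18, so a keytab whose only key for the service is des-cbc-crc fails on a current library even when the name is right. DNS canonicalization of the hostname and default-realm lookup are not modelled; the realm is passed in explicitly as an assumption.

```python
"""Model of how MIT krb5 resolves a GSS acceptor name against a keytab.

Added example, not code from the threads above. Hostname canonicalisation
through DNS and default-realm lookup are not modelled: the realm is given.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed `klist -kte` output; the principals echo the two threads above.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/27/2018 14:13:48 gss/dell-vostro-155.domain.in@domain.in (des-cbc-crc)
   2 09/27/2018 14:13:48 HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL (aes256-cts-hmac-sha1-96)
   2 09/27/2018 14:13:48 HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL (aes128-cts-hmac-sha1-96)
"""

# Single-DES: only with allow_weak_crypto in krb5 1.8-1.17, removed in 1.18.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"}

# kvno, two timestamp tokens, principal, optional "(enctype)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\(([^)]*)\))?\s*$")


@dataclass(frozen=True)
class KeytabEntry:
    kvno: int
    principal: str
    enctype: str | None

    @property
    def weak(self) -> bool:
        return (self.enctype or "") in WEAK_ENCTYPES


def parse_klist(text: str) -> list[KeytabEntry]:
    """Parse `klist -kte` output; header and separator lines do not match."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return out


def acceptor_principal(name: str, name_type: str, realm: str | None = None) -> str:
    """Principal the library will look for in the keytab.

    "hostbased" is GSS_C_NT_HOSTBASED_SERVICE: "service@host", or a bare
    "service" (krb5 1.10+) that matches any host, written here as "*".
    "principal" is GSS_KRB5_NT_PRINCIPAL_NAME: the string is used as-is.
    A principal string pushed through the hostbased path is split at "@",
    so "gss/host@realm" becomes service "gss/host" on host "realm".
    """
    if name_type == "principal":
        return name if "@" in name or realm is None else f"{name}@{realm}"
    if name_type != "hostbased":
        raise ValueError(f"unknown name type {name_type!r}")
    service, _, host = name.partition("@")
    princ = f"{service}/{host or '*'}"
    return f"{princ}@{realm}" if realm else princ


def matching_entries(entries: list[KeytabEntry], principal: str) -> list[KeytabEntry]:
    """Keytab entries the acceptor principal selects ("*" host matches any)."""
    want, _, want_realm = principal.partition("@")
    hits = []
    for e in entries:
        name, _, realm = e.principal.partition("@")
        if want_realm and realm != want_realm:
            continue
        if want.endswith("/*"):
            if name.split("/")[0] == want[:-2]:
                hits.append(e)
        elif name == want:
            hits.append(e)
    return hits


def diagnose(klist_text: str, name: str, name_type: str, realm: str | None = None) -> dict:
    """Explain what gss_acquire_cred / gss_accept_sec_context will do with NAME."""
    princ = acceptor_principal(name, name_type, realm)
    hits = matching_entries(parse_klist(klist_text), princ)
    usable = [e for e in hits if not e.weak]
    if not hits:
        verdict = "no match: expect 'No key table entry found matching'"
    elif not usable:
        verdict = "match, but only single-DES keys: re-key with AES"
    else:
        verdict = "ok"
    return {"principal": princ, "matches": [e.principal for e in hits],
            "usable": len(usable), "verdict": verdict}


if __name__ == "__main__":
    cases = [
        # the original bug: a krb5 principal imported as a host-based name
        ("gss/dell-vostro-155.domain.in@domain.in", "hostbased", "domain.in"),
        # the fix the poster used
        ("gss/dell-vostro-155.domain.in@domain.in", "principal", None),
        # the service_name forms tried in the JupyterHub thread
        ("HTTP", "hostbased", "EC2.INTERNAL"),
        ("HTTP@ip-10-0-1-103.ec2.internal", "hostbased", "EC2.INTERNAL"),
        ("HTTP/ip-10-0-1-103.ec2.internal@EC2.INTERNAL", "principal", None),
    ]
    for name, ntype, realm in cases:
        r = diagnose(SAMPLE_KLIST, name, ntype, realm)
        print(f"{ntype:9} {name!r:52} -> {r['principal']}: {r['verdict']}")
```

On a real host the same question is answered by the library itself: running the acceptor with `KRB5_TRACE=/dev/stderr` (MIT krb5 1.9+) prints the principal it looked up in the keytab, which is the first thing to compare against `klist -kte`.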
Source
How to resolve : java.io.IOException: jsse.alias_no_key_entry
I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is in Https.
I received the following certificate files with my VM:
I created a keystore with the following command :
Then, I modified the file conf/server.xml file with the following code:
Unfortunately, I get the following error when starting tomcat :
I do not understand where it can come from, because my alias is the correct one.
Thank you in advance for your help
4 Answers
In my case, the cause of this issue was that the SSL key alias present in the application was not same as the alias passed while creating the certificate.
keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12
To fix this, I had to correct the value of the server.ssl.key-alias property. As per the above SSL generation example, its value should be dummyApp.
Just had this issue, only with .p7b. This error means your keystore doesn’t contain the original private key.
Please make sure your private key (.csr) is in the same keystore with the .p7b chain.
I followed these steps:
1. Generated a key with a keystore:
keytool -genkey -alias [alias_name] -keyalg RSA -keystore [enter_keystore_name] -keysize 2048
This command creates not only a key entry, but also a private key in the keystore. That’s why it’s important to import the .p7b into the same keystore.
2. Generated a CSR from this entry:
keytool -certreq -keyalg RSA -keysize 2048 -alias [alias_name] -file [csr_file_name] -keystore [enter_keystore_name] -ext san=dns:[FQDN_of_server]
3. Imported the received signed .p7b into the same keystore (I recommend you to download the .p7b into the same folder your .csr and keystore are in):
keytool -import -alias [alias_name] -trustcacerts -file [ssl_certificate.p7b] -keystore [enter_keystore_name]
If everything’s done right, your keystore will contain the generated private key and the received .p7b.
Source
TOMCAT SSL Error: Alias name does not identify a key entry
I am trying to configure Tomcat 6 using SSL with a certificate provided to us (by someone). My SSL experience only spans a few days, but I still have to configure the darn thing.
I was provided a certificate (downloaded from IE) in DER format.
Next I created a keystore:
Say I used «password» for password
I configured this in Tomcat’s server.xml in the SSL section:
Upon starting Tomcat I get the darn error.
I then did a keytool -list on b2b.keystore, and noticed that the alias is in all lowercase, so after updating server.xml and restarting, I still get the same error, but for the lower case alias.
Then I thought that perhaps I needed a root CA. So I recreated the b2b.keystore as follows:
Then I re-executed my keytool command against MyCompany.der
But I still get the same error, that the alias does not identify a key entry.
I am wondering if I am making some fundamental error in configuring tomcat, or should this thing be working and I’m just making a stupid careless mistake?
Any guidance would be greatly appreciated.
1 Answer
What Tomcat needs is the certificate and its private key. The certificate is public information that any of your users can see, but the private key should be yours only: this is what prevents others from running a website with your certificate. By importing MyCompany.der, you're only importing the certificate.
You would need to find where your private key is first. (Normally, even the person who issued the certificate to you shouldn't know its private key.)
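All three keystore questions on this page (Spring Boot with a downloaded .cer, Tomcat with a .p7b, Tomcat 6 with a DER file) have the same root cause: `keytool -import`/`-importcert` of a certificate file produces a trustedCertEntry, while JSSE's key manager needs a PrivateKeyEntry under the configured alias, which is exactly what jsse.alias_no_key_entry reports. The following is an added example, not code from any of the answers above: a POSIX shell check that tells the two entry types apart in `keytool -list -v` output (case-insensitively, since keytool lowercases aliases on import, as the Tomcat 6 poster noticed), plus the openssl command that builds a PKCS12 the server can use once the private key has been located. The two listings are constructed; file names, the alias and the $P12_PASS variable are placeholders.

```shell
#!/bin/sh
# Added example (not from the questions above): is the alias a key entry or
# only a certificate? File names, alias and $P12_PASS are placeholders.

# Constructed `keytool -list -v` output for a keystore built with
# `keytool -importcert` alone: the certificate is there, the key is not.
CERT_ONLY_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: carlos
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=*.example.test
Issuer: CN=Example Issuing CA'

# Constructed listing for a keystore that carries the key pair.
WITH_KEY_LISTING='Alias name: carlos
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.test'

# entry_type_for_alias ALIAS   (keytool -list -v output on stdin)
# Prints PrivateKeyEntry, trustedCertEntry, or "absent". keytool lowercases
# aliases on import, so the comparison ignores case.
entry_type_for_alias() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    /^Alias name: / { cur = tolower(substr($0, 13)); next }
    /^Entry type: / && cur == want { print $3; found = 1; exit }
    END { if (!found) print "absent" }
  '
}

# check_ssl_alias KEYSTORE ALIAS STOREPASS
# Runs keytool against a real keystore and explains the outcome.
check_ssl_alias() {
  type=$(keytool -list -v -keystore "$1" -storepass "$3" | entry_type_for_alias "$2")
  case $type in
    PrivateKeyEntry)  echo "ok: alias $2 holds a private key"; return 0 ;;
    trustedCertEntry) echo "alias $2 is certificate-only: jsse.alias_no_key_entry; rebuild with build_pkcs12"; return 1 ;;
    *)                echo "alias $2 not present in $1"; return 1 ;;
  esac
}

# build_pkcs12 KEY.pem CERT.pem CHAIN.pem ALIAS OUT.p12
# The key must be the one the CSR was generated from. The store password is
# taken from $P12_PASS so it does not show up in the process list.
build_pkcs12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "$4" -out "$5" -passout env:P12_PASS
}

# Stand-alone demo over the constructed listings (no keytool needed).
printf '%s\n' "$CERT_ONLY_LISTING" | entry_type_for_alias carlos
printf '%s\n' "$WITH_KEY_LISTING" | entry_type_for_alias Carlos
printf '%s\n' "$WITH_KEY_LISTING" | entry_type_for_alias other
```

With the resulting .p12, point `keystoreFile`/`keyAlias` (Tomcat) or `server.ssl.key-store`/`server.ssl.key-alias` (Spring Boot) at it; `check_ssl_alias` run against that file should report PrivateKeyEntry before the server is restarted.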
Source