Java 7 Kerberos issue – AES128 corrupt checksum

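I am migrating from Java 6 to Java 7 and have run into problems with Kerberos authentication. It looks to me as though the order of the underlying encryption types has been switched, so different encryption types are being used. In this case, Aes128CtsHmacSha1EType is used for part of the transaction when running under Java 7. ArcFourHmacEType is used when running Java 6, and for the other part when running Java 7.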

Other details: running on Linux (Fedora 16) against a Windows Active Directory server.

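I know I can get authentication to work if the default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes parameters are set in the krb5.conf file; however, I would like to use it without the file, and ideally without having to force one or two encryption types.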

This is the error message I get:

    java.security.PrivilegedActionException: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at *internal.code*.LDAPAuthenticator.authenticate(LDAPAuthenticator.java:46)
        at *internal.code*.LDAPAuthenticatorTest.testUpdateUser(LDAPAuthenticatorTest.java:30)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at junit.framework.TestCase.runTest(TestCase.java:154)
        at junit.framework.TestCase.runBare(TestCase.java:127)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at junit.textui.TestRunner.doRun(TestRunner.java:116)
        at com.intellij.junit3.JUnit3IdeaTestRunner.doRun(JUnit3IdeaTestRunner.java:139)
        at junit.textui.TestRunner.doRun(TestRunner.java:109)
        at com.intellij.junit3.JUnit3IdeaTestRunner.startRunnerWithArgs(JUnit3IdeaTestRunner.java:52)
        at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:182)
        at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:62)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:601)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
    Caused by: javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]]
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:168)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
        at javax.naming.InitialContext.init(InitialContext.java:242)
        at javax.naming.InitialContext.<init>(InitialContext.java:216)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
        at *internal.code*.LDAPAuthenticator.getAttributeFor(LDAPAuthenticator.java:156)
        at *internal.code*.user.LDAPAuthenticator.access$000(LDAPAuthenticator.java:27)
        at *internal.code*.user.LDAPAuthenticator$1.run(LDAPAuthenticator.java:49)
        ... 27 more
    Caused by: javax.security.sasl.SaslException: Final handshake failed [Caused by GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)]
        at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:328)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:187)
        at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:132)
        ... 42 more
    Caused by: GSSException: Token had invalid integrity check (Mechanism level: Corrupt checksum in Wrap token)
        at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:151)
        at sun.security.jgss.krb5.WrapToken_v2.getData(WrapToken_v2.java:105)
        at sun.security.jgss.krb5.Krb5Context.unwrap(Krb5Context.java:983)
        at sun.security.jgss.GSSContextImpl.unwrap(GSSContextImpl.java:403)
        at com.sun.security.sasl.gsskerb.GssKrb5Client.doFinalHandshake(GssKrb5Client.java:234)
        ... 44 more

Can this setup work with AES128?

If I can't get AES128 to work, is there a way to set the default enctypes through system parameters (rather than using krb5.conf)?

Listen to James: install the unlimited security files. Due to US jurisdiction, the JRE cannot ship with the JARs.
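
An added example, not code from the question or the answer: it checks whether the JCE policy in the running JRE still caps AES key length (the condition the unlimited policy files remove), then writes the three `[libdefaults]` parameters named in the question to a temporary file and points the JVM at it through the `java.security.krb5.conf` system property. The class name and the enctype lists are assumptions for illustration, and the default realm and KDC are assumed to be supplied separately (for example through `java.security.krb5.realm` and `java.security.krb5.kdc`).

```java
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class Krb5EnctypeSetup {

    // Assumption: illustrative lists; use the enctypes your KDC and service
    // accounts actually support. aes256-cts needs a 256-bit AES key, which a
    // JRE with the limited JCE policy refuses; aes128-cts fits the 128-bit cap.
    static String enctypesFor(int maxAesKeyBits) {
        return maxAesKeyBits >= 256
                ? "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
                : "aes128-cts-hmac-sha1-96";
    }

    // The three [libdefaults] parameters named in the question.
    static String libdefaults(String enctypes) {
        return "[libdefaults]\n"
                + "  default_tkt_enctypes = " + enctypes + "\n"
                + "  default_tgs_enctypes = " + enctypes + "\n"
                + "  permitted_enctypes = " + enctypes + "\n";
    }

    public static void main(String[] args) throws Exception {
        // 128 with the limited policy, Integer.MAX_VALUE with the unlimited one.
        int maxBits = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by JCE policy: " + maxBits);

        String conf = libdefaults(enctypesFor(maxBits));
        Path file = Files.createTempFile("krb5-", ".conf");
        Files.write(file, conf.getBytes(StandardCharsets.UTF_8));

        // Must be set before the first Kerberos/GSS-API call in this JVM.
        System.setProperty("java.security.krb5.conf", file.toString());
        // Makes the JDK log the enctypes it requests and receives.
        System.setProperty("sun.security.krb5.debug", "true");
        System.out.print(conf);
    }
}
```

With `sun.security.krb5.debug` enabled, the enctypes logged during the SASL bind show whether the client and the directory server ended up on the same type for the Wrap token.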