Capsule Cloud SSO Agent cannot authenticate users using AES-256-CTS-HMAC-SHA1-96 algorithm
Symptoms
  • SSO Authentication fails for all users within the configured Active Directory domain.

  • The [SSO Agent Path]/[SSO Agent GUID]/client_messages.log file shows the following error message:
    Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error
    KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
    at sun.security.krb5.internal.crypto.EType.getDefaults(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.build(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
    at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
    at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)

  • The trac.log file under the C:\Program Files (x86)\CheckPoint\Cloud Connector\ directory shows the following messages when users attempt to authenticate via SSO:
    [TR_SRV2CL] TR_SRV2CL::ClientNotificationEvent: Received client notification of type TR_NOTIFICATION_FWCLOUD_RETRY_SSO_AUTH
    [TR_PACKET_STATISTICS] TR_PACKET_STATISTICS::FwcloudOneTimePasswordMgr::AskFWCloudOneTimePasswordCB: entering...
    [TR_PACKET_STATISTICS] TR_PACKET_STATISTICS::FwcloudOneTimePasswordMgr::AskFWCloudOneTimePasswordCB: OTP is NULL - running CB function and returning TrFAIL !!

Cause

The default Java 7 distribution ships with limited-strength cryptography policy files and therefore cannot use stronger encryption algorithms such as AES-256. This does not affect Active Directory environments that use the default encryption strength settings. In environments where the Active Directory Domain Controllers accept only higher-grade encryption for Kerberos authentication, the Java Cryptography Extension (JCE) Unlimited Strength policy files must be installed on the SSO agent machine.

Solution
  1. Stop the SSO agent.

  2. Re-create the keytab file using the ktpass command with the /crypto All argument, so that the keytab contains keys for all supported encryption types (including AES-256-CTS-HMAC-SHA1-96) rather than only the default type.

  3. Download the Java 7 Java Cryptography Extensions (JCE) Unlimited Strength Encryption Jurisdiction Policy Files.

  4. Extract the local_policy.jar and US_export_policy.jar files from the zip archive.

  5. Place these files in the C:\Program Files\Java\jre7\lib\security\ directory on the SSO agent machine.

  6. Start the SSO agent and confirm clients can now obtain SSO registration keys.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
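Before restarting the agent (step 6), it is worth confirming that the keytab re-created in step 2 really contains an AES-256 key, since the "Do not have keys of types listed in default_tkt_enctypes" error is exactly what a keytab with only the default RC4 key produces. The following Python script is an added example, not Check Point's code: it parses a version 0x0502 keytab (the format ktpass writes) and reports which principals lack a required enctype. The realm, SPN and key bytes below are constructed sample data; to check a real file, pass open(path, "rb").read() to parse_keytab instead.

```python
import struct
# Kerberos enctype numbers (RFC 3962, RFC 4757); 18 is the type named in this article.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES256 = 18

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab, the format ktpass writes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                     # negative size marks a deleted entry: skip the hole
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        names, off = [], 2
        for _ in range(ncomp + 1):       # realm first, then the principal name components
            (n,) = struct.unpack(">H", entry[off:off + 2])
            names.append(entry[off + 2:off + 2 + n].decode("utf-8"))
            off += 2 + n
        off += 8                         # uint32 name_type, uint32 timestamp
        kvno = entry[off]                # 8-bit kvno; the optional trailing 32-bit kvno is ignored
        (etype,) = struct.unpack(">H", entry[off + 1:off + 3])  # keyblock: enctype, length, key bytes
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return entries

def missing_enctypes(entries, required=(AES256,)):
    """Map each principal whose keys lack a required enctype to the names of the missing types."""
    have = {}
    for princ, _kvno, etype in entries:
        have.setdefault(princ, set()).add(etype)
    return {p: [ENCTYPE_NAMES.get(e, str(e)) for e in sorted(set(required) - s)]
            for p, s in have.items() if set(required) - s}

def _entry(realm, comps, kvno, etype, key):
    # Build one keytab entry from constructed (not real) key bytes, for the samples below.
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type KRB_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed samples: an RC4-only keytab (ktpass default) and one written with /crypto All.
SPN = ("EXAMPLE.COM", ["HTTP", "sso.example.com"])
RC4_ONLY = b"\x05\x02" + _entry(*SPN, 3, 23, b"\x11" * 16)
ALL_TYPES = RC4_ONLY + _entry(*SPN, 3, 17, b"\x22" * 16) + _entry(*SPN, 3, 18, b"\x33" * 32)
```

missing_enctypes(parse_keytab(RC4_ONLY)) names the principal and the missing aes256-cts-hmac-sha1-96 type, while the same call on ALL_TYPES returns an empty dict, which is the state the agent needs before step 6.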
