After upgrading the project to Java 17, the application cannot connect to Microsoft SQL Server with Kerberos authentication

Kent010341 231 Reputation points
2023-05-11T04:22:40.7766667+00:00

Previously, we ran our application on Java 11 and used Kerberos authentication to connect to Microsoft SQL Server, and everything worked fine. However, after we upgraded to Java 17 for security reasons, Kerberos authentication fails.

The SQL Server and AD settings are the same as in the question asked before, and the user used to log in has "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" enabled.

I use Spring Initializr to create two POC projects, one is Spring Boot 2.7.5 with Java 11 (pom.xml, GitHub repo), and the other one is Spring Boot 3.0.6 with Java 17 (pom.xml, GitHub repo).

The application.xml is very simple: link (domain and account manually changed to hide private info)

JDK version:

  • 11: Oracle JDK 11.0.15
  • 17: Oracle JDK 17.0.3.1

On Java 11 everything works fine. However, on Java 17 the following exception is thrown:

2023-05-11T11:23:15.151+08:00  INFO 55672 --- [           main] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
2023-05-11T11:23:45.730+08:00 ERROR 55672 --- [           main] com.zaxxer.hikari.pool.HikariPool        : HikariPool-1 - Exception during pool initialization.

com.microsoft.sqlserver.jdbc.SQLServerException: Integrated authentication failed. ClientConnectionId:eb219e14-2fd1-4f8c-84aa-ef5b0de368fd
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:3937) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.KerbAuthentication.initAuthHandShake(KerbAuthentication.java:184) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.KerbAuthentication.generateClientContext(KerbAuthentication.java:215) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.sendLogon(SQLServerConnection.java:6221) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.logon(SQLServerConnection.java:5068) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection$LogonCommand.doExecute(SQLServerConnection.java:5002) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:7685) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand(SQLServerConnection.java:4048) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3487) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3077) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2919) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1787) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1229) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        at com.zaxxer.hikari.util.DriverDataSource.getConnection(DriverDataSource.java:138) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.pool.PoolBase.newConnection(PoolBase.java:359) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.pool.PoolBase.newPoolEntry(PoolBase.java:201) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.pool.HikariPool.createPoolEntry(HikariPool.java:470) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.pool.HikariPool.checkFailFast(HikariPool.java:561) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.pool.HikariPool.<init>(HikariPool.java:100) ~[HikariCP-5.0.1.jar:na]
        at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:112) ~[HikariCP-5.0.1.jar:na]
        at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator$ConnectionProviderJdbcConnectionAccess.obtainConnection(JdbcEnvironmentInitiator.java:284) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:177) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.engine.jdbc.env.internal.JdbcEnvironmentInitiator.initiateService(JdbcEnvironmentInitiator.java:36) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.boot.registry.internal.StandardServiceRegistryImpl.initiateService(StandardServiceRegistryImpl.java:119) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.createService(AbstractServiceRegistryImpl.java:255) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.initializeService(AbstractServiceRegistryImpl.java:230) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.service.internal.AbstractServiceRegistryImpl.getService(AbstractServiceRegistryImpl.java:207) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.boot.model.relational.Database.<init>(Database.java:44) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.getDatabase(InFlightMetadataCollectorImpl.java:218) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.boot.internal.InFlightMetadataCollectorImpl.<init>(InFlightMetadataCollectorImpl.java:191) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.boot.model.process.spi.MetadataBuildingProcess.complete(MetadataBuildingProcess.java:138) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.metadata(EntityManagerFactoryBuilderImpl.java:1348) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.hibernate.jpa.boot.internal.EntityManagerFactoryBuilderImpl.build(EntityManagerFactoryBuilderImpl.java:1419) ~[hibernate-core-6.1.7.Final.jar:6.1.7.Final]
        at org.springframework.orm.jpa.vendor.SpringHibernateJpaPersistenceProvider.createContainerEntityManagerFactory(SpringHibernateJpaPersistenceProvider.java:66) ~[spring-orm-6.0.8.jar:6.0.8]
        at org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean.createNativeEntityManagerFactory(LocalContainerEntityManagerFactoryBean.java:376) ~[spring-orm-6.0.8.jar:6.0.8]
        at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.buildNativeEntityManagerFactory(AbstractEntityManagerFactoryBean.java:409) ~[spring-orm-6.0.8.jar:6.0.8]
        at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.afterPropertiesSet(AbstractEntityManagerFactoryBean.java:396) ~[spring-orm-6.0.8.jar:6.0.8]
        at org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean.afterPropertiesSet(LocalContainerEntityManagerFactoryBean.java:352) ~[spring-orm-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1816) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1766) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:598) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:520) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:326) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:324) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:200) ~[spring-beans-6.0.8.jar:6.0.8]
        at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1132) ~[spring-context-6.0.8.jar:6.0.8]
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:907) ~[spring-context-6.0.8.jar:6.0.8]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:584) ~[spring-context-6.0.8.jar:6.0.8]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732) ~[spring-boot-3.0.6.jar:3.0.6]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434) ~[spring-boot-3.0.6.jar:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:310) ~[spring-boot-3.0.6.jar:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1304) ~[spring-boot-3.0.6.jar:3.0.6]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1293) ~[spring-boot-3.0.6.jar:3.0.6]
        at com.example.demojpa.DemoJpaApplication.main(DemoJpaApplication.java:10) ~[classes/:na]
Caused by: org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
        at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:778) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:266) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196) ~[java.security.jgss:na]
        at com.microsoft.sqlserver.jdbc.KerbAuthentication.initAuthHandShake(KerbAuthentication.java:164) ~[mssql-jdbc-12.2.0.jre11.jar:na]
        ... 54 common frames omitted
Caused by: sun.security.krb5.KrbException: KDC has no support for encryption type (14)
        at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:69) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:224) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:235) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:477) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:493) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:700) ~[java.security.jgss:na]
        ... 57 common frames omitted
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
        at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) ~[java.security.jgss:na]
        at java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:54) ~[java.security.jgss:na]
        ... 65 common frames omitted

2023-05-11T11:23:45.827+08:00  INFO 55672 --- [           main] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
2023-05-11T11:23:45.850+08:00  INFO 55672 --- [           main] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 6.1.7.Final

I also tried removing the username and password from application.xml and running kinit before starting the application. The result is the same: Java 11 passes, and Java 17 throws the exception above.

I searched for what has changed in Java 17, and found that this link says 3DES and RC4 have been deprecated in Kerberos in Java 17.

Also, I found that this link shows a list of supported encryption types, and the "14" in the exception corresponds to "DES_CBC_MD5, RC4, AES 128", which contains the deprecated RC4. I guess that is the reason this error happened.

Does anyone know how to solve this problem?

Thanks.


Accepted answer
  1. chiayi 75 Reputation points
    2023-05-17T07:50:25.8033333+00:00

    According to this article, by default it will use RC4 if the user used as the service account doesn't have the msDS-SupportedEncryptionTypes attribute.

    And also, the second answer of this says that "'This account supports Kerberos AES 128 bit encryption' and 'This account supports Kerberos AES 256 bit encryption' for the principal service account" fixes this problem.
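    The following is an added example, not code from the question or either answer. It decodes an msDS-SupportedEncryptionTypes value with the documented flag bits, treats a missing or zero attribute as RC4-only (the default the accepted answer describes), and checks whether such an account still shares an encryption type with a Java 17 client whose defaults are assumed, per the question's link, to be AES only with RC4 and 3DES removed. The sample attribute values are constructed; no directory access is needed.

```python
"""Decode msDS-SupportedEncryptionTypes and check client/KDC etype overlap.

Added example; not part of the question, the answers, or the JDK/AD code.
Flag bits are the documented msDS-SupportedEncryptionTypes values. The
client lists are assumptions: Java 11 defaults still offered RC4, Java 17
defaults are AES only (3DES and RC4 removed, as the question's link says).
"""

ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Assumed client default etype sets (see module docstring).
JAVA11_CLIENT = {"AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96", "RC4_HMAC"}
JAVA17_CLIENT = {"AES256_CTS_HMAC_SHA1_96", "AES128_CTS_HMAC_SHA1_96"}


def decode_supported_etypes(value):
    """Set of etype names for an msDS-SupportedEncryptionTypes value.

    A missing (None) or zero attribute makes the KDC fall back to RC4 only,
    which is the default behaviour the accepted answer points at.
    """
    if not value:
        return {"RC4_HMAC"}
    return {name for bit, name in ETYPE_BITS.items() if value & bit}


def negotiable_etypes(account_value, client_etypes):
    """Etypes both sides accept; an empty set is the KDC_ERR_ETYPE_NOSUPP case."""
    return decode_supported_etypes(account_value) & set(client_etypes)


def aes_enabled_value(account_value):
    """Attribute value after ticking both 'supports Kerberos AES' boxes (the fix)."""
    return (account_value or 0) | 0x08 | 0x10


if __name__ == "__main__":
    # Constructed sample values: attribute absent, and the bitmask 14 from the question.
    for label, value in [("attribute absent", None), ("value 14", 14)]:
        ok17 = bool(negotiable_etypes(value, JAVA17_CLIENT))
        print(label, sorted(decode_supported_etypes(value)),
              "Java 17 OK" if ok17 else "Java 17 fails",
              "after fix:", sorted(decode_supported_etypes(aes_enabled_value(value))))
```

    Note that Kerberos error code 14 is KDC_ERR_ETYPE_NOSUPP, so the "(14)" in the Java exception is the KDC's error code rather than the account's attribute value; run the decoder on the value actually read from the account in AD.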


1 additional answer

Sort by: Most helpful
  1. Olaf Helper 47,436 Reputation points
    2023-05-11T06:54:42.62+00:00

    after we upgrade to Java 17 due to some security reasons

    The only thing you changed is the Java version; so why do you think it's a SQL Server and not Java/JDBC related issue?

    Have you also installed the latest JDBC version?

