Using a keytab on a RHEL 8 FIPS-enabled VM fails with: Cannot find any provider supporting AES/CTS/NoPadding

Solution Verified - Updated -

Issue

  • Created a keytab on our Windows DC with the following command:
    ktpass -princ http/ABC.abc.local@abc.local -pass **** -mapuser abc\ABC -crypto all -out win.ktab -kvno 0 -ptype KRB5_NT_PRINCIPAL
  • In the Windows AD, the ABC account is set up with "This account supports Kerberos AES 256 bit encryption" and msDS-SupportedEncryptionTypes is set to 0x10 (AES256_CTS_HMAC_SHA1_96).
    Our RHEL VM has RHEL 8.10 and Java 17 (1:17.0.11.0.9-2.el8) installed, has FIPS enabled, and is joined to the AD domain.
  • When we attempt to use the keytab, the error we receive is: Cannot find any provider supporting AES/CTS/NoPadding.
    When we disable FIPS (fips-mode-setup --disable) and reboot, we are able to successfully use the keytab.

Environment

  • Windows AD
    • keytab on Windows DC
  • OpenJDK
    • 17
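
A diagnostic for the failure described above, as an added example that is not part of the original article or of Red Hat's solution: it lists the JCA providers registered in the running JVM, marks those that advertise an AES cipher with CTS mode, and then requests the transformation named in the error. The class name CtsProviderCheck is hypothetical; run it with the same java binary and security configuration as the failing application.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.util.Locale;
import javax.crypto.Cipher;

public class CtsProviderCheck {
    // Transformation named in the error message on this page.
    static final String TRANSFORMATION = "AES/CTS/NoPadding";

    // True if the provider registers a Cipher service that could satisfy the
    // transformation: either under its full name, or as plain "AES" whose
    // SupportedModes attribute lists CTS.
    static boolean advertisesCts(Provider p) {
        for (Provider.Service s : p.getServices()) {
            if (!"Cipher".equals(s.getType())) {
                continue;
            }
            String alg = s.getAlgorithm();
            if (alg.equalsIgnoreCase(TRANSFORMATION)) {
                return true;
            }
            String modes = s.getAttribute("SupportedModes");
            if (alg.equalsIgnoreCase("AES") && modes != null
                    && modes.toUpperCase(Locale.ROOT).contains("CTS")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // Providers are printed in preference order, as the JVM consults them.
        for (Provider p : Security.getProviders()) {
            System.out.printf("%-28s advertises AES CTS: %s%n", p.getName(), advertisesCts(p));
        }
        try {
            Cipher c = Cipher.getInstance(TRANSFORMATION);
            System.out.println("OK: " + TRANSFORMATION + " served by " + c.getProvider().getName());
        } catch (GeneralSecurityException e) {
            // A NoSuchAlgorithmException here carries the message quoted in the issue.
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

On Java 17 the file can be run directly with `java CtsProviderCheck.java`; comparing the output with FIPS enabled and disabled shows whether the provider list is what changes between the two states.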
