perwendel / spark

A simple expressive web framework for java. Spark has a kotlin DSL https://github.com/perwendel/spark-kotlin
Apache License 2.0

Subject Security Context lost: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96) #1245

Open FlyingSheepOnSailfish opened 2 years ago

FlyingSheepOnSailfish commented 2 years ago

We spent weeks fighting and debugging this error:

"GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES128 CTS mode with HMAC SHA1-96)".

This is an error which can have many causes. Finding the root cause is like searching for a needle in several haystacks. Google brings many hits, but given the many possible causes, rarely the correct one!

We ignite Spark (and thus Jetty) in the security context of a Kerberos Subject, i.e. in a Subject.doAs() structure, and at a later point use a Spark before filter to do Kerberos / SPNEGO authentication of incoming requests. This worked because the filter ran in the security context of the Subject in which Spark was ignited.

However, with an updated version of our application, with many updated 3rd Party jars, inc. Spark and Jetty, we suddenly got the error above.

After debugging the JRE, and much trial-and-error elimination of possible causes, we finally found the smoking gun:

The root cause is a breaking change in Jetty.

I.e. the problem is not a Spark problem, but I post it here as an aid to others using Spark who face the same issue and may search here first.

Our workaround was to put the Subject.doAs() into the Spark before filter, directly around the call to our SPNEGO authentication code.
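The workaround described above, as an added example that is not the reporter's code: the Subject.doAs() is placed inside the Spark before filter, directly around the SPNEGO accept, so the check no longer depends on the Subject that happened to be current when Spark was ignited. The JAAS entry name "ServiceLogin" and the GSS accept sketch are assumptions; a real deployment would also handle SPNEGO continuation tokens.

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import spark.Request;
import spark.Response;
import static spark.Spark.*;

public class SpnegoBeforeFilter {

    // Assumed SPNEGO acceptor: it only works while the service principal's
    // Kerberos credentials are the current Subject, which is what Subject.doAs()
    // in the filter guarantees. Run outside that context, the accept fails with
    // "Cannot find key of appropriate type to decrypt AP REP".
    static String acceptSpnego(Request req, Response res) throws GSSException {
        String header = req.headers("Authorization");
        if (header == null || !header.startsWith("Negotiate ")) {
            res.header("WWW-Authenticate", "Negotiate");
            halt(401);
        }
        byte[] token = Base64.getDecoder().decode(header.substring("Negotiate ".length()));
        // Null credential: use the default credentials of the current Subject.
        GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
        ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            halt(401, "SPNEGO negotiation not completed"); // continuation not handled here
        }
        String principal = ctx.getSrcName().toString();
        ctx.dispose();
        return principal;
    }

    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("ServiceLogin"); // assumed JAAS entry (Krb5LoginModule + keytab)
        lc.login();
        final Subject serviceSubject = lc.getSubject();

        port(8080);
        // Workaround: doAs() inside the filter, around the SPNEGO check itself,
        // rather than around the Spark ignition (Jetty worker threads no longer inherit it).
        before((req, res) -> {
            try {
                String principal = Subject.doAs(serviceSubject,
                        (PrivilegedExceptionAction<String>) () -> acceptSpnego(req, res));
                req.attribute("principal", principal);
            } catch (PrivilegedActionException e) {
                halt(401, "Kerberos authentication failed");
            }
        });
        get("/hello", (req, res) -> "hello " + req.attribute("principal"));
    }
}
```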