Enabling AES256 in the Java Runtime Environment for Single Sign-On

Liz Sanderson

FME Version

  • FME 2015.x

Symptom

When attempting to configure single sign-on (SSO, or Integrated Windows Authentication, IWA), you may not be able to log in automatically, though everything is configured correctly in the FME Server configuration files. You may find the following error in the fmeServer log file after visiting
 Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)

Cause

This is a result of the KDC requiring the encryption type named in the error message (AES256-CTS-HMAC-SHA1-96). The Oracle Java runtime environment (JRE) does not ship with support for this key strength enabled, because its export is regulated by US and international law.

Resolution

Oracle does distribute policy files to enable this type of encryption in the JRE separately. At the time of writing, the download is available from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html, but a search for "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7" will turn up the correct file if the link changes.

FME Server 2016/2017 uses JRE 8, so download the JCE 8 policy files instead:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
or search for "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download".

Once downloaded, the two *.jar files (local_policy.jar and US_export_policy.jar) need to be extracted to <FMEServer>\Utilities\jre\lib\security. Please make a backup of the existing files with the same names.

After restarting FME Server, you should be able to communicate with your authentication server. You may need to follow these steps for the JRE used by your external web application server, if applicable.
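To confirm which policy is actually in place before and after copying the jars, the following script (an added example, not part of FME Server or the JRE) reads the two policy jars in <jre>\lib\security directly and reports the effective AES key limit. It needs only Python, no Java compiler. The two policy texts embedded in it are constructed samples modelled on the grammar of the JCE policy files; the helper names (max_key_bits, effective_max_key_bits, demo_effective_limit) are this example's own.

```python
"""
Inspect a JRE's jurisdiction policy jars to see whether AES-256 is permitted.
Example code added to this article; not part of FME Server or the Oracle JRE.
"""
import io
import math
import re
import sys
import tempfile
import zipfile
from pathlib import Path

# The JCE applies the stricter of these two jars (export policy AND local policy).
POLICY_JARS = ("local_policy.jar", "US_export_policy.jar")

# Constructed samples modelled on the policy grammar found inside the JCE jars.
LIMITED_POLICY = """\
// Constructed sample: the restricted default caps most algorithms at 128 bits.
grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128,
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};
"""

UNLIMITED_POLICY = """\
// Constructed sample: the unlimited-strength file grants everything.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};
"""

_PERM = re.compile(r'javax\.crypto\.CryptoPermission\s+(\*|"([^"]+)")\s*,\s*(\*|\d+)')


def max_key_bits(policy_text: str, algorithm: str = "AES") -> float:
    """Largest key size (bits) the policy grants for `algorithm`.

    Returns math.inf for an unlimited grant (CryptoAllPermission or a '*' size)
    and 0 when nothing in the policy covers the algorithm.
    """
    text = re.sub(r"//[^\n]*", "", policy_text)  # drop // line comments
    if "javax.crypto.CryptoAllPermission" in text:
        return math.inf
    specific, wildcard = 0.0, 0.0
    for m in _PERM.finditer(text):
        name = m.group(2) or "*"
        size = math.inf if m.group(3) == "*" else float(m.group(3))
        if name == "*":
            wildcard = max(wildcard, size)
        elif name.upper() == algorithm.upper():
            specific = max(specific, size)
    # The JCE consults the algorithm-specific grant when one exists and falls
    # back to the '*' grant only when there is none.
    return specific if specific else wildcard


def policy_text_from_jar(jar) -> str:
    """Read the *.policy entry from a policy jar given as a path or raw bytes."""
    if isinstance(jar, (bytes, bytearray)):
        jar = io.BytesIO(jar)
    with zipfile.ZipFile(jar) as zf:
        entries = [n for n in zf.namelist() if n.endswith(".policy")]
        if not entries:
            raise ValueError("no .policy entry found in jar")
        return zf.read(entries[0]).decode("utf-8")


def build_policy_jar(policy_text: str, entry: str = "default_local.policy") -> bytes:
    """Build an in-memory jar holding one policy entry (used for offline testing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry, policy_text)
    return buf.getvalue()


def effective_max_key_bits(security_dir, algorithm: str = "AES") -> float:
    """Effective limit = minimum over both jars, as the JCE intersects them."""
    security_dir = Path(security_dir)
    return min(max_key_bits(policy_text_from_jar(security_dir / name), algorithm)
               for name in POLICY_JARS)


def demo_effective_limit(local_text: str, export_text: str) -> float:
    """Write both sample jars to a temp dir and evaluate the effective limit."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "local_policy.jar").write_bytes(
            build_policy_jar(local_text, "default_local.policy"))
        (Path(tmp) / "US_export_policy.jar").write_bytes(
            build_policy_jar(export_text, "default_US_export.policy"))
        return effective_max_key_bits(tmp)


if __name__ == "__main__":
    # e.g.  python check_jce.py "<FMEServer>\Utilities\jre\lib\security"
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    try:
        limit = effective_max_key_bits(target)
    except FileNotFoundError as exc:
        sys.exit(f"policy jar missing: {exc}")
    verdict = "unlimited" if limit == math.inf else f"{int(limit)} bits"
    print(f"effective AES key limit in {target}: {verdict}")
    print("AES256 for Kerberos: " + ("OK" if limit >= 256
                                     else "NOT enabled; install the JCE policy files"))
```

Run it against the security directory of the JRE that FME Server actually starts (and, where applicable, the JRE of the external web application server) rather than a system-wide Java: the error in the Symptom section comes from whichever JRE loads the policy jars, and a limit of 128 bits reported after the copy usually means the jars went into a different JRE than the one in use.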

Please note that you should verify the legality of enabling this type of encryption in your own country.
