KDC has no support for encryption type (14) (Active Directory)
Vikas Gandhi
vgandhi at quark.co.in
Thu Jun 3 01:27:07 EDT 2004
Hi,

I am following the samples given at
http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html

I am getting the following error: KDC has no support for encryption type (14)

OS: Windows 2003
Client OS: Terminal client on Windows 2003. User is Mittest
DS: Active Directory 2003
J2SE: 1.05 beta2
Domain: DOMAIN
Machine name: MACHINENAME.DOMAIN
Test User: mittest

krb5.conf details are:
[libdefaults]
default_realm = QDMS.CO.IN
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
#default_checksum = rsa-md5
dns_lookup_kdc = true
noaddresses = false

>>>KinitOptions cache name is C:\Documents and Settings\mittest.QDMS\krb5cc_mittest
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=mittest@QDMS.CO.IN
server=krbtgt/QDMS.CO.IN@QDMS.CO.IN
authTime=20040602224515Z
startTime=20040602224515Z
endTime=20040603084515Z
renewTill=20040609224515Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 0
Found a principal
mittest@QDMS.CO.IN
comes in performJndiOperation
Found ticket for mittest@QDMS.CO.IN to go to krbtgt/QDMS.CO.IN@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30 2004
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for mittest@QDMS.CO.IN to go to krbtgt/QDMS.CO.IN@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30 2004
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 16.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.NullEType
>>> KrbKdcReq send: kdc=beetle.qdms.co.in UDP:88, timeout=30000, number of retries =3, #bytes=1236
>>> KDCCommunication: kdc=beetle.qdms.co.in UDP:88, timeout=30000,Attempt =1, #bytes=1236
>>> KrbKdcReq send: #bytes read=97
>>> KrbKdcReq send: #bytes read=97
>>> KDCRep: init() encoding tag is 126 req type is 13
KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
>>>KRBError:
sTime is Thu Jun 03 10:36:31 GMT+05:30 2004 1086239191000
suSec is 348275
error code is 14
error Message is KDC has no support for encryption type
realm is QDMS.CO.IN
sname is ldap/beetle.qdms.co.in
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
... 27 more
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 19 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 22 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
... 27 more

FYI:
I tried to replace default_tkt_enctypes with des-cbc-crc:normal and
tried with des-cbc-md5, but no result at all.

--Vikas