KDC has no support for encryption type (14) (Active Directory)

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Jun 3 09:24:49 EDT 2004


When using Java you must turn on DES encryption type support
for the principals being used by Java clients or Java servers.

The encryption type being requested is not 14, it is 1.
Encryption type one is DES-CBC-CRC.  This is what you have
specified in your krb5.conf file.

As a note to all readers, it is strongly advised that you
not use the default_tkt_enctypes or default_tgs_enctypes
libdefaults in the krb5.conf.  Specifying arbitrary restrictions
on the client via the krb5.conf file will make interop
exceedingly difficult.  The KDC will choose the best key type
available based upon its knowledge of the client and the
service.  Knowledge of the client's supported enctypes will
be determined by examining the TGS_REQ.  Knowledge of the
service's supported enctypes is determined by looking at
the enctypes for which keys were generated in the Kerberos
database.

Jeffrey Altman



Vikas Gandhi wrote:
> Hi 
> 
> I am following samples given at 
> http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
> I am getting following error KDC has no support for encryption type
> (14)
> 
> OS : 		Windows 2003
> Client OS : 	Terminal client on Windows 2003 User is Mittest
> DS: 		Active Directory 2003
> J2SE: 		1.05 beta2
> Domain: 	DOMAIN
> Machine name: 	MACHINENAME.DOMAIN 
> Test User: 	mittest
> 
> krb5.conf details are
> [libdefaults]		
> 	default_realm = QDMS.CO.IN	
> 	default_tkt_enctypes = des-cbc-crc 
> 	default_tgs_enctypes = des-cbc-crc
> 	#default_checksum = rsa-md5
> 	dns_lookup_kdc = true	
> 	noaddresses = false
> 
> 
> 
> >>> KinitOptions cache name is C:\Documents and Settings\mittest.QDMS\krb5cc_mittest
> 
> >>> Acquire default native Credentials
> >>> Obtained TGT from LSA: Credentials:
> client=mittest@QDMS.CO.IN
> server=krbtgt/QDMS.CO.IN@QDMS.CO.IN
> authTime=20040602224515Z
> startTime=20040602224515Z
> endTime=20040603084515Z
> renewTill=20040609224515Z
> flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
> EType (int): 0
> 
> Found a principal
> mittest@QDMS.CO.IN
> comes in performJndiOperation
> Found ticket for mittest@QDMS.CO.IN to go to krbtgt/QDMS.CO.IN@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30 2004
> Entered Krb5Context.initSecContext with state=STATE_NEW
> Found ticket for mittest@QDMS.CO.IN to go to krbtgt/QDMS.CO.IN@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30 2004
> Service ticket not found in the subject
> 
> >>> Credentials acquireServiceCreds: same realm
> Using builtin default etypes for default_tgs_enctypes
> default etypes for default_tgs_enctypes: 3 1 16.
> 
> >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
> >>> EType: sun.security.krb5.internal.crypto.NullEType
> >>> KrbKdcReq send: kdc=beetle.qdms.co.in UDP:88, timeout=30000, number of retries =3, #bytes=1236
> >>> KDCCommunication: kdc=beetle.qdms.co.in UDP:88, timeout=30000,Attempt =1, #bytes=1236
> >>> KrbKdcReq send: #bytes read=97
> >>> KrbKdcReq send: #bytes read=97
> >>> KDCRep: init() encoding tag is 126 req type is 13
> 
> KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.ah.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> 	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
> 	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> 	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> 	at javax.naming.InitialContext.init(Unknown Source)
> 	at javax.naming.InitialContext.<init>(Unknown Source)
> 	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
> 	at JndiAction.performJndiOperation(GssExample.java:178)
> 	at JndiAction.run(GssExample.java:141)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Unknown Source)
> 	at GssExample.main(GssExample.java:124)
> 
> >>> KRBError:
> 	 sTime is Thu Jun 03 10:36:31 GMT+05:30 2004 1086239191000
> 	 suSec is 348275
> 	 error code is 14
> 	 error Message is KDC has no support for encryption type
> 	 realm is QDMS.CO.IN
> 	 sname is ldap/beetle.qdms.co.in
> KrbException: KDC has no support for encryption type (14)
> 	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> 	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
> 	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> 	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> 	at javax.naming.InitialContext.init(Unknown Source)
> 	at javax.naming.InitialContext.<init>(Unknown Source)
> 	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
> 	at JndiAction.performJndiOperation(GssExample.java:178)
> 	at JndiAction.run(GssExample.java:141)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Unknown Source)
> 	at GssExample.main(GssExample.java:124)
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.ah.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.<init>(Unknown Source)
> 	... 27 more
> javax.naming.AuthenticationException: GSSAPI [Root exception is
> javax.security.sasl.SaslException: GSS initiate failed [Caused by
> GSSException: No valid credentials provided (Mechanism level: KDC has
> no support for encryption type (14))]]
> 	at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> 	at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
> 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
> 	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> 	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> 	at javax.naming.InitialContext.init(Unknown Source)
> 	at javax.naming.InitialContext.<init>(Unknown Source)
> 	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
> 	at JndiAction.performJndiOperation(GssExample.java:178)
> 	at JndiAction.run(GssExample.java:141)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Unknown Source)
> 	at GssExample.main(GssExample.java:124)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed
> [Caused by GSSException: No valid credentials provided (Mechanism
> level: KDC has no support for encryption type (14))]
> 	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> 	... 18 more
> Caused by: GSSException: No valid credentials provided (Mechanism
> level: KDC has no support for encryption type (14))
> 	at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> 	... 19 more
> Caused by: KrbException: KDC has no support for encryption type (14)
> 	at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> 	at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.internal.a1.a(Unknown Source)
> 	at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> 	... 22 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> 	at sun.security.krb5.internal.ah.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.a(Unknown Source)
> 	at sun.security.krb5.internal.ag.<init>(Unknown Source)
> 	... 27 more
> 
> FYI: 
> I tried to replace default_tkt_enctypes with des-cbc-crc:normal and
> tried with des-cbc-md5 but no result at all
> --Vikas

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
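As an added illustration (not code from this thread, from MIT Kerberos or from Java's Kerberos implementation), the following Python script reads the Java krb5 debug output quoted above, separates the KDC error code 14 (KDC_ERR_ETYPE_NOSUPP, which is what the "(14)" in the Java message refers to) from the enctypes the client actually offered in its TGS_REQ, and states the key mismatch that the reply describes. The function names, the regular expressions and the advice strings are the example's own assumptions about the log format.

```python
import re

# Enctype numbers (RFC 3961/4120) and the KDC error code seen in the log; only what is needed here.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ENCTYPES = {1, 2, 3}
KDC_ERR_ETYPE_NOSUPP = 14  # the "(14)" in the Java message is this error code, not an enctype


def parse_krb5_debug(log):
    """Pull the offered TGS enctypes and the KRBError fields out of Java krb5 debug output."""
    info = {"requested_etypes": [], "error_code": None, "sname": None}
    m = re.search(r"default etypes for default_tgs_enctypes:\s*([\d ]+)\.", log)
    if m:
        info["requested_etypes"] = [int(x) for x in m.group(1).split()]
    m = re.search(r"error code is (\d+)", log)
    if m:
        info["error_code"] = int(m.group(1))
    m = re.search(r"sname is (\S+)", log)
    if m:
        info["sname"] = m.group(1)
    return info


def diagnose(info):
    """Explain a KDC_ERR_ETYPE_NOSUPP reply in terms of what the client offered in its TGS_REQ."""
    if info["error_code"] != KDC_ERR_ETYPE_NOSUPP:
        return "no enctype-negotiation failure found"
    etypes = info["requested_etypes"]
    names = ", ".join(ENCTYPES.get(e, f"etype {e}") for e in etypes)
    msg = (f"KDC_ERR_ETYPE_NOSUPP (14): the KDC holds no key for {info['sname']} "
           f"in any enctype the client offered ({names})")
    if etypes and set(etypes) <= DES_ENCTYPES:
        msg += ("; the client is restricted to DES, so check default_tkt_enctypes and "
                "default_tgs_enctypes in krb5.conf")
    else:
        msg += ("; give the service principal a key in one of the offered enctypes "
                "(for this thread: enable DES on the account) or drop the krb5.conf restrictions")
    return msg


# Excerpt of the debug output quoted in the thread, embedded here as the sample input.
SAMPLE_LOG = """\
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 16.
>>> KRBError:
\t error code is 14
\t error Message is KDC has no support for encryption type
\t realm is QDMS.CO.IN
\t sname is ldap/beetle.qdms.co.in
"""
```

Calling diagnose(parse_krb5_debug(SAMPLE_LOG)) returns the explanation for the log above; feeding it a log whose offered enctypes are all DES instead points at the krb5.conf restrictions.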

