RC4-HMAC encryption even when DES has been specified

Pattison, David david.pattison at siemens.com
Wed Feb 2 11:01:04 EST 2005

Hi guys,

I'm having trouble using Kerberos over HTTP on Windows (Win2k client, server
and KDC). I know this is strictly an MIT Kerberos list, but I've also seen
archived posts on Windows AD help, and I really am at my wits end with this.

I am using the jcifs-ext package with Java (testing on 1.4.1, 1.4.2 and
1.5), which does SPNEGO encryption on the tickets to make use of the
Negotiate protocol in IE. Via ethereal on both client and server I have
found the following: The client send the KDC an AS-REQ and gets back a DES
encrypted AS-REP. Then it sends a TGS-REQ, but specifies 7 different
encryption types (5 HMAC, 2 DES). The TGS-REP which is sent back from the
KDC is encrypted in DES-CBC-MD5 but the Ticket inside is in RC4-HMAC format.
The Negotiate header is then formed and sent to the server. Incidentally, it
*is* Kerberos Negotiate data not Negotiate wrapped NTLM data, as it begins
with YIIE0WG... Not the NTLM equivalent. Also, the data spans 2 TCP
messages, could this be a problem? I know that TCP is used when the message
is too big for UDP, but this happens even if I turn "Do Not Require Kerberos
Preauthentication" on in AD on all accounts.

Both client and server user accounts have been set to use DES encryption in
AD, as has the service principal account. All have had their passwords reset
after changing the DES property. The keytab file was created after all of
this with ktpass- specifying DES encryption too, and was placed on the

When I execute the program, the usual Java debug info appears, everything
seems fine: the keytab is found, Etype (which I'm assuming means "this
message will be encrypted using...") is DesCbcCrcEType etc. In Ethereal, the
app fails after an AP-REQ and AP-REP on the Server side, but no errors are
shown on Ethereal. Both messages use DES-CBC-CRC encryption. The resulting
stack trace by Java is caused by a KrbException, saying: "Invalid argument
(400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with
HMAC", and is thrown from sun.security.krb5.KrbApReq.a(DashoA12275:261).

I have no idea where this HMAC encryption is coming from. That said, via the
tools in the MS Resource Kit, I can see the Tickets on the local machines.
There are 2 on each, 1 is for the krbtgt service on the KDC whose Ticket is
encrypted in DES-CBC-MD5 and the Key with "etype 0". The other is called the
same as the opposing machine but has a $ symbol after is, eg KERBEROSSERVER$
on the client. These are encrypted with RSADSI RC4-HMAC for both Ticket and
Key. I have no idea what this latter ticket is for? Was it created by the

My real question is where is all this RC4-HMAC encryption coming from if
there is no trace of it in AD?


More information about the Kerberos mailing list