KDC has no support for encryption type (14) After Set DES Account
david.turing
openssl at 21cn.com
Thu Nov 10 20:17:32 EST 2005
Hah, I know what happens: the IE version.
I passed the SSO test on XP SP1, W2K Professional with IE5 (with SP4),
but not on IE6 with SP4.
----- Original Message -----
From: "david.turing" <openssl at 21cn.com>
To: "Douglas E. Engert" <deengert at anl.gov>
Cc: <kerberos at mit.edu>
Sent: Thursday, November 10, 2005 12:05 PM
Subject: KDC has no support for encryption type (14) After Set DES Account
> Hi, I have been dealing with this problem for a long time and got no response in the BEA forum.
> I feel very exhausted checking MIT's Kerberos mailing list and the Sun
> security forum.
> The problem is "KDC has no support for encryption type (14)" when I am
> doing SSO between the MS domain and WebLogic.
>
> I have set the account to use the DES encryption type for the host, but
> nothing changed.
>
> My steps are as below:
> 1)
> First, I generated the DES encryption type user account for the WebLogic
> server, namely "weblogic", on Windows AD.
>
>
> 2)
> then I generated the keytab using W2K's ktpass on the AD server:
> c:\>ktpass -princ HTTP/weblogic.dlsvr.com@DLSVR.COM -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
>
> and it turned out to be successful.
>
> c:\>ktab -k dlsvr_keytab -a HTTP/weblogic@DLSVR.COM
>
> and I placed the dlsvr_keytab on the WebLogic server [weblogic].
> I used kinit to check the keytab:
> kinit -k -t dlsvr_keytab HTTP/weblogic@DLSVR.COM
>
> The output is: New ticket is stored in cache file C:\Documents and Setting ........
>
> 3) I modified the KDC config file in c:\winnt
>
> My W2KSP4 KDC Config is:
> c:\winnt\krb5.ini-----------------------------
>
> [libdefaults]
>
> default_realm = DLSVR.COM
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> ticket_lifetime = 600
>
> [realms]
>
> DLSVR.COM = {
> kdc = 192.168.2.231
> admin_server = dlserver
> default_domain = DLSVR.COM
> }
>
> [domain_realm]
> .dlsvr.com= DLSVR.COM
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
>
> The log shown in WebLogic told me that the KDC has no support for
> encryption type (14).
> I tried to modify the registry entry as Sun mentions in JGSS, changing
> allowtgtsessionkey, which is located in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> I set allowtgtsessionkey=1, but it did not help to prevent the "KDC has no
> support for encryption type (14)" error.
>
> The Log in weblogic is as below:
> ------------------------------------
>
> <2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
> >>> KeyTab: load() entry length: 50
> >>> KeyTabInputStream, readName(): DLSVR.COM
> >>> KeyTabInputStream, readName(): host
> >>> KeyTabInputStream, readName(): weblogic
> >>> KeyTab: load() entry length: 44
> >>> KeyTabInputStream, readName(): dlsvr.com
> >>> KeyTabInputStream, readName(): weblogic
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>>crc32: e9889c7a
> >>>crc32: 11101001100010001001110001111010
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbAsReq etypes are: 1
> >>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
> >>> KrbKdcReq send: #bytes read=1217
> >>> KrbKdcReq send: #bytes read=1217
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>>crc32: 54c176ae
> >>>crc32: 1010100110000010111011010101110
> >>> KrbAsRep cons in KrbAsReq.getReply host/weblogic
> Found key for host/weblogic@DLSVR.COM
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> <2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
> GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
> at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
> at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
> at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
> at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
> at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
> at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
> at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
> at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
> at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
> at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
> at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
>
> Any help or advice would be highly appreciated!
>
> david.turing
>
>
>
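Added example, not part of the original post: a small Python parser for the MIT keytab file format (version 0x0502) that lists the principal, key version and enctype of every entry, so the keys a server actually loads can be compared with the enctypes allowed in krb5.ini. The sample keytab is constructed (dummy all-zero keys, made-up kvno) to reproduce the two entry lengths, 50 and 44, seen in the JGSS debug log; `parse_keytab`, `usable_entries` and `_entry` are names chosen for this example.

```python
import struct

# RFC 4120: the number 14 is the error code KDC_ERR_ETYPE_NOSUPP, not an enctype.
# Kerberos enctype numbers (IANA registry); 1 and 3 are single DES.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype_number, entry_length)] for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        p, off = off + 4, off + 4 + abs(size)   # off now points past this entry
        if size <= 0:                           # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        kvno, etype = struct.unpack_from(">BH", data, p + 8)  # skip name type, timestamp
        _key, p = _counted(data, p + 11)
        if off - p >= 4:                        # optional 32-bit kvno overrides 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype, size))
    return entries

def usable_entries(entries, principal, allowed):
    """Names of enctypes held for `principal` that are also in `allowed`."""
    return [ETYPES.get(e, str(e)) for n, _, e, _ in entries
            if n == principal and ETYPES.get(e) in allowed]

def _entry(realm, comps, kvno, etype, key):     # builds constructed sample data only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + s(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: names taken from the log above, dummy all-zero DES keys.
SAMPLE = (b"\x05\x02" + _entry(b"DLSVR.COM", [b"host", b"weblogic"], 3, 1, bytes(8))
          + _entry(b"dlsvr.com", [b"weblogic"], 3, 1, bytes(8)))
```

Calling `usable_entries(parse_keytab(SAMPLE), principal, {"des-cbc-crc"})` with the set of enctypes from `default_tkt_enctypes` shows whether the keytab holds a matching key for the exact principal name the acceptor will look up.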