kinit request on keytab fails using 2K3sp1 KDC

Douglas E. Engert deengert at
Thu Mar 23 13:36:07 EST 2006

David Telfer wrote:

> Jeffrey Altman wrote:
>>Why do you need the kvno to be 1?  
> It wasn't so much that they needed to match, more to tidy up the situation I had on the KDC.
>>For example, what is the enctype of the service ticket issued by the
>>KDC?  Does that match the enctype of the keytab entry you are using?
>>What do the following commands output?
>>  klist -e -k /etc/krb5.keytab
>>  kvno HTTP/ at SMG.PLC.UK
>>  klist -e
> This appears to be the problem, the keytab is being generated with DES 
> CBD MD5, the service principal is sending an ArcFour encrypted tgt.
> The reason this never occured to me is that the user account has the 
> 'use DES encryption for this account' setting ticked.  I have tried the 
> following process to force the service principal to be DES;
> 1 - create account
> 2 - run ktpass util with -mapop set +DesOnly  and -crypto DES-CBC-MD5 
> options set.
> 3 - view account properites and ensure that 'use DES encryption for this 
> account' is checked
> 4 - change password of account (with the intention of forcing the DES 
> change from the ktpass step above)
> 5 - re-run identical ktpass line and use this as the final keytab
> Even with these steps, the encryption type of the ServicePrincipal tgt 
> stays as ArcFour.
> Unfortunately I am not the AD administrator, I have access to an admin 
> member of staff who has been applying the changes for me. 

They could look at the userAccountControl field of the account which shows
an an integer. Convert it to hex and look for the DesOnly bit0x200000

You as a user might be able to see this as well using ldap or one of the
Windows tools.

> Due to this I 
> cannot be sure of every setting their kdc controller has.  Specifically 
> I would be keen to find out whether there is a global setting which 
> forces all user and service principals to be created as ArcFour.  Has 
> anyone experienced somehing like this, or do they know of a way to hard 
> force the enc type of the service principal.

See the USE_DES_KEY_ONLY bit from above.

>>If the enctypes and output of those commands match, then you must
>>double check that the browser client is obtaining service tickets
>>with the name HTTP/ at SMG.PLC.UK and that the
>>enctype of that ticket matches the contents of the keytab entry.
> I haven't got to the stage of attempting to use mod_auth_kerb yet.  I am 
> still trying to get past the `#./kinit -k -t /etc/krb5.keytab 
> HTTP/ at SMG.PLC.UK` stage.  I may look into the 
> potential for using ArcFour for both the keytab and ServicePrincipal but 
> I'm sure this will open another can of worms as well.
> Thanks,
> David
> ________________________________________________
> Kerberos mailing list           Kerberos at


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list