Cross-Platform/Realm Authentication Error Assistance
Grant Cohoe
cohoe at csh.rit.edu
Sun Jan 23 18:18:32 EST 2011
Hello,
My organization is in the process of integrating an Active Directory
server into our current UNIX-based environment for the purposes of
account management and workstation policy.
We currently have an MIT Kerberos KDC with realm EXAMPLE.COM
(replacing my actual realms and domains). We now have the AD domain of
AD.EXAMPLE.COM running on a Windows Server 2008R2 server. Following
the guide here (http://pig.made-it.com/kerberos-trust.html), I have
attempted to set up an outgoing realm trust between EXAMPLE.COM and
AD.EXAMPLE.COM (in that the latter trusts the former for
authentication). I am currently testing with a Windows 7 workstation
that has been joined the the AD domain. Our MIT KDC currently
supports DES-CBC-CRC only (something we are in the process of
changing), so I ran gpedit on the Windows 7 client and added the
appropriate settings according to this TechNet article
(http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx). I
have also specified this policy on the DC. On the AD DC, I set the
"Use Kerberos DES encryption types for this account" flag for my
testing user account.
Using my EXAMPLE.COM credentials and monitoring the network traffic, I
can see the AS and TGS communication between the Windows 7 client and
the MIT KDC and all seems well there. However when the Windows 7
client attempts to communicate with the AD DC (TGS-REQ), I get a
"KRB5KDC_ERR_ETYPE_NOSUPP" error. At first, I thought it was just some
encryption type mismatches. In the TGS-REQ to the AD DC, I can see
multiple encryption types including DES-CBC-CRC, yet something in AD
isn't liking this. As per this document
(http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems), my
suspicions were confirmed that it is indeed an encryption problem, but
I am unsure as to how to go about fixing this on the AD DC. Could
anyone help shed some light on what is happening or provide some ideas
for how to fix this?
Thank you in advance for any help you can provide,
--
Grant Cohoe
System Administrator, Computer Science House
Applied Networking and System Administration
Rochester Institute of Technology
More information about the Kerberos
mailing list