Cross-Platform/Realm Authentication Error Assistance

Grant Cohoe cohoe at
Mon Jan 24 14:21:15 EST 2011

I ran 'ksetup /getenctypeattr EXAMPLE.COM' on the AD DC and it
returned "Enctypes for domain EXAMPLE.COM: DES-CBC-CRC". I set this
earlier with 'ksetup /setenctypeattr EXAMPLE.COM DES-CBC-CRC'. Still
no good. Where in AD might I find the actual trust object? I looked
through ADSI Editor and was unable to locate anything that looked
related to this.


On Mon, Jan 24, 2011 at 12:26 PM, Wilper, Ross A <rwilper at> wrote:
> First, I would strongly suggest that you set the allowed encryption types by GPO, not by setting registry on machines.
> By default, all new external trust relationships created on Windows Server 2008 R2 will use only RC4-HMAC for the cross-realm enctype. You must use ksetup to enable/disable other enctypes (This will update the msDS-SupportedEncryptionTypes attribute on the trust object in AD you feel brave)
> -Ross
> -----Original Message-----
> From: kerberos-bounces at [mailto:kerberos-bounces at] On Behalf Of Grant Cohoe
> Sent: Sunday, January 23, 2011 3:19 PM
> To: kerberos at
> Subject: Cross-Platform/Realm Authentication Error Assistance
> Hello,
> My organization is in the process of integrating an Active Directory
> server into our current UNIX-based environment for the purposes of
> account management and workstation policy.
> We currently have an MIT Kerberos KDC with realm EXAMPLE.COM
> (replacing my actual realms and domains). We now have the AD domain of
> AD.EXAMPLE.COM running on a Windows Server 2008R2 server. Following
> the guide here (, I have
> attempted to set up an outgoing realm trust between EXAMPLE.COM and
> AD.EXAMPLE.COM (in that the latter trusts the former for
> authentication). I am currently testing with a Windows 7 workstation
> that has been joined the the AD domain.  Our MIT KDC currently
> supports DES-CBC-CRC only (something we are in the process of
> changing), so I ran gpedit on the Windows 7 client and added the
> appropriate settings according to this TechNet article
> ( I
> have also specified this policy on the DC. On the AD DC, I set the
> "Use Kerberos DES encryption types for this account" flag for my
> testing user account.
> Using my EXAMPLE.COM credentials and monitoring the network traffic, I
> can see the AS and TGS communication between the Windows 7 client and
> the MIT KDC and all seems well there. However when the Windows 7
> client attempts to communicate with the AD DC (TGS-REQ), I get a
> "KRB5KDC_ERR_ETYPE_NOSUPP" error. At first, I thought it was just some
> encryption type mismatches. In the TGS-REQ to the AD DC, I can see
> multiple encryption types including DES-CBC-CRC, yet something in AD
> isn't liking this. As per this document
> (, my
> suspicions were confirmed that it is indeed an encryption problem, but
> I am unsure as to how to go about fixing this on the AD DC. Could
> anyone help shed some light on what is happening or provide some ideas
> for how to fix this?
> Thank you in advance for any help you can provide,
> --
> Grant Cohoe
> System Administrator, Computer Science House
> Applied Networking and System Administration
> Rochester Institute of Technology
> ________________________________________________
> Kerberos mailing list           Kerberos at

Grant Cohoe

System Administrator, Computer Science House
Applied Networking and System Administration
Rochester Institute of Technology

More information about the Kerberos mailing list