Cross-Platform/Realm Authentication Error Assistance
Grant Cohoe
cohoe at csh.rit.edu
Mon Jan 24 14:21:15 EST 2011
I ran 'ksetup /getenctypeattr EXAMPLE.COM' on the AD DC and it
returned "Enctypes for domain EXAMPLE.COM: DES-CBC-CRC". I set this
earlier with 'ksetup /setenctypeattr EXAMPLE.COM DES-CBC-CRC'. Still
no good. Where in AD might I find the actual trust object? I looked
through ADSI Editor and was unable to locate anything that looked
related to this.
Thanks!
On Mon, Jan 24, 2011 at 12:26 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:
> First, I would strongly suggest that you set the allowed encryption types by GPO, not by setting registry on machines.
>
> By default, all new external trust relationships created on Windows Server 2008 R2 will use only RC4-HMAC for the cross-realm enctype. You must use ksetup to enable/disable other enctypes (This will update the msDS-SupportedEncryptionTypes attribute on the trust object in AD you feel brave)
>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Grant Cohoe
> Sent: Sunday, January 23, 2011 3:19 PM
> To: kerberos at mit.edu
> Subject: Cross-Platform/Realm Authentication Error Assistance
>
> Hello,
>
> My organization is in the process of integrating an Active Directory
> server into our current UNIX-based environment for the purposes of
> account management and workstation policy.
>
> We currently have an MIT Kerberos KDC with realm EXAMPLE.COM
> (replacing my actual realms and domains). We now have the AD domain of
> AD.EXAMPLE.COM running on a Windows Server 2008R2 server. Following
> the guide here (http://pig.made-it.com/kerberos-trust.html), I have
> attempted to set up an outgoing realm trust between EXAMPLE.COM and
> AD.EXAMPLE.COM (in that the latter trusts the former for
> authentication). I am currently testing with a Windows 7 workstation
> that has been joined the the AD domain. Our MIT KDC currently
> supports DES-CBC-CRC only (something we are in the process of
> changing), so I ran gpedit on the Windows 7 client and added the
> appropriate settings according to this TechNet article
> (http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx). I
> have also specified this policy on the DC. On the AD DC, I set the
> "Use Kerberos DES encryption types for this account" flag for my
> testing user account.
>
> Using my EXAMPLE.COM credentials and monitoring the network traffic, I
> can see the AS and TGS communication between the Windows 7 client and
> the MIT KDC and all seems well there. However when the Windows 7
> client attempts to communicate with the AD DC (TGS-REQ), I get a
> "KRB5KDC_ERR_ETYPE_NOSUPP" error. At first, I thought it was just some
> encryption type mismatches. In the TGS-REQ to the AD DC, I can see
> multiple encryption types including DES-CBC-CRC, yet something in AD
> isn't liking this. As per this document
> (http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems), my
> suspicions were confirmed that it is indeed an encryption problem, but
> I am unsure as to how to go about fixing this on the AD DC. Could
> anyone help shed some light on what is happening or provide some ideas
> for how to fix this?
>
> Thank you in advance for any help you can provide,
> --
> Grant Cohoe
>
> System Administrator, Computer Science House
> Applied Networking and System Administration
> Rochester Institute of Technology
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
Grant Cohoe
System Administrator, Computer Science House
Applied Networking and System Administration
Rochester Institute of Technology
More information about the Kerberos
mailing list