Is Windows server 2008+KDC not interoperable with Java, Solaris and UNIX or MIT kerberos?

Michael B Allen ioplex at gmail.com
Thu Jul 28 16:02:06 EDT 2011


On Thu, Jul 28, 2011 at 2:22 PM, Sabharanjak, Ravi
<Ravi.Sabharanjak at blackrock.com> wrote:
> Hello all,
>
> I am not able to get a ticket from a server 2008 or a server 2008 R2 KDC from a Java, Solaris or Linux client unless I constrain the client to use RC4-HMAC for the encryption types. (Have tried this using kfw-3-2-2 on Windows as well). Is server2008+ not interoperable with these Kerberos implementations?
>
> A brief background - if the domain is not in server 2008+ functionality mode (i.e. there are 2003 or older domain controllers in the environment), server 2008+ does not enable support for AES encryption (unless the client is a vista+ client that has updated the msDS-SupportedEncryptionTypes attribute in its user object). Server 2008+ also does not enable support for DES by default.
>
> In the network traces, I can see clients proposing to use DES, RC4-HMAC and AES for the AS-REQ if they are not configured to be limited to using RC4-HMAC. I am expecting the client and the KDC to settle on the use of RC4-HMAC, however the KDC replies with KRB5KDC_ERR_ETYPE_NOSUPP.
>
> I don't want to constrain the clients to use just RC4-HMAC, as I want them to switch to AES automatically when the domain functional level is upgraded and AES support becomes available on the DC.
>
> The Java version is the latest off Java.com. The linux and Solaris versions are fairly current.
>
> Wireshark traces attached. Any help you can provide or insights into why this is not working out would be greatly appreciated.

Hi Ravi,

I think you probably need to do something like:

  permitted_enctypes = aes128-cts rc4-hmac

[But I just typed this in from memory, double check at your end what
the right parameter values are.]

It sounds like Windows does not like clients even offering to do DES
maybe. I agree that the Windows KDC should probably just ignore DES
but maybe that's Windows' way of disabling DES at the front door as a
precaution in the case where old accounts still have DES keys lying
around. Java shouldn't even be trying DES anymore. Make sure you're
not using an old Java. But I would not be surprised if Java is still
trying to do DES. The Java Kerberos implementation is not particularly
good and it has had a sorry history.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
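The configuration Mike sketches from memory, written out as an added example (this is not code from either poster). It produces a constructed krb5.conf whose [libdefaults] offers the AES enctypes first and rc4-hmac as the fallback, and leaves every DES and 3DES enctype out so the AS-REQ never carries an etype the 2008 KDC rejects; the realm name, KDC hostname and the output path are placeholders. The three keys (default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes) are the real MIT krb5 names; Java reads the same file when pointed at it with -Djava.security.krb5.conf. The check_no_des function audits an existing krb5.conf for DES-family enctypes, which is the condition the thread identifies as triggering KRB5KDC_ERR_ETYPE_NOSUPP.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Writes a constructed krb5.conf that offers AES then RC4-HMAC (no DES/3DES),
# and audits a krb5.conf for DES-family enctypes in the client-side lists.

KRB5_CONF="${KRB5_CONF:-/tmp/krb5.conf.example}"   # assumed output path

# Write the constructed config. Realm and KDC names are placeholders.
write_krb5_conf() {   # $1 = destination file
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # AES first so the client moves to AES on its own once the domain
    # functional level is raised; rc4-hmac stays as the fallback; no DES.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    allow_weak_crypto = false

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
EOF
}

# Print the value of one [libdefaults] key (first occurrence only).
enctypes_for() {   # $1 = file, $2 = key name
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when none of the three client-side lists names a DES enctype
# (des-cbc-*, the "des" family alias, or des3-*, which the Windows KDC
# does not support either); return 1 and name the offending key otherwise.
check_no_des() {   # $1 = file
  rc=0
  for key in default_tkt_enctypes default_tgs_enctypes permitted_enctypes; do
    list=$(enctypes_for "$1" "$key")
    case " $list " in
      *" des-"*|*" des "*|*" des3"*) echo "$key offers DES: $list"; rc=1 ;;
    esac
  done
  return $rc
}

write_krb5_conf "$KRB5_CONF"
check_no_des "$KRB5_CONF" && echo "no DES enctypes offered in $KRB5_CONF"
```

After the change, `klist -e` on the client shows which enctype the KDC actually issued, so the switch from rc4-hmac to AES can be confirmed once the domain functional level goes up. One Java-specific caveat: aes256-cts needs the JCE Unlimited Strength policy files on the JDKs current at the time of this thread, so a Java client without them will only get as far as aes128-cts.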