Is Windows server 2008+KDC not interoperable with Java, Solaris and UNIX or MIT kerberos?

Douglas E. Engert deengert at anl.gov
Thu Jul 28 17:10:13 EDT 2011



On 7/28/2011 1:22 PM, Sabharanjak, Ravi wrote:
> Hello all,
>
> I am not able to get a ticket from a server 2008 or a server 2008 R2 KDC from a Java, Solaris or Linux client unless I constrain the client to use RC4-HMAC for the encryption types. (Have tried this using kfw-3-2-2 on Windows as well). Is server2008+ not interoperable with these Kerberos implementations?
>
> A brief background - if the domain is not in server 2008+ functionality mode (i.e. there are 2003 or older domain controllers in the environment), server 2008+ does not enable support for AES encryption (unless the client is a Vista+ client that has updated the msDS-SupportedEncryptionTypes attribute in its user object). Server 2008+ also does not enable support for DES by default.
>
> In the network traces, I can see clients proposing to use DES, RC4-HMAC and AES for the AS-REQ if they are not configured to be limited to using RC4-HMAC. I am expecting the client and the KDC to settle on the use of RC4-HMAC, however the KDC replies with KRB5KDC_ERR_ETYPE_NOSUPP.
>
> I don't want to constrain the clients to use just RC4-HMAC, as I want them to switch to AES automatically when the domain functional level is upgraded and AES support becomes available on the DC.
>
> The Java version is the latest off Java.com. The linux and Solaris versions are fairly current.
>
> Wireshark traces attached. Any help you can provide or insights into why this is not working out would be greatly appreciated.

Have you tried using a newly added user to AD, to see if the problem
is related to when the user account was created?

If I recall, during the upgrade process from 2003 to 2008 there are
some schema changes that have to be made. Has this been done?

You could look at what version of the Kerberos server is running on
the DC (KDCsvc.dll), and install the latest hotfix if needed; for
example, check out this article.

http://support.microsoft.com/kb/2425227


>
> Thanks,
> -Ravi
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
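To make the negotiation in the original post concrete, here is an added example (not code from the thread or from either poster) that decodes the msDS-SupportedEncryptionTypes bitmask, models the 2008+ KDC policy exactly as the post describes it (RC4 always on, AES only at 2008+ functional level or when the attribute is populated, DES off by default), and then applies the client's AS-REQ etype list against it. The bit values and etype numbers are the documented ones; the "first client-offered etype the KDC has enabled" selection rule and the sample etype lists are simplifications constructed for illustration.

```python
"""Added example: decode AD's msDS-SupportedEncryptionTypes bitmask and
model the AS-REQ etype selection discussed in the thread."""

# Bit values of msDS-SupportedEncryptionTypes (documented in MS-KILE).
MSDS_ETYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Kerberos etype numbers as they appear in a Wireshark AS-REQ (RFC 3961/4757).
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23,
}

# Error returned when no offered etype is usable (RFC 4120, KDC_ERR_ETYPE_NOSUPP).
KDC_ERR_ETYPE_NOSUPP = 14

WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}


def decode_supported_etypes(value):
    """Return the etype names set in an msDS-SupportedEncryptionTypes value.
    Bits outside the documented five are reported rather than silently dropped."""
    names = [name for bit, name in MSDS_ETYPE_BITS.items() if value & bit]
    unknown = value & ~sum(MSDS_ETYPE_BITS)
    if unknown:
        names.append("unknown-bits-0x%x" % unknown)
    return names


def kdc_enabled_etypes(msds_value, domain_level_2008_plus, des_enabled=False):
    """Model of the 2008+ KDC policy as the original post describes it:
    an account with msDS-SupportedEncryptionTypes populated gets exactly those
    etypes; otherwise RC4 is always on, AES only at 2008+ functional level,
    and DES only when explicitly enabled. A constructed simplification,
    not Microsoft's actual code path."""
    if msds_value:
        return set(decode_supported_etypes(msds_value))
    enabled = {"rc4-hmac"}
    if domain_level_2008_plus:
        enabled |= {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
    if des_enabled:
        enabled |= {"des-cbc-crc", "des-cbc-md5"}
    return enabled


def select_etype(client_offered, kdc_enabled):
    """Pick the first etype in the client's AS-REQ list that the KDC enables
    (assumed selection rule). Returns (name, etype number) or
    (None, KDC_ERR_ETYPE_NOSUPP) when there is no overlap."""
    for name in client_offered:
        if name in kdc_enabled:
            return name, ETYPE_NUMBERS[name]
    return None, KDC_ERR_ETYPE_NOSUPP


def audit(client_offered, kdc_enabled):
    """Summarise the outcome the way a reviewer of the trace would want it."""
    name, code = select_etype(client_offered, kdc_enabled)
    if name is None:
        return "KRB5KDC_ERR_ETYPE_NOSUPP (%d): no overlap" % code
    strength = "WEAK" if name in WEAK_ETYPES else "ok"
    return "%s (etype %d) [%s]" % (name, code, strength)


if __name__ == "__main__":
    # Constructed sample: the DES/RC4/AES mix an unconstrained client sends.
    offered = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
               "des-cbc-crc", "des-cbc-md5", "rc4-hmac"]
    # Mixed 2003/2008 domain, account without the attribute: only RC4 enabled.
    print("mixed domain:", audit(offered, kdc_enabled_etypes(0, False)))
    # Same client after the functional level is raised: AES is chosen automatically.
    print("2008 level:", audit(offered, kdc_enabled_etypes(0, True)))
    # Account whose attribute is AES-only (0x18) against a client pinned to RC4.
    print("RC4-only client:", audit(["rc4-hmac"], kdc_enabled_etypes(0x18, True)))
```

Under this model the mixed-domain case settles on RC4-HMAC, which is the outcome the original post expected; an ETYPE_NOSUPP reply with RC4 in the offered list therefore points at account or KDC state rather than at the etype list itself, which is why the reply above probes account age, schema upgrade and KDC hotfix level.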