Encryption type troubles

Greg Hudson ghudson at MIT.EDU
Fri Sep 14 13:53:30 EDT 2012


On 09/14/2012 01:41 PM, Martin B. Smith wrote:
> krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19:
> BAD_ENCRYPTION_TYPE

Check the key types present in the krbtgt principal.

Longer answer:

When you make an AS request, the KDC needs to pick three keys: the
encryption key for the ticket, the session key, and the reply key.  The
ticket encryption key needs to be understood by the server, the reply
key needs to be understood by the client, and the session key needs to
be understood by both.  We assume that the server understands the
encryption keys that it has long-term keys for in its principal entry
(unless the session_enctypes string attribute is set, but that's new in
1.11 which isn't out yet).

A BAD_ENCRYPTION_TYPE error means the server couldn't pick a session
key, meaning there was no commonality between the requested enctypes and
the server principal entry's key types (or that all of the common
entries aren't permitted, but that's not an issue in your scenario).  So
it's the server's principal entry--in this case, krbtgt/REALMNAME--which
is the problem, not the client's.

If there were a problem picking a reply key, you would get a
CANT_FIND_CLIENT_KEY error in the logs.
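The three-key selection described above, written out as a small model so the two error codes can be traced back to the principal entry they implicate. This is an added example, not code from Greg Hudson or from the MIT krb5 KDC: the order in which the keys are checked, the choice of the first listed server key as ticket key, and the `diagnose` helper are assumptions of this model; the enctype numbers come from the IANA Kerberos registry (RFC 3961), and the sample log line is the one quoted in the mail.

```python
import re

# Registered Kerberos enctype numbers (RFC 3961 / IANA registry), for readable output.
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}

# krb5kdc logs AS requests as "AS_REQ (N etypes {a b c}) client-ip: ..."
ETYPES_RE = re.compile(r"AS_REQ \(\d+ etypes \{([\d ]+)\}\)")


def requested_etypes(log_line):
    """Pull the client's requested enctype list out of a krb5kdc AS_REQ log line."""
    m = ETYPES_RE.search(log_line)
    if not m:
        raise ValueError("not an AS_REQ log line")
    return [int(tok) for tok in m.group(1).split()]


class KdcError(Exception):
    """Stands in for the error code the KDC would log."""


def pick_reply_key(requested, client_keys):
    """Reply key: encrypts the AS reply, so the client must hold a long-term key of that type."""
    for etype in requested:
        if etype in client_keys:
            return etype
    raise KdcError("CANT_FIND_CLIENT_KEY")


def pick_session_key(requested, server_keys, permitted):
    """Session key: shared by client and server, so it must be requested by the
    client, present in the server principal's key list, and permitted by policy."""
    for etype in requested:
        if etype in server_keys and etype in permitted:
            return etype
    raise KdcError("BAD_ENCRYPTION_TYPE")


def pick_ticket_key(server_keys):
    """Ticket key: only the server decrypts the ticket, so any of its own keys works.
    Assumption of this model: take the first listed (a real KDC applies a preference order)."""
    return server_keys[0]


def process_as_req(requested, client_keys, server_keys, permitted=None):
    """Model the three key choices; return the chosen etypes or the error the KDC would log.
    Checking the session key before the reply key is an assumption of this model."""
    permitted = set(permitted) if permitted is not None else set(ETYPE_NAMES)
    try:
        session = pick_session_key(requested, server_keys, permitted)
        reply = pick_reply_key(requested, client_keys)
    except KdcError as err:
        return {"error": str(err)}
    return {"ticket": pick_ticket_key(server_keys), "session": session, "reply": reply}


def diagnose(log_line, client_keys, krbtgt_keys):
    """Explain a krb5kdc AS_REQ log line in terms of which principal entry to inspect."""
    requested = requested_etypes(log_line)
    result = process_as_req(requested, client_keys, krbtgt_keys)
    names = lambda etypes: ", ".join(ETYPE_NAMES.get(e, str(e)) for e in etypes)
    if "error" in result:
        which = {"BAD_ENCRYPTION_TYPE": "krbtgt principal's key types",
                 "CANT_FIND_CLIENT_KEY": "client principal's key types"}[result["error"]]
        return (f"{result['error']}: client asked for {{{names(requested)}}}, "
                f"so look at the {which} (krbtgt has {{{names(krbtgt_keys)}}})")
    return "ok: " + ", ".join(f"{k}={ETYPE_NAMES[v]}" for k, v in result.items())


if __name__ == "__main__":
    # Constructed scenario: the log line quoted in the mail, a client that still
    # holds a des3 key, and a krbtgt principal that was re-keyed with AES only.
    LOG = "krb5kdc[2783](info): AS_REQ (1 etypes {16}) 10.253.17.19: BAD_ENCRYPTION_TYPE"
    print(diagnose(LOG, client_keys=[16, 18], krbtgt_keys=[18, 17]))
    # Same KDC, a client that also offers AES: all three keys can be chosen.
    print(diagnose("krb5kdc[2783](info): AS_REQ (2 etypes {18 16}) 10.253.17.19:", [18], [18, 17]))
```

The model only reproduces the reasoning in the mail; the real check it stands in for is `getprinc krbtgt/REALMNAME` in kadmin, whose `Key:` lines list the enctypes the krbtgt entry actually holds, compared against the etype list the client sent.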


