Encryption type troubles

Marcus Watts mdw at umich.edu
Fri Sep 14 13:56:13 EDT 2012


> Date:    Fri, 14 Sep 2012 13:41:04 EDT
> To:      kerberos at mit.edu
> From:    "Martin B. Smith" <smithmb at ufl.edu>
> Subject: Encryption type troubles
> 
> Hi all,
> 
> I'm trying to debug a problem where I've specifically asked for an
> encryption type that I know my principal has an entry for, but I still
> fail to get a ticket, and I am not getting a lot of good information
> about what's happening. I'll describe the situation below, and I'd
> welcome any feedback about the problem itself or how to gather more
> information.
> 
> Thanks!
> 
> I've got a principal configured like so:
> 
> Number of keys: 6
> Key: vno 27, DES with HMAC/sha1, no salt
> Key: vno 27, DES cbc mode with RSA-MD5, no salt
> Key: vno 27, DES cbc mode with CRC-32, Version 4
> Key: vno 27, DES cbc mode with CRC-32, AFS version 3
> Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 27, ArcFour with HMAC/md5, no salt
> Attributes: REQUIRES_PRE_AUTH

2 things,
1 try reordering the enc types.  You want strongest first,
weakest last.  I don't think that matters much here,
but it's a good general practice.

2 check your krbtgt key types (and any other service tickets
you want to get.)  You won't be able to get a service ticket
for a given enc type if the service doesn't have a key for
that enc type.  (It will probably always be encrypted
with the *first* key - which is where and why the principal
key order matters.)

					-Marcus Watts
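
The two checks suggested in the reply above, as an added example that is not part of either message: it parses key listings in the format shown in the quoted post, reports which of the client's enctypes the service principal has no key for, and flags a listing where single DES comes ahead of a stronger type. The function names are hypothetical, the krbtgt listing is a constructed sample, and treating names that begin with "DES " as the weakest tier is an assumption.

```python
import re

# Key lines copied from the principal in the quoted message.
CLIENT = """\
Key: vno 27, DES with HMAC/sha1, no salt
Key: vno 27, DES cbc mode with RSA-MD5, no salt
Key: vno 27, DES cbc mode with CRC-32, Version 4
Key: vno 27, DES cbc mode with CRC-32, AFS version 3
Key: vno 27, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 27, ArcFour with HMAC/md5, no salt
"""
# Constructed sample (an assumption, not from the thread): a krbtgt with fewer key types.
KRBTGT = """\
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

KEY_LINE = re.compile(r"^Key: vno (\d+), (.+), ([^,]+)$")

def parse_keys(text):
    """Return [(kvno, enctype, salt)] in the order the keys are listed."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return keys

def enctypes(keys):
    """Distinct enctype names, keeping first-listed order."""
    return list(dict.fromkeys(name for _, name, _ in keys))

def missing_on_service(client_keys, service_keys):
    """Client enctypes for which the service principal has no key."""
    have = set(enctypes(service_keys))
    return [name for name in enctypes(client_keys) if name not in have]

def weak_before_strong(keys):
    """True if a single-DES key is listed ahead of any other key type."""
    # Assumption: names starting with "DES " are single DES, the weakest tier.
    seen_weak = False
    for name in enctypes(keys):
        if name.startswith("DES "):
            seen_weak = True
        elif seen_weak:
            return True
    return False
```

Run it against the key listings for the user principal, krbtgt, and each service principal of interest; any enctype returned by `missing_on_service` is one to check first when a ticket request for that type fails.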

