etypes error

dave dartt davedartt at gmail.com
Mon Dec 9 11:24:15 EST 2013


I am trying to use IBM Client Access on my Kubuntu (debian). I have
successfully authenticated against our KDC and received my TGT. The
KDC server is using all the newest and latest protocols but the
iSeries is still using the old DES-CBC-MD5 encryption. I have no
control over this aspect so I was wondering is there a way to force my
system to allow the usage of this old encryption type? so that I can
use my kerberos ticket to authenticate my IBM Client Access and be
able to comply with my companies move to a SSO system.


KDC server log entry concerning my ticket denial...

 12/09/2013 08:25:45 AM
> LogName=System
> SourceName=Microsoft-Windows-Kerberos-Key-Distribution-Center
> EventCode=16
> EventType=2
> Type=Error
> ComputerName=DC1.mycompany.com
> TaskCategory=None
> OpCode=None
> RecordNumber=826440
> Keywords=Classic
> Message=While processing a TGS request for the target server krbsvr400/
> iseries.mycompany.com, the account ddartt at MYCOMPANY.COM did not have a
> suitable key for generating a Kerberos ticket (the missing key has an ID
> of 8). The requested etypes were 18 17 16 23. The accounts available
> etypes were 23 -133 -128 3 1. Changing or resetting the password of host_1
> _krbsvr400 will generate a proper key.


More information about the Kerberos mailing list