etypes error

dave dartt davedartt at
Mon Dec 9 11:24:15 EST 2013

I am trying to use IBM Client Access on my Kubuntu (debian). I have
successfully authenticated against our KDC and received my TGT. The
KDC server is using all the newest and latest protocols but the
iSeries is still using the old DES-CBC-MD5 encryption. I have no
control over this aspect so I was wondering is there a way to force my
system to allow the usage of this old encryption type? so that I can
use my kerberos ticket to authenticate my IBM Client Access and be
able to comply with my companies move to a SSO system.

KDC server log entry concerning my ticket denial...

 12/09/2013 08:25:45 AM
> LogName=System
> SourceName=Microsoft-Windows-Kerberos-Key-Distribution-Center
> EventCode=16
> EventType=2
> Type=Error
> TaskCategory=None
> OpCode=None
> RecordNumber=826440
> Keywords=Classic
> Message=While processing a TGS request for the target server krbsvr400/
>, the account ddartt at MYCOMPANY.COM did not have a
> suitable key for generating a Kerberos ticket (the missing key has an ID
> of 8). The requested etypes were 18 17 16 23. The accounts available
> etypes were 23 -133 -128 3 1. Changing or resetting the password of host_1
> _krbsvr400 will generate a proper key.

More information about the Kerberos mailing list