KRB5KDC_ERR_ETYPE_NOSUPP Forest Domain

3junior 3junior at gmail.com
Tue Nov 19 21:33:27 EST 2013


Hi All,

I have a forest domain with child domains. I created a keytab on junior.com
with -crypto RC4-HMAC-NT. My servers are Windows 2003 with some DCs that
are 2008 with functional level set to Windows Server 2003. I have a Red Hat
Apache server set up with Kerberos. When a user on a Windows 7 machine tries from
the dev/qa/devtest.junior.com domain to connect to http://test.com they
are prompted for a password. When I look at a Wireshark trace from the client I see
the following error "KRB5KDC_ERR_ETYPE_NOSUPP". Can someone please tell me
how to fix this, or what I can do next? I am lost here. I am not using DES
security, as Wireshark shows rc4-hmac (23).


Domains
1. junior.com
2. qa.junior.com
3. dev.junior.com
4. devtest.junior.com

Wireshark

1. AP-REQ to junior.com
Service instance name HTTP/test.qa.junior.com
Encryption type: rc4-hmac (23)
Realm: QA.JUNIOR.COM

2. AP-REP returns with a valid ticket

3. Client wants to validate ticket
AP-REQ
Service instance name HTTP/test.qa.junior.com
Encryption type: rc4-hmac (23)
Realm: JUNIOR.COM
Encryption type: rc4-hmac (23)

4. error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)

Apache Logs
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1278): [client
10.1.1.12] Acquiring creds for HTTP/test.qa.junior.com at JUNIOR.COM
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1691): [client
10.1.1.12] Verifying client data using KRB5 GSS-API
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1707): [client
10.1.1.12] Client didn't delegate us their credential
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1735): [client
10.1.1.12] Warning: received token seems to be NTLM, which isn't supported
by the Kerberos module. Check your IE configuration.
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1138): [client
10.1.1.12] GSS-API major_status:00070000, minor_status:00000000
[Tue Nov 19 20:55:13 2013] [error] [client 10.1.1.12]
gss_accept_sec_context() failed: No credentials were supplied, or the
credentials were unavailable or inaccessible (, Unknown error)
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1939): [client
10.1.1.12] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Tue Nov 19 20:55:13 2013] [error] [client 10.1.1.12] empty passwords are
not accepted








--
View this message in context: http://kerberos.996246.n3.nabble.com/KRB5KDC-ERR-ETYPE-NOSUPP-Forest-Domain-tp38962.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
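
As an added example that is not part of the original post: a short Python triage of the mod_auth_kerb debug lines quoted above. It extracts, per client, the service principal the module acquired, whether the NTLM-token warning fired, and the GSS-API routine error decoded from `major_status` using the RFC 2744 layout. The function names `triage` and `decode_major` are illustrative, and the sample lines are three of the post's log lines with the mail wrapping removed.

```python
import re

# Three log lines copied from the post above, mail wrapping removed.
SAMPLE_LOG = """\
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1278): [client 10.1.1.12] Acquiring creds for HTTP/test.qa.junior.com at JUNIOR.COM
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1735): [client 10.1.1.12] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1138): [client 10.1.1.12] GSS-API major_status:00070000, minor_status:00000000
"""

# Subset of GSS-API routine errors from RFC 2744 (bits 16-23 of major_status).
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH",
    7: "GSS_S_NO_CRED",
    9: "GSS_S_DEFECTIVE_TOKEN",
    13: "GSS_S_FAILURE",
}

# Apache error_log prefix: [date] [level] optional "file(line): " [client ip] message
LINE_RE = re.compile(r"^\[[^\]]+\] \[\w+\] (?:\S+: )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
SPN_RE = re.compile(r"Acquiring creds for (\S+)")
MAJOR_RE = re.compile(r"major_status:([0-9a-fA-F]{8})")

def decode_major(hex_status):
    """Name the routine-error field of a GSS-API major status given as 8 hex digits."""
    routine = (int(hex_status, 16) >> 16) & 0xFF
    if routine == 0:
        return "no routine error"
    return ROUTINE_ERRORS.get(routine, "routine_error_%d" % routine)

def triage(log_text):
    """Return {client_ip: {"spn", "ntlm_token", "gss_errors"}} for mod_auth_kerb lines."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Apache error_log line with a [client ...] field
        entry = clients.setdefault(
            m.group("client"), {"spn": None, "ntlm_token": False, "gss_errors": []})
        msg = m.group("msg")
        spn = SPN_RE.search(msg)
        if spn:
            entry["spn"] = spn.group(1)
        if "received token seems to be NTLM" in msg:
            entry["ntlm_token"] = True
        major = MAJOR_RE.search(msg)
        if major:
            entry["gss_errors"].append(decode_major(major.group(1)))
    return clients

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
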

