Ross Wilper rwilper at
Wed Nov 20 14:48:19 EST 2013

You appear to have a host-to-realm issue (though that may not be the only

You are looking for a service ticket to a machine in QA.JUNIOR.COM and the
message states "Acquiring creds for HTTP/ at JUNIOR.COM"

Instead of "HTTP/ at QA.JUNIOR.COM"


-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On Behalf
Of 3junior
Sent: Tuesday, November 19, 2013 6:33 PM
To: kerberos at
Subject: KRB5KDC_ERR_ETYPE_NOSUPP Forest Domain

Hi All,

I have forest domain with child domains. I create  a keytab on
with  -crypto RC4-HMAC-NT. My servers are windows 2003 with some DCs that
are 2008 with functional level set to Windows Server 2003. I have a redhat
Apache server setup with Kerberos. When a user on Windows 7 Machine try from
dev/qa/ domain and try to connect to they
are promoted for password.  When I look at wireshark trace from client I see
the following error "KRB5KDC_ERR_ETYPE_NOSUPP". Can someone please tell me
how to fix this? Or what I can do next I lost here. I am not using DES
security as wireshark shows rc4-hmac (23).



1. AP-REQ to
Service instance name HTTP/
Encryption type: rc4-hmac (23)

2.AP-REP returns with a valid ticket

3. Client wants to validate ticket 
Service instance name HTTP/
Encryption type: rc4-hmac (23)
Encryption type: rc4-hmac (23)

4.error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)

Apache Logs
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1278): [client] Acquiring creds for HTTP/ at JUNIOR.COM
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1691): [client] Verifying client data using KRB5 GSS-API
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1707): [client] Client didn't delegate us their credential
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1735): [client] Warning: received token seems to be NTLM, which isn't supported
by the Kerberos module. Check your IE configuration.
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1138): [client] GSS-API major_status:00070000, minor_status:00000000
[Tue Nov 19 20:55:13 2013] [error] [client]
gss_accept_sec_context() failed: No credentials were supplied, or the
credentials were unavailable or inaccessible (, Unknown error)
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1939): [client] kerb_authenticate_user entered with user (NULL) and auth_type
[Tue Nov 19 20:55:13 2013] [error] [client] empty passwords are
not accepted

View this message in context:
Sent from the Kerberos - General mailing list archive at
Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list