KRB5KDC_ERR_ETYPE_NOSUPP Forest Domain

Ross Wilper rwilper at zm02.stanford.edu
Wed Nov 20 14:48:19 EST 2013


You appear to have a host-to-realm issue (though that may not be the only
thing).

You are looking for a service ticket to a machine in QA.JUNIOR.COM and the
message states "Acquiring creds for HTTP/test.qa.junior.com at JUNIOR.COM"

Instead of "HTTP/test.qa.junior.com at QA.JUNIOR.COM"

-Ross

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
Of 3junior
Sent: Tuesday, November 19, 2013 6:33 PM
To: kerberos at mit.edu
Subject: KRB5KDC_ERR_ETYPE_NOSUPP Forest Domain

Hi All,

I have a forest domain with child domains. I created a keytab on junior.com
with -crypto RC4-HMAC-NT. My servers are Windows 2003, with some DCs that
are 2008 with the functional level set to Windows Server 2003. I have a Red Hat
Apache server set up with Kerberos. When a user on a Windows 7 machine from the
dev/qa/devtest.junior.com domain tries to connect to http://test.com, they
are prompted for a password. When I look at the Wireshark trace from the client
I see the following error: "KRB5KDC_ERR_ETYPE_NOSUPP". Can someone please tell me
how to fix this, or what I can do next? I am lost here. I am not using DES
security, as Wireshark shows rc4-hmac (23).


Domains
1. junior.com
2. qa.junior.com
3. dev.junior.com
4. devtest.junior.com

WireShark

1. AP-REQ to junior.com
Service instance name HTTP/test.qa.junior.com
Encryption type: rc4-hmac (23)
RealM: QA.JUNIOR.COM

2. AP-REP returns with a valid ticket

3. Client wants to validate ticket 
AP-REQ
Service instance name HTTP/test.qa.junior.com
Encryption type: rc4-hmac (23)
RealM: JUNIOR.COM
Encryption type: rc4-hmac (23)

4. error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)

Apache Logs
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1278): [client
10.1.1.12] Acquiring creds for HTTP/test.qa.junior.com at JUNIOR.COM
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1691): [client
10.1.1.12] Verifying client data using KRB5 GSS-API
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1707): [client
10.1.1.12] Client didn't delegate us their credential
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1735): [client
10.1.1.12] Warning: received token seems to be NTLM, which isn't supported
by the Kerberos module. Check your IE configuration.
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1138): [client
10.1.1.12] GSS-API major_status:00070000, minor_status:00000000
[Tue Nov 19 20:55:13 2013] [error] [client 10.1.1.12]
gss_accept_sec_context() failed: No credentials were supplied, or the
credentials were unavailable or inaccessible (, Unknown error)
[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1939): [client
10.1.1.12] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Tue Nov 19 20:55:13 2013] [error] [client 10.1.1.12] empty passwords are
not accepted

--
View this message in context:
http://kerberos.996246.n3.nabble.com/KRB5KDC-ERR-ETYPE-NOSUPP-Forest-Domain-tp38962.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
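
The host-to-realm point raised in the reply, as an added example that is not part of the thread: a simplified Python model of a krb5.conf [domain_realm] lookup, applied to the "Acquiring creds" line from the Apache log above. The two maps are assumptions built from the domains listed in the original message; the poster's actual krb5.conf is not shown.

```python
import re

# Assumed [domain_realm] maps for this forest (constructed for illustration;
# the poster's krb5.conf is not shown in the thread).
PARENT_ONLY = {".junior.com": "JUNIOR.COM", "junior.com": "JUNIOR.COM"}
WITH_CHILDREN = {
    **PARENT_ONLY,
    ".qa.junior.com": "QA.JUNIOR.COM",
    ".dev.junior.com": "DEV.JUNIOR.COM",
    ".devtest.junior.com": "DEVTEST.JUNIOR.COM",
}

# Log line from the thread, unwrapped. The archive prints "@" as " at ".
SAMPLE = ("[Tue Nov 19 20:55:13 2013] [debug] src/mod_auth_kerb.c(1278): "
          "[client 10.1.1.12] Acquiring creds for "
          "HTTP/test.qa.junior.com at JUNIOR.COM")

ACQUIRE = re.compile(r"Acquiring creds for (\S+?)/(\S+?)(?:@| at )(\S+)")


def host_realm(host, domain_realm):
    """Simplified model of a [domain_realm] lookup: try the host name, then
    each parent domain (dot-prefixed, then bare), most specific first."""
    key = host.lower()
    while key:
        if key in domain_realm:
            return domain_realm[key]
        if key.startswith("."):
            key = key[1:]
        else:
            dot = key.find(".")
            key = key[dot:] if dot != -1 else ""
    return None  # no entry applies to this host


def check(line, domain_realm):
    """Compare the realm in an 'Acquiring creds' line with the mapped realm."""
    m = ACQUIRE.search(line)
    if m is None:
        return None
    service, host, logged = m.groups()
    mapped = host_realm(host, domain_realm)
    return {"principal": f"{service}/{host}", "logged": logged,
            "mapped": mapped, "mismatch": mapped != logged}


if __name__ == "__main__":
    print(check(SAMPLE, PARENT_ONLY))    # map reproduces the logged realm
    print(check(SAMPLE, WITH_CHILDREN))  # map yields QA.JUNIOR.COM: mismatch
```

With only the parent domain mapped, the model yields the same realm the log shows; adding the child-domain entries yields QA.JUNIOR.COM for the same host, which is the realm the reply says the service ticket should be in.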