KDC has no support for encryption type

vijaydpr prashant.vijayadas at gmail.com
Sat Aug 2 04:32:39 EDT 2014 

Hi Robert,

Thank you for the reply.

We have fixed the problem yesterday.
You are absolutely right, as per the Windows 2008 R2 help documentation,
windows only supports the below encryption types
http://technet.microsoft.com/en-us/library/cc753771.aspx

[/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]

We had previously tried generating the keytab file with both AES 256-SHA1 &
the RC4-HMAC-NT.
However our ktpass command on the Windows AD had mentioned that DES
encryption type be not selected.

ktpass -princ SBQADM/<Fully Qualified Hostname>.mydomain.com at MYDOMAIN.COM
-mapuser MYDOMAIN\SBQADM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop
set *-DESONLY* -pass na8Exe12 -out sbq.keytab

However , after the keytab was generated, the SBQADM user's settings
revealed that the DES encryption was still selected.  However we didnt
realize this as the keytab file did not show us this at all.
They keytab shows us ARCFOUR-HMAC and nowhere does it mention that DES-
encryption is selected.

orsapbisbx01:sbqadm 52> klist -e
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: SBQADM/<Fully Qualified
Hostname>.mydomain.com>@MYDOMAIN.COM

Valid starting     Expires            Service principal
08/01/14 00:39:30  08/01/14 10:39:30  krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
        renew until 08/08/14 00:39:30, Etype (skey, tkt): *arcfour-hmac,
arcfour-hmac*
orsapbisbx01:sbqadm 53>

But after we got the error via kvno ,
 orsapbisbx01:sbqadm 56>  /usr/bin/kvno -k /etc/krb5.keytab  SBQADM/<Fully
Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
kvno: KDC has no support for encryption type while getting credentials for
SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

When we cross checked the user SBQADM  on the AD , there was a checkbox with
the option DES encryption checked. This was causing the problem. The moment
, we unchecked this option on the AD for the user and regenerated the
Kerberos ticket via kinit ,the kvno was able to validate the kerberos ticket
validity and the encryption type.

The SSO started working as well for us.Thanks a lot for your suggestion and
help.

Warm Regards
Prashant Vijaydas





--
View this message in context: http://kerberos.996246.n3.nabble.com/KDC-has-no-support-for-encryption-type-tp41083p41105.html
Sent from the Kerberos - General mailing list archive at Nabble.com.

More information about the Kerberos mailing list