KDC has no support for encryption type
vijaydpr
prashant.vijayadas at gmail.com
Sat Aug 2 04:39:15 EDT 2014
Hi Robert,
Thanks for the reply, My problem is fixed, it was due to a wrong encryption
type.
Warm Regards
Prahsant
On Sat, Aug 2, 2014 at 2:02 PM, vijaydpr [via Kerberos] <
ml-node+s996246n41105h46 at n3.nabble.com> wrote:
> Hi Robert,
>
> Thank you for the reply.
>
> We have fixed the problem yesterday.
> You are absolutely right, as per the Windows 2008 R2 help documentation,
> windows only supports the below encryption types
> http://technet.microsoft.com/en-us/library/cc753771.aspx
>
> [/crypto
> {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
>
> We had previously tried generating the keytab file with both AES 256-SHA1
> & the RC4-HMAC-NT.
> However our ktpass command on the Windows AD had mentioned that DES
> encryption type be not selected.
>
> ktpass -princ SBQADM/<Fully Qualified Hostname>.mydomain.com at MYDOMAIN.COM
> -mapuser MYDOMAIN\SBQADM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
> -mapop set *-DESONLY* -pass na8Exe12 -out sbq.keytab
>
> However , after the keytab was generated, the SBQADM user's settings
> revealed that the DES encryption was still selected. However we didnt
> realize this as the keytab file did not show us this at all.
> They keytab shows us ARCFOUR-HMAC and nowhere does it mention that DES-
> encryption is selected.
>
> orsapbisbx01:sbqadm 52> klist -e
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: SBQADM/<Fully Qualified Hostname>.mydomain.com>@
> MYDOMAIN.COM
>
> Valid starting Expires Service principal
> 08/01/14 00:39:30 08/01/14 10:39:30 krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> renew until 08/08/14 00:39:30, Etype (skey, tkt): *arcfour-hmac,
> arcfour-hmac*
> orsapbisbx01:sbqadm 53>
>
> But after we got the error via kvno ,
> orsapbisbx01:sbqadm 56> /usr/bin/kvno -k /etc/krb5.keytab SBQADM/<Fully
> Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
> kvno: KDC has no support for encryption type while getting credentials for
> SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
>
> When we cross checked the user SBQADM on the AD , there was a checkbox
> with the option DES encryption checked. This was causing the problem. The
> moment , we unchecked this option on the AD for the user and regenerated
> the Kerberos ticket via kinit ,the kvno was able to validate the kerberos
> ticket validity and the encryption type.
>
> The SSO started working as well for us.Thanks a lot for your suggestion
> and help.
>
> Warm Regards
> Prashant Vijaydas
>
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://kerberos.996246.n3.nabble.com/KDC-has-no-support-for-encryption-type-tp41083p41105.html
> To unsubscribe from KDC has no support for encryption type, click here
> <http://kerberos.996246.n3.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=41083&code=cHJhc2hhbnQudmlqYXlhZGFzQGdtYWlsLmNvbXw0MTA4M3wtOTc5NDAzNDg2>
> .
> NAML
> <http://kerberos.996246.n3.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
--
View this message in context: http://kerberos.996246.n3.nabble.com/KDC-has-no-support-for-encryption-type-tp41083p41106.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
More information about the Kerberos
mailing list