Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

Silambarasan Madhappan silambarasan19 at gmail.com
Fri Nov 9 06:06:34 EST 2018


Thank you, Todd Grayson, for the detailed information.
On Thu, Nov 8, 2018 at 10:07 PM Todd Grayson <tgrayson at cloudera.com> wrote:
>
> oops, typo by me:
>
> You are hard forcing AES for initial ticket granting ticket with the settings you are using for enctypes.
>
> Should read
>
> You are hard forcing AES for initial session key and ticket granting ticket with the settings you are using for enctypes.
>
> On Thu, Nov 8, 2018 at 9:35 AM Todd Grayson <tgrayson at cloudera.com> wrote:
>>
>> You are hard forcing AES for initial ticket granting ticket with the settings you are using for enctypes.   Unset (comment out) the 3 enctype lines for one of your tests.  How to comment out lines in the krb5.conf is covered in the second paragraph here:
>>
>> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>>
>> Use klist -ef after you successfully authenticate and inspect the ticket encryption types used.  It will look something like this after commenting out those lines I mentioned and then retrying your kinit:
>>
>> dude at host:~$ kinit Administrator at AD.SEC.EXAMPLE.COM
>> Password for Administrator at AD.SEC.EXAMPLE.COM:
>> dude at host:~$ klist -ef
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: Administrator at AD.SEC.EXAMPLE.COM
>>
>> Valid starting       Expires              Service principal
>> 11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/AD.SEC.EXAMPLE.COM at AD.SEC.EXAMPLE.COM
>> renew until 11/15/2018 09:15:53, Flags: FRIA
>> Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
>>
>> You can see on the Etype line, by default the initial session key is actually rc4-hmac (arcfour-hmac is the same thing, just different names). But the actual ticket granting ticket. The above example is against a Windows 2008 KDC, but 2016 is probably doing the same thing for backward compatibility.
>>
>>
>> Kerberos will negotiate strongest encryption types by default within the available configuration.
>>
>> AD exposes per-user account settings in the properties dialog, under account details, that allow you to set using AES encryption types.  Doing it for all accounts would be a global policy in AD.  This mail list does not really cover how to manage Active Directory as a KDC at that level; Microsoft discussion boards would be best there.
>>
>> Given you are new to Kerberos, I would suggest starting here; reading this will help you understand your terminology, what to search/google for, how things work in Kerberos, etc.
>>
>> http://www.kerberos.org/software/tutorial.html
>>
>> The administration guide would be next step.
>>
>> Microsoft AD Kerberos info is here; I would start with this AFTER going through the Kerberos tutorial.
>>
>> https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
>>
>>
>>
>> On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <silambarasan19 at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> I am new to Kerberos.  I am not able to obtain Kerberos
>>> ticket-granting tickets with strong encryption types from "Windows
>>> Server 2016 AD".
>>>
>>> My client Kerberos configuration is as below
>>> ========================
>>>
>>> $ cat /etc/krb5.conf
>>> [libdefaults]
>>> default_realm = CIFS.COM
>>> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> ccache_type = 2
>>>
>>> [realms]
>>> CIFS.COM = {
>>> kdc = WIN.cifs.com:88
>>> }
>>>
>>> [domain_realm]
>>> .cifs.com = CIFS.COM
>>>
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>> [bash4.2]$
>>>
>>> Issue :
>>> =====
>>> $ kinit Administrator
>>> kinit(v5): KDC has no support for encryption type while getting
>>> initial credentials
>>> $
>>>
>>> Please let me know where I can find the KDC configuration types in
>>> Active Directory (Windows Server 2016).
>>> Do I have to change any configuration on the Kerberos client or server?
>>> Please help me on this.
>>>
>>> Thanks,
>>> Silambarasan M
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
>> --
>> Todd Grayson
>> Customer Operations Engineering
>> Security SME
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>
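Todd's suggestion to read the Etype line of `klist -ef` can be turned into a small check. The following is an added example, not code from the thread or from MIT Kerberos: it parses `klist -ef` output (assuming the MM/DD/YYYY timestamp layout shown above) and reports every ticket whose session key or ticket enctype is a legacy type such as arcfour-hmac. The sample output is constructed from the thread's example, with the archive's " at " rewritten back to "@".

```python
import re

# Constructed sample modelled on the klist -ef output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: Administrator@AD.SEC.EXAMPLE.COM

Valid starting       Expires              Service principal
11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/AD.SEC.EXAMPLE.COM@AD.SEC.EXAMPLE.COM
\trenew until 11/15/2018 09:15:53, Flags: FRIA
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""

# Assumed classification for this example: RC4 and DES-family enctypes are legacy.
LEGACY_ETYPES = {
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
    "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1",
}

DATE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
# A ticket line: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(rf"^\s*({DATE})\s+({DATE})\s+(\S+)\s*$")
# The -e line that follows a ticket: "Etype (skey, tkt): <session key>, <ticket>"
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")


def parse_klist_ef(text):
    """Return one dict per ticket with its service, session-key and ticket enctypes."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:  # Etype belongs to the most recently seen ticket
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def legacy_findings(tickets):
    """Return (service, field, etype) for every legacy enctype still in use."""
    findings = []
    for t in tickets:
        for field in ("skey", "tkt"):
            if t[field] in LEGACY_ETYPES:
                findings.append((t["service"], field, t[field]))
    return findings


if __name__ == "__main__":
    for service, field, etype in legacy_findings(parse_klist_ef(SAMPLE_KLIST)):
        print(f"{service}: {field} uses legacy enctype {etype}")
```

Run against the thread's example it flags only the session key, which is exactly what Todd's Etype line shows: the TGT itself is already AES.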