KRB5KDC_ERR_ETYPE_NOSUPP in protocol transition

Nikhil Mishra nikhilm at
Wed Jul 29 00:23:50 EDT 2009

Thanks Luke. I will take a look at the branch.

I have implemented both S4U2self and S4U2proxy.
I tested it with win2k3 SP2 and a limited set of hotfixes. This was
working fine and I was able to fetch the corresponding tickets.

It was after doing an auto upgrade that I started getting this error.

I suspect some default parameters being set in the Windows registry
are causing the issue.

Snippet from my krb5.conf:

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = WXYZ.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
# default-tgt-enctypes = rc4-hmac
 default-tkt-enctypes = des-cbc-md5 des-hmac-sha1 des-cbc-crc
# permitted-enctypes = rc4-hmac

Please find the diff attached. This diff is taken on krb 1.6.5.
I will also give it a shot against win2k8.



Luke Howard wrote:
> On 27/07/2009, at 11:17 AM, Nikhil Mishra wrote:
>> Hi All,
>> I made some changes in krb5_get_credentials to work for protocol
>> transition and constrained delegation.
> Sorry to duplicate the effort: you might want to take a look at the
> users/lhoward/s4u branch in SVN.
> That contains my in-progress implementation of S4U2Self and S4U2Proxy.
> Presently only S4U2Self (W2K3 protocol) is tested. (The W2K3 protocol
> has some weaknesses in that the S4U2Self request is not bound to the
> TGS-REQ. This was corrected in W2K8, but I haven't been able to get
> that to work yet.)
> As for your immediate problem, I'm not sure, because I haven't tested
> S4U2Proxy yet...
> cheers,
> -- Luke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: kerberos_cd.diff
Type: text/x-patch
Size: 21146 bytes

More information about the krbdev mailing list