Fw: Help: while using the Kerberos protocol not able to login into the system without password

Ashish verma ashish_mca at hotmail.com
Wed Dec 14 13:19:28 EST 2016


Hello,

We have configured an AD DC on Windows 2012 R2 and executed the ktpass command as follows:
C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

and logged in to the Windows client (a Windows 8.1 machine) with the domain user TestU1.

and set up the Kerberos key on the BS2000 machine using the /ADD-KEYTAB-ENTRY command, and Windows ID access authorizations are defined for the BS2000 user ID for single sign-on by the /MODIFY-LOGON-PROTECTION command.

While trying to log in to the BS2000 machine, it shows error code KRB0008 [which means encryption type is not supported or key version mismatch].

1. The list of supported encryption types on the BS2000 machine is as follows:

DES-CBC-CRC                    8  2016-12-07  10:21:40
DES-CBC-MD5                    8  2016-12-07  10:21:40
AES128-CTS                     8  2016-12-07  10:21:40
AES256-CTS                     8  2016-12-07  10:21:40
RC4-HMAC                       8  2016-12-07  10:21:40
RC4-HMAC-EXP

and we are using the encryption types AES256-SHA1 and AES128-SHA1; both are supported encryption types, but we are still not able to log in.

2. Also, regarding the key version mismatch, we are using the same Vno. in the /ADD-KEYTAB-ENTRY command, which is retrieved from the output of the ktpass command.

3. We have executed the ktpass command for the AES256-SHA1 and AES128-SHA1 encryption types, but while logging in as the domain user on the Windows 8.1 machine and executing the klist command on the Windows 2012 R2 machine, the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] is displayed and the ticket for encryption type AES128-SHA1 is not displayed.

4. Even after clearing the Kerberos tickets from the cache [klist -purge] and logging in again with the domain user on the Windows 8.1 machine, and using the klist command on the Windows 2012 R2 machine, the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] is displayed and the ticket for encryption type AES128-SHA1 is not displayed.

Please help in configuring the Kerberos.

Thank You


