krb5 1.15 interop with Windows 2000

Greg Hudson ghudson at
Mon Sep 18 10:42:48 EDT 2017

On 09/18/2017 08:49 AM, Weijun Wang wrote:
> I am running kinit against a Windows 2000 server and see 
>   kinit: KDC has no support for encryption type while getting initial credentials
> After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
> Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
> Is this an known issue?

It's not a familiar issue to me.  We also have Camellia enctypes in the
default list, so if the Windows 2000 KDC is simply erroring out on
unknown enctypes, one would think this issue would have manifested long ago.

If you put the aes-sha2 enctypes back but put them at the end rather
than third and fourth, does kinit still fail?  It's conceivable that
rc4-hmac needs to appear early enough in the list, or has to appear
before unknown enctypes, or something.

More information about the krbdev mailing list