krb5 1.15 interop with Windows 2000

Weijun Wang at
Mon Sep 18 11:06:20 EDT 2017

> On Sep 18, 2017, at 10:42 PM, Greg Hudson <ghudson at> wrote:
> On 09/18/2017 08:49 AM, Weijun Wang wrote:
>> I am running kinit against a Windows 2000 server and see 
>>  kinit: KDC has no support for encryption type while getting initial credentials
>> After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
>> Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
>> Is this an known issue?
> It's not a familiar issue to me.  We also have Camellia enctypes in the
> default list, so if the Windows 2000 KDC is simply erroring out on
> unknown enctypes, one would think this issue would have manifested long ago.
> If you put the aes-sha2 enctypes back but put them at the end rather
> than third and fourth, does kinit still fail?  It's conceivable that
> rc4-hmac needs to appear early enough in the list, or has to appear
> before unknown enctypes, or something.

Just tried some different combinations of default_tkt_enctypes. This error only happens when aes256-sha2 is placed before rc4-hmac. All other etypes are safe.

BTW, the server does not complain with its 1st PREAUTH_REQUIRED response, and in my 2nd AS-REQ, if I provide a wrong password, the error is PASSWORD_INCORRECT. Only if I provide the correct password it returns this error. Seems like it decides to choose etype of 20 but only realize it's not supported after a while.


More information about the krbdev mailing list