Douglas E. Engert | 2 Sep 22:27 2010

Re: KDC has no support for encryption type


On 9/2/2010 5:19 AM, Yves Martin wrote:
>   Hello,
>
> I'm also interested in tips about this "no support for encryption type".
>
> My Active Directory administrator has created a DES-CBC-MD5 keytab on a 2003
> server and
> $ kinit -k -t keytab HTTP/server.domain.com
> works on server-side but on a Linux client I get:
>
> $ kvno HTTP/server.domain.com
> kvno: KDC has no support for encryption type while getting credentials
> for HTTP/server.domain.com

See the 1.8.1 release notes:
http://web.mit.edu/Kerberos/krb5-1.8/README-1.8.1.txt

The krb5-1.8 release disables single-DES cryptosystems by default.  As
a result, you may need to add the libdefaults setting
"allow_weak_crypto = true" to communicate with existing Kerberos
infrastructures if they do not support stronger ciphers.

You should have the AD admin use RC4-HMAC-NT, as all current
Kerberos implementations can use this. Don't use DES if at all possible.

>
> My krb5.conf contains - for krb5 1.8.1 library version:
>   ticket_lifetime = 24h
>   renew_lifetime = 7d
>   kdc_req_checksum_type = 2
>   checksum_type = 2
>   ccache_type = 1
>   forwardable = true
>   proxiable = true
>   default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>   default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>   permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>

You most likely could drop these last three lines.

> Another strange point:
> the SSO has worked for a while (since keytab creation) with IE 8 on
> Windows XP but it no longer works now (I have rebooted my client ??)
>
> That is the first time I get such an error. Many other setups work fine,
> but generally with "rc4-hmac-nt" encryption.
>
> I have just discovered the "-crypto all" option for ktpass. What are its
> consequences?

Not sure, but keep in mind AD 2003 does not support AES; 2008 does.

>
> Any help is welcome
> Best regards
> Yves
>
> On Thu, 2010-09-02 at 10:04 +0200, Emmanuel Lesouef wrote:
>> Hello,
>>
>> I'm trying to authenticate part of a website using mod_auth_kerberos
>> with apache2 (version of module : 5.3-5 from debian lenny).
>>
>> I followed the following blog post :
>>
>> http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
>>
>> And read http://modauthkerb.sourceforge.net/configure.html also.
>>
>> Kerberos auth doesn't work and it leaves me with the following error :
>>
>> "failed to verify krb5 credentials: KDC has no support for encryption
>> type"
>>
>> Is there something to do with it ?
>>
>> The KDC is a windows 2008R2 server. Keytab was generated on a DC using
>> ktpass.
>

-- 

  Douglas E. Engert  <DEEngert <at> anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
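
The following is an added example, not part of the original thread or of MIT krb5: a small Python audit of the `[libdefaults]` enctype lists quoted above, showing which entries are single-DES and therefore disabled by default in krb5 1.8 unless `allow_weak_crypto = true` is set. The set of single-DES names, the accepted boolean spellings and the function names are assumptions of this example.

```python
import re

# Assumption: single-DES enctype names as they may be written in krb5.conf.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_VALUES = {"true", "t", "yes", "y", "on", "1"}  # assumption: accepted spellings

# Constructed sample based on the [libdefaults] lines quoted in the thread.
SAMPLE = """\
[libdefaults]
  forwardable = true
  default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

def parse_libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """List single-DES enctypes per setting and whether weak crypto is enabled."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in TRUE_VALUES
    findings = {}
    for key in ENCTYPE_KEYS:
        names = re.split(r"[\s,]+", conf.get(key, ""))
        weak = [n for n in names if n.lower() in SINGLE_DES]
        if weak:
            findings[key] = weak
    return {"allow_weak_crypto": weak_ok, "single_des": findings,
            "des_usable": weak_ok and bool(findings)}

if __name__ == "__main__":
    report = audit(SAMPLE)
    state = "enabled" if report["allow_weak_crypto"] else "disabled by default in krb5 1.8"
    for key, weak in report["single_des"].items():
        print(f"{key}: {', '.join(weak)} ({state})")
```
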
