2 Sep 2010 22:27
Re: KDC has no support for encryption type
Douglas E. Engert <deengert <at> anl.gov>
2010-09-02 20:27:27 GMT
On 9/2/2010 5:19 AM, Yves Martin wrote:
> Hello,
>
> I'm also interested in tips about this "no support for encryption type".
>
> My ActiveDirectory administrator has created DES-CBC-MD5 keytab on 2003
> server and
> $ kinit -k -t keytab HTTP/server.domain.com
> works on server-side but on a Linux client I get:
>
> $ kvno HTTP/server.domain.com
> kvno: KDC has no support for encryption type while getting credentials
> for HTTP/server.domain.com

See the 1.8.1 release notes:
http://web.mit.edu/Kerberos/krb5-1.8/README-1.8.1.txt

  The krb5-1.8 release disables single-DES cryptosystems by default. As a
  result, you may need to add the libdefaults setting
  "allow_weak_crypto = true" to communicate with existing Kerberos
  infrastructures if they do not support stronger ciphers.

You should have the AD admin use RC4-HMAC-NT, as all current Kerberos
implementations can use this. Don't use DES if at all possible.

>
> My krb5.conf contains - for krb5 1.8.1 library version:
> ticket_lifetime = 24h
> renew_lifetime = 7d
> kdc_req_checksum_type = 2
> checksum_type = 2
> ccache_type = 1
> forwardable = true
> proxiable = true
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>

You most likely could drop these last three lines.

> Another strange point:
> the SSO has worked for a while (since keytab creation) with IE 8 on
> Windows XP but it no longer works now (I have rebooted my client ??)
>
> That is the first time I get such an error. Many other setups work fine,
> but generally with "rc4-hmac-nt" encryption.
>
> I have just discovered "-crypto all" option for ktpass. What are its
> consequences ?

Not sure, but keep in mind AD 2003 does not support AES, 2008 does.

>
> Any help is welcome
> Best regards
> Yves
>
> On jeu, 2010-09-02 at 10:04 +0200, Emmanuel Lesouef wrote:
>> Hello,
>>
>> I'm trying to authenticate part of a website using mod_auth_kerberos
>> with apache2 (version of module : 5.3-5 from debian lenny).
>>
>> I followed the following blog post :
>>
>> http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/
>>
>> And read http://modauthkerb.sourceforge.net/configure.html also.
>>
>> Kerberos auth doesn't work and it leaves me with the following error :
>>
>> "failed to verify krb5 credentials: KDC has no support for encryption
>> type"
>>
>> Is there something to do with it ?
>>
>> The KDC is a windows 2008R2 server. Keytab was generated on a DC using
>> ktpass.
>
> --

--
Douglas E. Engert <DEEngert <at> anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
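The enctype mismatch discussed in this thread can be checked offline. The script below is an added example, not part of the original message or of MIT krb5: it reads the [libdefaults] enctype settings of a krb5.conf, lists the single-DES entries, and shows what is left to match a service key when allow_weak_crypto is not enabled. The function names, the single-DES name set and the sample text are assumptions of this example.

```python
import re

# Single-DES enctype names checked by this example (krb5.conf spellings).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
TRUE_WORDS = {"true", "yes", "on", "1", "y", "t"}

def parse_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values

def audit(text):
    """Per enctype setting: single-DES entries, and what stays usable without them."""
    conf = parse_libdefaults(text)
    weak_ok = conf.get("allow_weak_crypto", "false").lower() in TRUE_WORDS
    settings = {}
    for key in ENCTYPE_KEYS:
        if key in conf:
            listed = re.split(r"[\s,]+", conf[key])
            weak = [e for e in listed if e.lower() in SINGLE_DES]
            usable = listed if weak_ok else [e for e in listed if e not in weak]
            settings[key] = {"single_des": weak, "usable": usable}
    return {"allow_weak_crypto": weak_ok, "settings": settings}

def common_with_service_key(text, key_enctypes):
    """Configured TGS enctypes still usable that the service key also has."""
    tgs = audit(text)["settings"].get("default_tgs_enctypes", {"usable": []})
    return [e for e in tgs["usable"] if e in key_enctypes]

# Constructed sample, built from the krb5.conf lines quoted in the message.
SAMPLE = """[libdefaults]
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

if __name__ == "__main__":
    print(audit(SAMPLE), common_with_service_key(SAMPLE, {"des-cbc-md5"}))
```

With the sample configuration and a service key that exists only as des-cbc-md5, nothing is left in common; a key that also exists as rc4-hmac matches without enabling weak crypto.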