Chris,
    Here is a response from our Kerberos guy regarding your question:
 
Mike Thommes
Argonne National Laboratory
-----Original Message-----
From: Engert, Douglas E.
Sent: Tuesday, July 27, 2004 3:46 PM
To: Thommes, Michael M.
Subject: Re: FW: [ActiveDir] Kerberos interoperability question

Mike, can you forward my reply below?
   

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 27, 2004 2:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos interoperability question

We are trying to have our users authenticate to an MIT5 Kerberos realm. I've followed the process for setting up an XP client to allow a user to get a ticket from the realm, but I keep getting event id 529 and 537 errors, which are pretty cryptic. On the Unix side, the error is as below:

Jul 27 13:11:07 kerberos-beta00 krb5kdc[1347]: [ID 702911 local3.info] AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 128.xxx.xxx.xxx: BAD_ENCRYPTION_TYPE: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], KDC has no support for encryption type
 

The client is asking for a ticket with specific enctypes. The KDC says it does not have a key for the user with any of these encryption types.
The KDC may only have a 3des key type of 16 or 7 registered. Ask your Kerberos admin. What version of the KDC code are you running?
You may have to add another key for the user.
 

The only common ones between MIT and Microsoft currently are 1, 3, 23.  17, and 18 are in the works.

The "standard" enctypes from the soon-to-be-released draft-ietf-krb-wg-crypto-07.txt are listed below.
The -133, -128 and -135 are Microsoft specific.
 
 

     encryption type                etype      section or comment
     -----------------------------------------------------------------
     des-cbc-crc                        1             6.2.3
     des-cbc-md4                        2             6.2.2
     des-cbc-md5                        3             6.2.1
     [reserved]                         4
     des3-cbc-md5                       5
     [reserved]                         6
     des3-cbc-sha1                      7
     dsaWithSHA1-CmsOID                 9           (pkinit)
     md5WithRSAEncryption-CmsOID       10           (pkinit)
     sha1WithRSAEncryption-CmsOID      11           (pkinit)
     rc2CBC-EnvOID                     12           (pkinit)
     rsaEncryption-EnvOID              13   (pkinit from PKCS#1 v1.5)
     rsaES-OAEP-ENV-OID                14   (pkinit from PKCS#1 v2.0)
     des-ede3-cbc-Env-OID              15           (pkinit)
     des3-cbc-sha1-kd                  16              6.3
     aes128-cts-hmac-sha1-96           17          [KRB5-AES]
     aes256-cts-hmac-sha1-96           18          [KRB5-AES]
     rc4-hmac                          23          (Microsoft)
     rc4-hmac-exp                      24          (Microsoft)
     subkey-keymaterial                65     (opaque; PacketCable)


Has anyone ever come across this type of scenario, and if so, how did you fix it?
Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
 

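The diagnosis Doug gives above (client offers a list of etypes, KDC has no key in any of them, so it logs BAD_ENCRYPTION_TYPE) can be checked mechanically against the krb5kdc log line. The following is an added example, not code from the thread or from MIT Kerberos: it parses an AS_REQ log line of the shape quoted above, names each offered etype using the table in the thread, flags the negative Microsoft-specific values, and compares the offer against the set of etypes the KDC actually holds keys for. The sample log line, the principal names, the client address and the KDC key set ({16, 7}, following Doug's "3des key type of 16 or 7" guess) are all constructed for the example.

```python
import re

# Etype numbers and names as listed in the thread (draft-ietf-krb-wg-crypto-07).
# Negative values are Microsoft-specific and do not appear in the IETF table.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-md5",
    7: "des3-cbc-sha1", 16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}

# Etypes the thread says MIT and Microsoft have in common at the time (1, 3, 23).
COMMON_MIT_MS = {1, 3, 23}

# Constructed sample line in the format quoted in the thread; principals and IP are placeholders.
SAMPLE_LOG = (
    "Jul 27 13:11:07 kerberos-beta00 krb5kdc[1347]: [ID 702911 local3.info] "
    "AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: BAD_ENCRYPTION_TYPE: "
    "user@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, KDC has no support for encryption type"
)

# Constructed assumption: the KDC only holds des3 keys of type 16 and 7 for this user.
ASSUMED_KDC_KEY_ETYPES = {16, 7}

AS_REQ_RE = re.compile(
    r"AS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<error>[A-Z_]+): (?P<client>\S+) for (?P<server>[^,\s]+)"
)


def parse_as_req(line):
    """Extract the etype list, peer address, error code and principals from one AS_REQ log line.
    Returns None when the line is not an AS_REQ record."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(tok) for tok in m.group("etypes").split()]
    return {
        "count": int(m.group("count")),
        "etypes": etypes,
        "client_ip": m.group("client_ip"),
        "error": m.group("error"),
        "client": m.group("client"),
        "server": m.group("server"),
    }


def classify_etypes(etypes, kdc_key_etypes):
    """Compare the etypes a client offered with the etypes the KDC holds keys for.
    would_fail is True when there is no overlap, i.e. the KDC must answer BAD_ENCRYPTION_TYPE."""
    usable = [e for e in etypes if e in kdc_key_etypes]
    return {
        "offered": [(e, ETYPE_NAMES.get(e, "microsoft-specific" if e < 0 else "unknown"))
                    for e in etypes],
        "usable_by_kdc": usable,
        "microsoft_specific": [e for e in etypes if e < 0],
        "mit_ms_common": [e for e in etypes if e in COMMON_MIT_MS],
        "would_fail": not usable,
    }


def diagnose(line, kdc_key_etypes):
    """Parse one log line and report whether the offered etypes explain the KDC error."""
    rec = parse_as_req(line)
    if rec is None:
        return None
    info = classify_etypes(rec["etypes"], kdc_key_etypes)
    info["etype_count_matches"] = rec["count"] == len(rec["etypes"])
    info.update(client=rec["client"], client_ip=rec["client_ip"], error=rec["error"])
    return info


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, ASSUMED_KDC_KEY_ETYPES)
    print(f"{result['client']} from {result['client_ip']} -> {result['error']}")
    for num, name in result["offered"]:
        print(f"  offered etype {num:5d}  {name}")
    print("  Microsoft-specific:", result["microsoft_specific"])
    print("  common MIT/MS etypes offered:", result["mit_ms_common"])
    print("  usable with KDC keys", sorted(ASSUMED_KDC_KEY_ETYPES), "->", result["usable_by_kdc"])
    print("  request would fail:", result["would_fail"])
```

Run against the constructed line with the assumed {16, 7} key set, the offer and the KDC keys do not intersect, which is exactly the BAD_ENCRYPTION_TYPE case in the thread; adding a key in one of the common etypes (for instance 23, rc4-hmac) to the assumed set makes the overlap non-empty, which is the "add another key for the user" fix Doug describes.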