I was able to get the SPNEGO to work. The Kerberos KDC was on Windows Server
2003.
When I attempt to use the same configuration against Windows Server 2008 it
fails with the following exception:
Caused by: KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
    at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
    at sun.security.krb5.Credentials.sendASRequest(Credentials.java:406)
    at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
    ... 77 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
    ... 81 more
Looking at the network packets I see:
AS-REQ -- drill down inside the packet and encryption types are set to:
des-cbc-md5 des-cbc-crc rc4-hmac des3-cbc-sha1 aes128-cts-hmac-sha1-96
KDC returns preauth required -- this is expected
New AS-REQ -- drill down inside the packet and the encryption type is
aes128-cts-hmac-sha1-96
KDC returns KRB5KDC_ERR_ETYPE_NOSUPP
On Windows Server 2003 the second AS-REQ is expecting the rc4-hmac...
Does anyone have any experience with this?
Thanks
Dean
--
View this message in context:
http://www.nabble.com/CAS-SPNEGO--Active-Directory-on-windows-server-2008-vs-2003-tp25531308p25531308.html
Sent from the CAS Users mailing list archive at Nabble.com.