On 4/8/13 7:16 PM, Kiran Ayyagari wrote:
> very likely that the default weak encryption type set in ApacheDS is the
> reason.
>
> either you enable the weak encryption support in krb5.conf
>
> [libdefaults]
>        allow_weak_crypto = true
>
> or modify the encryption types configured in ApacheDS
>
>  1. go to the entry
> ads-serverId=kerberosServer,ou=servers,ads-directoryServiceId=default,ou=config
>
>  2. remove des3-cbc-sha1-kd from ads-krbEncryptionTypes attribute (you can
> add another value like aes256-cts-hmac-sha1-96)
>
>  3. restart the server
>
> let us know if you still have an issue

I wonder if this is not related to a bug I fixed 2 or 3 weeks ago: the
selection of the encryption mechanism is not correct in M11, and the
encryption type used by the client does not match the one used by the
server?

The workaround on the server would be to remove all the weak
encryptionTypes to only keep AES256.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 
