First, I would strongly suggest that you set the allowed encryption types by GPO, not by setting registry on machines.
By default, all new external trust relationships created on Windows Server 2008 R2 will use only RC4-HMAC for the cross-realm enctype. You must use ksetup to enable/disable other enctypes (This will update the msDS-SupportedEncryptionTypes attribute on the trust object in AD you feel brave) -Ross -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Grant Cohoe Sent: Sunday, January 23, 2011 3:19 PM To: [email protected] Subject: Cross-Platform/Realm Authentication Error Assistance Hello, My organization is in the process of integrating an Active Directory server into our current UNIX-based environment for the purposes of account management and workstation policy. We currently have an MIT Kerberos KDC with realm EXAMPLE.COM (replacing my actual realms and domains). We now have the AD domain of AD.EXAMPLE.COM running on a Windows Server 2008R2 server. Following the guide here (http://pig.made-it.com/kerberos-trust.html), I have attempted to set up an outgoing realm trust between EXAMPLE.COM and AD.EXAMPLE.COM (in that the latter trusts the former for authentication). I am currently testing with a Windows 7 workstation that has been joined the the AD domain. Our MIT KDC currently supports DES-CBC-CRC only (something we are in the process of changing), so I ran gpedit on the Windows 7 client and added the appropriate settings according to this TechNet article (http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx). I have also specified this policy on the DC. On the AD DC, I set the "Use Kerberos DES encryption types for this account" flag for my testing user account. Using my EXAMPLE.COM credentials and monitoring the network traffic, I can see the AS and TGS communication between the Windows 7 client and the MIT KDC and all seems well there. However when the Windows 7 client attempts to communicate with the AD DC (TGS-REQ), I get a "KRB5KDC_ERR_ETYPE_NOSUPP" error. At first, I thought it was just some encryption type mismatches. In the TGS-REQ to the AD DC, I can see multiple encryption types including DES-CBC-CRC, yet something in AD isn't liking this. As per this document (http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems), my suspicions were confirmed that it is indeed an encryption problem, but I am unsure as to how to go about fixing this on the AD DC. Could anyone help shed some light on what is happening or provide some ideas for how to fix this? Thank you in advance for any help you can provide, -- Grant Cohoe System Administrator, Computer Science House Applied Networking and System Administration Rochester Institute of Technology ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
