I ran 'ksetup /getenctypeattr EXAMPLE.COM' on the AD DC and it returned "Enctypes for domain EXAMPLE.COM: DES-CBC-CRC". I set this earlier with 'ksetup /setenctypeattr EXAMPLE.COM DES-CBC-CRC'. Still no good. Where in AD might I find the actual trust object? I looked through ADSI Editor and was unable to locate anything that looked related to this.
Thanks! On Mon, Jan 24, 2011 at 12:26 PM, Wilper, Ross A <[email protected]> wrote: > First, I would strongly suggest that you set the allowed encryption types by > GPO, not by setting registry on machines. > > By default, all new external trust relationships created on Windows Server > 2008 R2 will use only RC4-HMAC for the cross-realm enctype. You must use > ksetup to enable/disable other enctypes (This will update the > msDS-SupportedEncryptionTypes attribute on the trust object in AD you feel > brave) > > -Ross > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of > Grant Cohoe > Sent: Sunday, January 23, 2011 3:19 PM > To: [email protected] > Subject: Cross-Platform/Realm Authentication Error Assistance > > Hello, > > My organization is in the process of integrating an Active Directory > server into our current UNIX-based environment for the purposes of > account management and workstation policy. > > We currently have an MIT Kerberos KDC with realm EXAMPLE.COM > (replacing my actual realms and domains). We now have the AD domain of > AD.EXAMPLE.COM running on a Windows Server 2008R2 server. Following > the guide here (http://pig.made-it.com/kerberos-trust.html), I have > attempted to set up an outgoing realm trust between EXAMPLE.COM and > AD.EXAMPLE.COM (in that the latter trusts the former for > authentication). I am currently testing with a Windows 7 workstation > that has been joined the the AD domain. Our MIT KDC currently > supports DES-CBC-CRC only (something we are in the process of > changing), so I ran gpedit on the Windows 7 client and added the > appropriate settings according to this TechNet article > (http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx). I > have also specified this policy on the DC. On the AD DC, I set the > "Use Kerberos DES encryption types for this account" flag for my > testing user account. > > Using my EXAMPLE.COM credentials and monitoring the network traffic, I > can see the AS and TGS communication between the Windows 7 client and > the MIT KDC and all seems well there. However when the Windows 7 > client attempts to communicate with the AD DC (TGS-REQ), I get a > "KRB5KDC_ERR_ETYPE_NOSUPP" error. At first, I thought it was just some > encryption type mismatches. In the TGS-REQ to the AD DC, I can see > multiple encryption types including DES-CBC-CRC, yet something in AD > isn't liking this. As per this document > (http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems), my > suspicions were confirmed that it is indeed an encryption problem, but > I am unsure as to how to go about fixing this on the AD DC. Could > anyone help shed some light on what is happening or provide some ideas > for how to fix this? > > Thank you in advance for any help you can provide, > -- > Grant Cohoe > > System Administrator, Computer Science House > Applied Networking and System Administration > Rochester Institute of Technology > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Grant Cohoe System Administrator, Computer Science House Applied Networking and System Administration Rochester Institute of Technology ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
