On Thu, Jul 28, 2011 at 2:22 PM, Sabharanjak, Ravi <[email protected]> wrote:
> Hello all,
>
> I am not able to get a ticket from a Server 2008 or a Server 2008 R2 KDC from a Java, Solaris or Linux client unless I constrain the client to use RC4-HMAC for the encryption types. (Have tried this using kfw-3-2-2 on Windows as well). Is Server 2008+ not interoperable with these Kerberos implementations?
>
> A brief background - if the domain is not in Server 2008+ functionality mode (i.e. there are 2003 or older domain controllers in the environment), Server 2008+ does not enable support for AES encryption (unless the client is a Vista+ client that has updated the msDS-SupportedEncryptionTypes attribute in its user object). Server 2008+ also does not enable support for DES by default.
>
> In the network traces, I can see clients proposing to use DES, RC4-HMAC and AES for the AS-REQ if they are not configured to be limited to using RC4-HMAC. I am expecting the client and the KDC to settle on the use of RC4-HMAC, however the KDC replies with KRB5KDC_ERR_ETYPE_NOSUPP.
>
> I don't want to constrain the clients to use just RC4-HMAC, as I want them to switch to AES automatically when the domain functional level is upgraded and AES support becomes available on the DC.
>
> The Java version is the latest off Java.com. The Linux and Solaris versions are fairly current.
>
> Wireshark traces attached. Any help you can provide or insights into why this is not working out would be greatly appreciated.
Hi Ravi,

I think you probably need to do something like:

    permitted_enctypes = aes128-cts rc4-hmac

[But I just typed this in from memory, double check at your end what the right parameter values are.]

It sounds like Windows does not like clients even offering to do DES maybe. I agree that the Windows KDC should probably just ignore DES but maybe that's Windows' way of disabling DES at the front door as a precaution in the case where old accounts still have DES keys laying around.

Java shouldn't even be trying DES anymore. Make sure you're not using an old Java. But I would not be surprised if Java is still trying to do DES. The Java Kerberos implementation is not particularly good and it has had a sorry history.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
