Hi Robert,

Thank you for the reply.

We fixed the problem yesterday. You are absolutely right: as per the Windows 2008 R2 help documentation, Windows only supports the below encryption types:

http://technet.microsoft.com/en-us/library/cc753771.aspx

    [/crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]

We had previously tried generating the keytab file with both AES 256-SHA1 & the RC4-HMAC-NT. However our ktpass command on the Windows AD had mentioned that DES encryption type be not selected.

    ktpass -princ SBQADM/<Fully Qualified Hostname>[email protected] -mapuser MYDOMAIN\SBQADM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set *-DESONLY* -pass na8Exe12 -out sbq.keytab

However, after the keytab was generated, the SBQADM user's settings revealed that the DES encryption was still selected. However we didn't realize this as the keytab file did not show us this at all. The keytab shows us ARCFOUR-HMAC and nowhere does it mention that DES encryption is selected.

    orsapbisbx01:sbqadm 52> klist -e
    Ticket cache: FILE:/tmp/krb5cc_500
    Default principal: SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

    Valid starting     Expires            Service principal
    08/01/14 00:39:30  08/01/14 10:39:30  krbtgt/[email protected]
            renew until 08/08/14 00:39:30, Etype (skey, tkt): *arcfour-hmac, arcfour-hmac*
    orsapbisbx01:sbqadm 53>

But after we got the error via kvno,

    orsapbisbx01:sbqadm 56> /usr/bin/kvno -k /etc/krb5.keytab SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
    kvno: KDC has no support for encryption type while getting credentials for SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM

When we cross-checked the user SBQADM on the AD, there was a checkbox with the option DES encryption checked. This was causing the problem. The moment we unchecked this option on the AD for the user and regenerated the Kerberos ticket via kinit, the kvno was able to validate the Kerberos ticket validity and the encryption type.
The SSO started working as well for us. Thanks a lot for your suggestion and help.

Warm Regards
Prashant Vijaydas
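
The mismatch described in this message (keytab and ticket cache showing arcfour-hmac while the AD account was still flagged for DES) can be checked from the account attributes instead of the checkbox. The following is an added example, not part of the original post: the account records and the KDC's enabled etypes are constructed assumptions, and the bit values are those Microsoft documents for userAccountControl and msDS-SupportedEncryptionTypes.

```python
UF_USE_DES_KEY_ONLY = 0x200000  # userAccountControl: "Use DES encryption types for this account"

# msDS-SupportedEncryptionTypes bits -> MIT Kerberos etype names
ETYPE_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "arcfour-hmac",
              0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
DES_ETYPES = {"des-cbc-crc", "des-cbc-md5"}


def account_etypes(uac, enc_mask):
    """Etypes the account is restricted to, or None if nothing is set."""
    if uac & UF_USE_DES_KEY_ONLY:
        return set(DES_ETYPES)          # the DES-only flag overrides the mask
    names = {name for bit, name in ETYPE_BITS.items() if enc_mask & bit}
    return names or None


def audit(account, keytab_etypes, kdc_etypes):
    """Return a list of findings for one service account."""
    findings = []
    uac = account["userAccountControl"]
    allowed = account_etypes(uac, account.get("msDS-SupportedEncryptionTypes") or 0)
    if allowed is None:
        return findings                 # no per-account restriction to check
    if uac & UF_USE_DES_KEY_ONLY:
        findings.append("DES-only flag set on account")
    if not allowed & kdc_etypes:
        findings.append("KDC enables none of the account's etypes")
    unusable = sorted(set(keytab_etypes) - allowed)
    if unusable:
        findings.append("keytab etypes not allowed for account: " + ", ".join(unusable))
    return findings


# Constructed sample data (hypothetical attribute values, not from the thread's directory).
# Assumption: the KDC has DES disabled and RC4/AES enabled.
KDC_ETYPES = {"arcfour-hmac", "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
# 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD
BEFORE = {"sAMAccountName": "SBQADM", "userAccountControl": 0x200000 | 0x10000 | 0x200}
AFTER = {"sAMAccountName": "SBQADM", "userAccountControl": 0x10000 | 0x200,
         "msDS-SupportedEncryptionTypes": 0x04}

if __name__ == "__main__":
    for label, acct in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(acct, ["arcfour-hmac"], KDC_ETYPES) or "ok")
```

The etype list passed as `keytab_etypes` is what `klist -e -k` reports for the keytab; the account attributes can be read with any LDAP query tool.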
