Hi Robert,

Thanks for the reply. My problem is fixed; it was due to a wrong encryption type.

Warm Regards
Prashant

On Sat, Aug 2, 2014 at 2:02 PM, vijaydpr [via Kerberos] <[email protected]> wrote:

> Hi Robert,
>
> Thank you for the reply.
>
> We have fixed the problem yesterday.
> You are absolutely right, as per the Windows 2008 R2 help documentation,
> Windows only supports the below encryption types
> http://technet.microsoft.com/en-us/library/cc753771.aspx
>
> [/crypto
> {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}]
>
> We had previously tried generating the keytab file with both AES 256-SHA1
> & the RC4-HMAC-NT.
> However, our ktpass command on the Windows AD had mentioned that DES
> encryption type not be selected.
>
> ktpass -princ SBQADM/<Fully Qualified Hostname>[email protected]
> -mapuser MYDOMAIN\SBQADM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
> -mapop set *-DESONLY* -pass na8Exe12 -out sbq.keytab
>
> However, after the keytab was generated, the SBQADM user's settings
> revealed that the DES encryption was still selected. However, we didn't
> realize this as the keytab file did not show us this at all.
> The keytab shows us ARCFOUR-HMAC and nowhere does it mention that DES
> encryption is selected.
>
> orsapbisbx01:sbqadm 52> klist -e
> Ticket cache: FILE:/tmp/krb5cc_500
> Default principal: SBQADM/<Fully Qualified Hostname>.mydomain.com>@
> MYDOMAIN.COM
>
> Valid starting Expires Service principal
> 08/01/14 00:39:30 08/01/14 10:39:30 krbtgt/[email protected]
> renew until 08/08/14 00:39:30, Etype (skey, tkt): *arcfour-hmac,
> arcfour-hmac*
> orsapbisbx01:sbqadm 53>
>
> But after we got the error via kvno,
> orsapbisbx01:sbqadm 56> /usr/bin/kvno -k /etc/krb5.keytab SBQADM/<Fully
> Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
> kvno: KDC has no support for encryption type while getting credentials for
> SBQADM/<Fully Qualified Hostname>.mydomain.com>@MYDOMAIN.COM
>
> When we cross-checked the user SBQADM on the AD, there was a checkbox
> with the option DES encryption checked. This was causing the problem. The
> moment we unchecked this option on the AD for the user and regenerated
> the Kerberos ticket via kinit, the kvno was able to validate the Kerberos
> ticket validity and the encryption type.
>
> The SSO started working as well for us. Thanks a lot for your suggestion
> and help.
>
> Warm Regards
> Prashant Vijaydas

--
View this message in context: http://kerberos.996246.n3.nabble.com/KDC-has-no-support-for-encryption-type-tp41083p41106.html
Sent from the Kerberos - General mailing list archive at Nabble.com.
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
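
The mismatch described in this thread, as an added example that is not part of the original messages: it decodes an account's userAccountControl and msDS-SupportedEncryptionTypes values and compares them with the enctype that klist -e reports for the TGT. The attribute values, the RC4 default for an unset attribute, and all function names are assumptions made for the example.

```python
import re

# userAccountControl bit behind AD's "Use Kerberos DES encryption types" box.
USE_DES_KEY_ONLY = 0x200000

# msDS-SupportedEncryptionTypes bits, as MIT Kerberos enctype names.
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DES = {"des-cbc-crc", "des-cbc-md5"}


def account_enctypes(uac, supported=0):
    """Enctypes the KDC can use for tickets to this account."""
    if uac & USE_DES_KEY_ONLY:
        return set(DES)  # the flag restricts the account to DES keys
    names = {name for bit, name in ENCTYPE_BITS.items() if supported & bit}
    # Assumption for this example: an unset attribute means RC4.
    return names or {"arcfour-hmac"}


def tgt_enctypes(klist_output):
    """Enctypes on the 'Etype (skey, tkt):' lines of `klist -e` output."""
    found = re.findall(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)", klist_output)
    return {name for pair in found for name in pair}


def diagnose(uac, supported, client_enctypes):
    """Return findings explaining an enctype mismatch, if any."""
    findings = []
    if uac & USE_DES_KEY_ONLY:
        findings.append("USE_DES_KEY_ONLY set on account")
    if not account_enctypes(uac, supported) & set(client_enctypes):
        findings.append("no enctype shared by account and client")
    return findings


# Constructed sample data, modelled on the thread (not real directory output).
KLIST = "renew until 08/08/14 00:39:30, Etype (skey, tkt): arcfour-hmac, arcfour-hmac"
UAC_DES_CHECKED = 0x200 | USE_DES_KEY_ONLY   # NORMAL_ACCOUNT + DES checkbox
UAC_DES_CLEARED = 0x200
if __name__ == "__main__":
    client = tgt_enctypes(KLIST)  # what the client negotiated for the TGT
    print(diagnose(UAC_DES_CHECKED, 0, client))
    print(diagnose(UAC_DES_CLEARED, 0, client))
```

The TGT enctype comes from the krbtgt account, not the service account, which is why klist -e gave no hint of the DES setting in the thread.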
