I am configuring an apache/SSO authentication with an AD with Kerberos. My http server is a Debian Wheezy and the AD is a Windows Server 2012.
I generated keytab files on WS2012 with the kpass command for each encryption type available on WS2012.
When I try to open a session with a user [email protected] with kinit, it works.
When I try to open a session with my HTTP/[email protected], I get the message:
kvno HTTP/[email protected]
kvno: KDC has no support for encryption type while getting credentials for HTTP/[email protected]
Also, when I check the encryption used for [email protected], I have:
root@SERVER:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
03/04/2015 12:48:21 03/04/2015 22:48:17 krbtgt/[email protected]
renew until 04/04/2015 12:48:21, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
I tried to customize my /etc/krb5.conf with:
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
and by using the keytab file encrypted with arcfour-hmac, without success.
I don't understand how to change the encryption type used to communicate, why it always wants arcfour-hmac, and why, when I give it arcfour-hmac encryption, nothing changes...
How can I be sure that my /etc/krb5.conf changes are effective, and how do I make the Kerberos ticket generation work too?
The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes attribute of the domain controller's computer object. In a default installation, they are typically something like: This is a bitmask which works out to decimal 28, so it'd be something like 00011100.
So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have either of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.
(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)
I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)
I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.
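As an added illustration (not code from the answer above, nor the KDC's own logic), this script decodes the msDS-SupportedEncryptionTypes bitmask and intersects it with a krb5.conf enctype line, reproducing why only RC4 survives with the poster's settings; the flag values are the documented ones, and the alias table uses the spellings MIT krb5 accepts in krb5.conf.

```python
# Added example (not part of the answer above). Bit values are the published
# msDS-SupportedEncryptionTypes flags; the alias table covers krb5.conf spellings.
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 0x01, 0x02, 0x04
AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 = 0x08, 0x10

# Canonical name for each flag, in ascending bit order
FLAG_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "rc4-hmac",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
}

# Names MIT Kerberos accepts in krb5.conf for the same enctypes
ALIASES = {
    "arcfour-hmac": RC4_HMAC, "arcfour-hmac-md5": RC4_HMAC, "rc4-hmac": RC4_HMAC,
    "des-cbc-crc": DES_CBC_CRC, "des-cbc-md5": DES_CBC_MD5,
    "aes128-cts": AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96": AES128_CTS_HMAC_SHA1_96,
    "aes256-cts": AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96": AES256_CTS_HMAC_SHA1_96,
}


def decode_supported_enctypes(value):
    """Names of the enctypes set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def client_enctype_mask(enctype_line):
    """Bitmask for a krb5.conf enctype list such as default_tgs_enctypes."""
    mask = 0
    for token in enctype_line.split():
        if token not in ALIASES:
            raise ValueError("unknown enctype name: " + token)
        mask |= ALIASES[token]
    return mask


def negotiated_enctypes(kdc_value, enctype_line):
    """Enctypes both sides share; empty means 'KDC has no support for encryption type'."""
    return decode_supported_enctypes(kdc_value & client_enctype_mask(enctype_line))


if __name__ == "__main__":
    # The question's values: default DC mask 28 and the poster's krb5.conf enctype line
    print(format(28, "08b"), decode_supported_enctypes(28))
    print(negotiated_enctypes(28, "arcfour-hmac-md5 des-cbc-crc des-cbc-md5"))  # ['rc4-hmac']
```

Swapping the DES names for aes256-cts-hmac-sha1-96 in the enctype line makes the intersection grow, which is the change the answer is pointing at.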
This is the most generic problem while configuring Kerberos. Please resolve this by doing the following:
1) vi /var/kerberos/krb5kdc/kdc.conf
2) check for supported_enctypes, and use any encryption techniques mentioned in there.
Hope this resolves the problem.