KDC has no support for encryption type (14)
Hi
I am trying to get AD authentication working. I can set it up on the "Array Manager" and
kinit works for the user set in the "Array manager" and for the user trying to login.
However, setting the log filter for login errors, I see the following problem:
Exception was: javax.naming.AuthenticationException: KDC has no support for encryption type (14) [Root exception is KrbException: KDC has no support for encryption type (14)]
at com.sco.tta.server.security.java14.KerberosAuth.login(KerberosAuth.java:286)
at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:390)
....
I have tried changing the values in krb5.conf but I keep getting the above error.
I am testing SGD on a T2000 cool server.
[788 byte] By [readuni1] at [2007-11-25 22:25:09]

# 1
This error suggests a problem with your Kerberos config file, specifically a mismatch between supported encryption types. Have you specified the default_tkt_enctypes and/or default_tgs_enctypes keywords in your krb5.conf file? AFAIK, the only common encryptions between MIT krb5 and AD are "des-cbc-crc" and "des-cbc-md5"; if you have something different, this will fail.
Also, I don't know if this applies, but I found this:
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )
By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.
Here is the location of the registry setting on Windows XP SP2:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
from this page: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
Some other possibly useful URLs:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/activedir_auth_enabling.html
http://docs.sun.com/app/docs/doc/816-5174/6mbb98ugh?a=view
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
Hope this helps.
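
An added example, not part of the original posts: a small check of the enctype mismatch described in reply #1, which reads the default_tkt_enctypes and default_tgs_enctypes lines from krb5.conf text and reports which listed types the KDC also accepts. The KDC's accepted set is an assumption supplied by the caller (the default is the pair named in the reply), and the sample file, realm and host names are constructed.

```python
import re

# Assumption: the enctypes the KDC accepts are supplied by the caller; the
# default is the pair named in reply #1, not a value queried from a real KDC.
KDC_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults(text):
    """Return key -> value for the [libdefaults] section of krb5.conf text."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def enctype_overlap(text, kdc=KDC_ENCTYPES):
    """For each enctype key that is set, list the enctypes shared with the KDC."""
    conf = libdefaults(text)
    result = {}
    for key in KEYS:
        if key in conf:
            # Lists may be separated by whitespace, commas, or both.
            wanted = re.split(r"[,\s]+", conf[key].lower())
            result[key] = [e for e in wanted if e in kdc]
    return result

def mismatched(text, kdc=KDC_ENCTYPES):
    """Keys whose list shares nothing with the KDC: the case that fails."""
    return sorted(k for k, v in enctype_overlap(text, kdc).items() if not v)

# Constructed sample, not the poster's file.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1
    default_tgs_enctypes = des3-cbc-sha1, des-cbc-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

if __name__ == "__main__":
    print(enctype_overlap(SAMPLE))
    print("no common enctype:", mismatched(SAMPLE))
```

A key that is absent from the file is not reported, since the library defaults then apply rather than an explicit list.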