KDC has no support for encryption type

Hi,

I hope not too many people are skipping this post because of the very common error message. But I'm really somewhat confused:

For testing Kerberos 5 SSO I set up a little domain controller running Windows 2003 Server and a client in the domain running Windows XP. In the Active Directory I created a service account with the logon test-service and a user account test-user. The switch "Use DES encryption types for this account" is set for both accounts and I reset the passwords after setting the switch. Additionally I added a service principal name test/test.krbtest.local to the service account.

On the client machine I execute a very simple Java client program that tries to obtain a service ticket for the service test/test.krbtest.local. If I configure the client to prompt for a password, the service ticket is obtained without a problem using etype 3 (sun.security.krb5.internal.crypto.DesCbcMd5EType). But when trying to read the existing TGT from the native Windows cache the client exits with:

KDC has no support for encryption type (14)

The debug output tells the following:

>>> Obtained TGT from LSA: Credentials:

client=test-user@KRBTEST.LOCAL

server=krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL

authTime=20070413112833Z

startTime=20070413112833Z

endTime=20070413212833Z

renewTill=20070420112833Z

flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT

EType (int): 0

Principal is test-user@KRBTEST.LOCAL

Commit Succeeded

Found ticket for test-user@KRBTEST.LOCAL to go to krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL expiring on Fri Apr 13 23:28:33 CEST 2007

Entered Krb5Context.initSecContext with state=STATE_NEW

Found ticket for test-user@KRBTEST.LOCAL to go to krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL expiring on Fri Apr 13 23:28:33 CEST 2007

Service ticket not found in the subject

>>> Credentials acquireServiceCreds: same realm

Using builtin default etypes for default_tgs_enctypes

default etypes for default_tgs_enctypes: 3 1 23 16 17.

>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType

>>> EType: sun.security.krb5.internal.crypto.NullEType

...

Note that it says "EType (int): 0" which I think is no valid encryption type at all. klist (from the Windows Resource Kit) tells me that my tickets look like:

Server: krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL

KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

End Time: 4/13/2007 23:28:33

Renew Time: 4/20/2007 13:28:33

...

But as mentioned above I set the option "Use DES encryption types for this account" for both the user and service account. Am I doing something wrong here?

Additionally I thought Java 1.5.11 would support RC4-HMAC, is that wrong?

Even more confusing:

If I remove the "Use DES encryption types for this account" switch for the two accounts and configure my Java client program to prompt for a password, a ticket is obtained using the RC4-HMAC encryption type 23 (sun.security.krb5.internal.crypto.ArcFourHmacEType). But using the ticket from the cache again does not work.

I'd appreciate any comments on that since I'm totally confused by now and have no idea how to get this SSO thing working correctly in Java.

Cheers

P.S.:

I just wanted to mention that adding

default_tkt_enctypes = rc4-hmac

default_tgs_enctypes = rc4-hmac

to my krb5.ini has no effect on the described behaviour.

Message was edited by:

sherazade

[3872 byte] By [sherazadea] at [2007-11-27 0:58:01]
# 1
OK, perhaps I should have looked around the forum a little bit more in-depth... Setting the AllowTGTSessionKey registry key to 1 solves this issue... thanks
sherazadea at 2007-7-11 23:31:45
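
A small diagnostic for the symptom in this thread, added here as an example and not part of the original posts: it reads JGSS debug output and flags a TGT taken from the LSA whose session key type is 0 (null), which is the condition the AllowTGTSessionKey setting in the reply addresses. The function name, finding labels and the "healthy" sample are assumptions made for illustration; the first sample is abridged from the debug output in the question.

```python
import re

# Kerberos encryption type numbers as printed in the JGSS debug output.
ETYPES = {0: "null", 1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}


def diagnose(debug_text):
    """Summarise the TGT Java read from the LSA cache and flag an unusable one."""
    info = {"from_lsa": False, "client": None, "tgt_etype": None,
            "tgs_etypes": [], "findings": []}
    for line in (l.strip() for l in debug_text.splitlines()):
        if "Obtained TGT from LSA" in line:
            info["from_lsa"] = True
        elif line.startswith("client=") and info["client"] is None:
            info["client"] = line.split("=", 1)[1]
        elif (m := re.match(r"EType \(int\):\s*(\d+)", line)) and info["tgt_etype"] is None:
            info["tgt_etype"] = int(m.group(1))
        elif (m := re.match(r"default etypes\s*for default_tgs_enctypes:\s*([\d ]+)", line)):
            info["tgs_etypes"] = [int(n) for n in m.group(1).split()]
    et = info["tgt_etype"]
    if info["from_lsa"] and et == 0:
        # The ticket was handed over without a usable session key.
        info["findings"].append("null-session-key")
    elif et is not None and info["tgs_etypes"] and et not in info["tgs_etypes"]:
        # Session key type is not among the etypes the client lists for TGS requests.
        info["findings"].append("tgt-etype-not-in-tgs-list")
    info["tgt_etype_name"] = ETYPES.get(et, "unknown")
    return info


# Abridged from the debug output posted in the question.
POST_OUTPUT = """\
>>> Obtained TGT from LSA: Credentials:
client=test-user@KRBTEST.LOCAL
server=krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL
EType (int): 0
default etypes for default_tgs_enctypes: 3 1 23 16 17.
"""
# Constructed sample: the same log with an RC4-HMAC (23) session key present.
HEALTHY = POST_OUTPUT.replace("EType (int): 0", "EType (int): 23")

if __name__ == "__main__":
    for name, text in (("post", POST_OUTPUT), ("healthy", HEALTHY)):
        r = diagnose(text)
        print(name, r["client"], r["tgt_etype_name"], r["findings"])
```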