Java Security

KDC has no support for encryption type

843810 Apr 13 2007 — edited Apr 13 2007
Hi,

I hope not too many people skip this post because of the very common error message. But I'm really somewhat confused:

For testing Kerberos 5 SSO I set up a little domain controller running Windows 2003 Server and a client in the domain running Windows XP. In Active Directory I created a service account with the logon test-service and a user account test-user. The switch "Use DES encryption types for this account" is set for both accounts and I reset the passwords after setting the switch. Additionally I added a service principal name test/test.krbtest.local to the service account.

On the client machine I execute a very simple Java client program that tries to obtain a service ticket for the service test/test.krbtest.local. If I configure the client to prompt for a password, the service ticket is obtained without a problem using etype 3 (sun.security.krb5.internal.crypto.DesCbcMd5EType). But when trying to read the existing TGT from the native Windows cache the client exits with:
KDC has no support for encryption type (14)
The debug output tells the following:
>>> Obtained TGT from LSA: Credentials:
client=test-user@KRBTEST.LOCAL
server=krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL
authTime=20070413112833Z
startTime=20070413112833Z
endTime=20070413212833Z
renewTill=20070420112833Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 0
Principal is test-user@KRBTEST.LOCAL
Commit Succeeded

Found ticket for test-user@KRBTEST.LOCAL to go to krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL expiring on Fri Apr 13 23:28:33 CEST 2007
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for test-user@KRBTEST.LOCAL to go to krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL expiring on Fri Apr 13 23:28:33 CEST 2007
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.NullEType
...
Note that it says "EType (int): 0", which I think is not a valid encryption type at all. klist (from the Windows Resource Kit) tells me that my tickets look like:
Server: krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    End Time: 4/13/2007 23:28:33
    Renew Time: 4/20/2007 13:28:33
...
But as mentioned above I set the option "Use DES encryption types for this account" for both the user and service account. Am I doing something wrong here?
Additionally I thought Java 1.5.11 would support RC4-HMAC, is that wrong?

Even more confusing:

If I remove the "Use DES encryption types for this account" switch for the two accounts and configure my Java client program to prompt for a password, a ticket is obtained using the RC4-HMAC encryption type 23 (sun.security.krb5.internal.crypto.ArcFourHmacEType). But using the ticket from the cache again does not work.

I'd appreciate any comments on that since I'm totally confused by now and have no idea how to get this SSO thing working correctly in Java.

Cheers

P.S.:
I just wanted to mention that adding
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
to my krb5.ini has no effect on the described behaviour.

Message was edited by:
sherazade
Locked on May 11 2007
Added on Apr 13 2007
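
A small triage helper for the kind of JDK Kerberos debug trace quoted in the post, added here as an example and not part of the original thread or of the JDK: it extracts the etype reported for the cached TGT and the `default_tgs_enctypes` list, and flags the mismatch visible above (etype 0 and `NullEType` against 3 1 23 16 17). The names `analyze_trace` and `etype_name`, the sample trace (constructed from lines in the post) and the reading of `EType (int)` as the etype of the key attached to the cached TGT are assumptions.

```python
import re

# Kerberos etype numbers as assigned in RFC 3961 / RFC 4757.
ETYPE_NAMES = {0: "null", 1: "des-cbc-crc", 3: "des-cbc-md5",
               16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample: a subset of the debug lines quoted in the post.
SAMPLE_TRACE = """\
>>> Obtained TGT from LSA: Credentials:
client=test-user@KRBTEST.LOCAL
server=krbtgt/KRBTEST.LOCAL@KRBTEST.LOCAL
EType (int): 0
default etypes for default_tgs_enctypes: 3 1 23 16 17.
EType: sun.security.krb5.internal.crypto.NullEType
"""

def etype_name(n):
    """Human-readable name for an etype number."""
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)

def analyze_trace(trace):
    """Compare the etype reported for the cached TGT with the TGS etype list."""
    # Assumption: "EType (int)" is the etype of the key attached to the cached TGT.
    key = re.search(r"^\s*EType \(int\): (\d+)", trace, re.M)
    tgs = re.search(r"default etypes for default_tgs_enctypes: ([\d ]+)", trace)
    tgt_etype = int(key.group(1)) if key else None
    requested = [int(n) for n in tgs.group(1).split()] if tgs else []
    findings = []
    if tgt_etype is not None and requested and tgt_etype not in requested:
        findings.append("cached TGT etype %d (%s) is not in default_tgs_enctypes %s"
                        % (tgt_etype, etype_name(tgt_etype),
                           [etype_name(n) for n in requested]))
    # The trace names the cipher class in use on a separate "EType: <class>" line.
    if re.search(r"^\s*EType: .*\.NullEType\s*$", trace, re.M):
        findings.append("trace shows NullEType in use")
    return {"tgt_etype": tgt_etype, "requested": requested, "findings": findings}

if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE_TRACE)["findings"]:
        print("FINDING:", finding)
```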