13

I am configuring Apache SSO authentication against an AD with Kerberos. My HTTP server is Debian Wheezy and the AD is a Windows Server 2012.

I generated keytab files on WS2012 with the ktpass command for each encryption type available on WS2012.

When I try to open a session for a user [email protected] with kinit, it works.

When I try to open a session with my HTTP/[email protected], I get the message:

```
kvno HTTP/[email protected]
kvno: KDC has no support for encryption type while getting credentials for HTTP/[email protected]
```

Also, when I check the encryption used for [email protected], I have:

```
root@SERVER:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
03/04/2015 12:48:21  03/04/2015 22:48:17  krbtgt/[email protected]
        renew until 04/04/2015 12:48:21, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
```

I tried to customize my /etc/krb5.conf with:

```
default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
```

And by using the keytab file encrypted with arcfour-hmac, without success.

I don't understand how to change the encryption type used to communicate, why it always wants arcfour-hmac, and why nothing changes when I give it arcfour-hmac encryption...

How can I be sure that the /etc/krb5.conf changes are effective, and how can I make the Kerberos ticket generation work too?

1
  • The KDC told you the error. What enc types does the service principal have? Commented Nov 1, 2015 at 4:49

2 Answers

9

The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes attribute of the domain controller's computer object. In a default installation, they are typically something like:

```
RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96
```

This is a bitmask which works out to decimal 28, so it'd be something like 00011100.

So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have either of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.

(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)

I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

```
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
```

Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)

I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.
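The negotiation described in the answer above can be checked on paper before touching a server. The following script is an added example and not part of the original post or of any Kerberos distribution: it decodes an msDS-SupportedEncryptionTypes value (the bit flags are the documented ones: DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10), parses a krb5.conf enctype list using the spellings MIT krb5 accepts, and reports which enctypes survive the intersection and whether only weak ones remain. The same attribute exists on a service account object, which is what the comment on the question asks about, so the same check applies to the HTTP/ principal. The sample value 28 and the constructed client list are taken from the question and the answer.

```python
"""Decode msDS-SupportedEncryptionTypes and predict which Kerberos enctypes
a client and an AD account can agree on.

Added example, not from the original post. Bit values follow the documented
msDS-SupportedEncryptionTypes flags; the krb5.conf spellings are the aliases
MIT Kerberos accepts. Sample inputs below are constructed for illustration.
"""

# Bit flags of msDS-SupportedEncryptionTypes, lowest bit first.
ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# Spellings MIT krb5 accepts in krb5.conf, mapped to the AD flag name.
# (arcfour-hmac, arcfour-hmac-md5, rc4-hmac and rc4-hmac-md5 all name enctype 23.)
KRB5_CONF_NAMES = {
    "des-cbc-crc": "DES_CBC_CRC",
    "des-cbc-md5": "DES_CBC_MD5",
    "rc4-hmac": "RC4_HMAC_MD5",
    "rc4-hmac-md5": "RC4_HMAC_MD5",
    "arcfour-hmac": "RC4_HMAC_MD5",
    "arcfour-hmac-md5": "RC4_HMAC_MD5",
    "aes128-cts-hmac-sha1-96": "AES128_CTS_HMAC_SHA1_96",
    "aes128-cts": "AES128_CTS_HMAC_SHA1_96",
    "aes256-cts-hmac-sha1-96": "AES256_CTS_HMAC_SHA1_96",
    "aes256-cts": "AES256_CTS_HMAC_SHA1_96",
}

# Enctypes a defender should treat as legacy-only.
WEAK = {"DES_CBC_CRC", "DES_CBC_MD5", "RC4_HMAC_MD5"}


def decode_supported_enctypes(value):
    """Return the enctype names whose bits are set in the attribute value."""
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]


def parse_client_enctypes(setting):
    """Parse a krb5.conf enctype list (e.g. the value of default_tgs_enctypes)
    into AD flag names, keeping the client's stated preference order."""
    names = []
    for token in setting.split():
        name = KRB5_CONF_NAMES.get(token.lower())
        if name is None:
            raise ValueError("unknown enctype name: %s" % token)
        if name not in names:
            names.append(name)
    return names


def negotiate(client_setting, account_mask):
    """Intersect the client's list with the account's bitmask in the client's
    preference order. An empty result is the situation behind the
    'KDC has no support for encryption type' error.
    Returns (usable_list, only_weak_flag)."""
    supported = set(decode_supported_enctypes(account_mask))
    usable = [n for n in parse_client_enctypes(client_setting) if n in supported]
    only_weak = bool(usable) and all(n in WEAK for n in usable)
    return usable, only_weak


if __name__ == "__main__":
    # Constructed sample: the client list from the question against an
    # account whose attribute is decimal 28 (RC4 + AES128 + AES256).
    client_cfg = "arcfour-hmac-md5 des-cbc-crc des-cbc-md5"
    print("account supports:", decode_supported_enctypes(28))
    usable, only_weak = negotiate(client_cfg, 28)
    print("usable:", usable, "only weak:", only_weak)
```

Run against the question's configuration, the only common enctype is RC4-HMAC, which is exactly what the `klist -e` output showed; adding the AES names to the client list (as in the squid example) yields an intersection that is no longer weak-only. The same function with an account mask that has no overlap with the client list returns an empty list, the case the KDC rejects.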

0

This is the most common problem when configuring Kerberos. Please resolve it by doing the following:

1) vi /var/kerberos/krb5kdc/kdc.conf

2) Check for supported_enctypes and use any of the encryption types mentioned there.

Hope this resolves the problem.
