I'm using Windows Server 2008 and Windows Vista and 7 for cross-realm authentication using MIT Kerberos 1.6, but when I try to log in with a user, the KDC answers:

(wireshark output)

error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14) ... e-text: BAD_ENCRYPTION_TYPE

I want to know how I can change the encryption type method to be compatible with the KDC (I tried an XP client and it worked fine).

(posted this yesterday on superuser, but I guess this is more a serverfault question)

Can anyone help me with this?

Many thanks!

3 Answers

The following two links have some detailed information on the SupportedEncryptionTypes configuration for Kerberos:

http://msdn.microsoft.com/en-us/library/ms677827%28v=vs.85%29.aspx

https://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx

In general, you need to have a common algorithm between the KDC and your Windows machines. If you are running a more recent version of MIT Kerberos, you should have AES support, but if your KDC is an older one, you would need to use DES to interop. @tommed is correct that DES is disabled by default in Win7, but it should work fine on Vista.

Alternatively, capture the network traffic between the KDC and your client machine and look at what the client is offering and look at the KDC config to ensure you have at least one of the crypto algorithms in common.

Nasko
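The comparison described in the answer above (client-offered etypes against the KDC's configured list) can be scripted. This is an added example, not part of the original answer: the function names are hypothetical, the etype lists are constructed samples standing in for what you read from the AS-REQ in your own capture, and the `supported_enctypes` string stands in for the value from your own kdc.conf.

```python
# Added example; all sample inputs below are constructed, not from the question.
# Kerberos etype numbers mapped to canonical names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}

# Short names MIT Kerberos accepts in kdc.conf, mapped to canonical names.
MIT_ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
               "aes128-cts": "aes128-cts-hmac-sha1-96",
               "arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac",
               "des3-hmac-sha1": "des3-cbc-sha1"}

# msDS-SupportedEncryptionTypes bit flags (Windows side).
MSDS_BITS = {0x01: "des-cbc-crc", 0x02: "des-cbc-md5", 0x04: "rc4-hmac",
             0x08: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}


def decode_msds(mask):
    """Names enabled by an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in MSDS_BITS.items() if mask & bit]


def kdc_enctypes(supported_enctypes):
    """Parse a kdc.conf supported_enctypes value ("enctype:salt ...")."""
    names = []
    for entry in supported_enctypes.replace(",", " ").split():
        name = entry.split(":", 1)[0].lower()  # drop the salt type
        names.append(MIT_ALIASES.get(name, name))
    return names


def common_etypes(offered, supported_enctypes):
    """Client-offered etypes the KDC also lists, in client preference order."""
    kdc = set(kdc_enctypes(supported_enctypes))
    # Unknown numbers (e.g. vendor-specific negative etypes) are skipped.
    return [ETYPES[n] for n in offered if ETYPES.get(n) in kdc]


if __name__ == "__main__":
    kdc_conf = "des-cbc-crc:normal des-cbc-md5:normal"  # constructed DES-only KDC
    samples = {"AES/RC4-only client": [18, 17, 23, 24, -135],
               "client still offering DES": [23, 3, 1]}
    for label, offer in samples.items():
        shared = common_etypes(offer, kdc_conf)
        print(label, "->", shared or "no common etype (expect ETYPE_NOSUPP)")
    print("msDS-SupportedEncryptionTypes 0x1C ->", decode_msds(0x1C))
```

An empty result from `common_etypes` is the condition the KDC reports as KRB5KDC_ERR_ETYPE_NOSUPP.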

What encryption type are you using? Did you specify the encryption type when you created the host policy? If not, it'll probably be using DES, which is disabled by default in Windows 7.

Try enabling DES and trying again. Also make sure your time is in sync with your server!

Hope that helps!! :)

Pang
tommed
  • BTW, I'm trying to get the exact same thing working too, if you could help with my question I'd be very grateful! http://serverfault.com/questions/129854/authenticating-windows-7-against-mit-kerberos-5 – tommed Apr 06 '10 at 18:24
This sounds similar in principle to an SSL error I just worked through.
If a certificate is involved, make sure that it was generated using the CNG option in the certificate request wizard rather than the Legacy Key option.

Gary