
I am configuring Apache/SSO authentication against an AD with Kerberos. My HTTP server is Debian Wheezy and the AD is a Windows Server 2012.

I generated keytab files on WS2012 with the ktpass command for each encryption type available on WS2012.

When I try to open a session with a user test@DOMAIN.COM with kinit, it works.

When I try to open a session with my HTTP/web.domain.com@DOMAIN.COM, I get the message:

kvno HTTP/web.domain.com@DOMAIN.COM
kvno: KDC has no support for encryption type while getting credentials for HTTP/web.domain.com@DOMAIN.COM

Also, when I check encryption used for test@DOMAIN.COM, I have:

root@SERVER:~# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@DOMAIN.COM

Valid starting       Expires              Service principal
03/04/2015 12:48:21  03/04/2015 22:48:17  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 04/04/2015 12:48:21, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

I tried to customize my /etc/krb5.conf with:

  default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

And by using the keytab file encrypted with arcfour-hmac without success.

I don't understand how to change the encryption type used to communicate, why it always wants arcfour-hmac, and why, when I give it arcfour-hmac encryption, nothing changes...

How can I be sure that the /etc/krb5.conf changes are effective, and how can I make the Kerberos ticket generation work too?


2 Answers


The encryption types supported by an Active Directory domain controller are listed in the msDS-SupportedEncryptionTypes attribute of the domain controller's computer object. In a default installation, they are typically something like:

RC4_HMAC_MD5
AES128_CTS_HMAC_SHA1_96
AES256_CTS_HMAC_SHA1_96

This is a bitmask which works out to decimal 28, so it'd be something like 00011100.

So when you ask why the domain controller "always wants only ARC4-HMAC," it is because your client doesn't have either of the other two encryption types in common with the domain controller, so they are eliminated during the negotiation process.

(Note: RC4_HMAC_MD5 is really the worst and weakest of all the possible encryption types here, but it is also sometimes necessary to support legacy scenarios and interoperability with non-Microsoft products.)

I looked up some documentation and found an example of someone else's configuration file and thought this might be useful:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

; for Windows 2008 with AES
   default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
   permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

Notice that, in addition to supporting better encryption types, they are also specifying rc4-hmac in their configuration, which is different from what you have, arcfour-hmac-md5. (Also don't forget the permitted_enctypes line, which I did not see in your post.)

I'm not 100% sure that will solve your issue, as I'm not in a position to test it right now, but hopefully it'll help.

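As an added example (not code from the answer above), the following decodes the msDS-SupportedEncryptionTypes bitmask and shows which enctypes a krb5.conf enctype list leaves in common with the DC. The bit values are the documented ones for that attribute, the krb5.conf names are MIT krb5's (including its aliases for RC4), and the sample values are constructed from the two configurations quoted on this page.

```python
# Decode an AD msDS-SupportedEncryptionTypes bitmask and work out which
# enctypes a client's krb5.conf list leaves in common with the DC.
# Added example: bit values are the documented attribute bits (DES, RC4, AES
# only); krb5.conf names are MIT krb5's. Sample values are constructed.

MSDS_ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

# krb5.conf enctype name -> attribute bit. MIT krb5 treats arcfour-hmac,
# arcfour-hmac-md5, rc4-hmac and rc4-hmac-md5 as aliases of one enctype (23).
KRB5_NAME_TO_BIT = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04, "arcfour-hmac-md5": 0x04,
    "rc4-hmac": 0x04, "rc4-hmac-md5": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08, "aes128-cts": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10, "aes256-cts": 0x10,
}


def decode_supported_enctypes(mask: int) -> list:
    """Return the names of the enctypes whose bit is set, lowest bit first."""
    return [name for bit, name in sorted(MSDS_ENCTYPE_BITS.items()) if mask & bit]


def common_enctypes(dc_mask: int, client_enctypes: str) -> list:
    """Intersect the DC's supported set with the client's configured list
    (a krb5.conf value such as default_tgs_enctypes), keeping the client's
    preference order and dropping names the DC does not support."""
    seen, result = set(), []
    for name in client_enctypes.split():
        bit = KRB5_NAME_TO_BIT.get(name.lower())
        if bit is None or not dc_mask & bit or bit in seen:
            continue
        seen.add(bit)
        result.append(MSDS_ENCTYPE_BITS[bit])
    return result


if __name__ == "__main__":
    dc = 28  # the default value from the answer: RC4 + AES128 + AES256
    print(decode_supported_enctypes(dc))
    # the questioner's list: only RC4 survives, hence arcfour-hmac tickets
    print(common_enctypes(dc, "arcfour-hmac-md5 des-cbc-crc des-cbc-md5"))
    # the squid wiki list: AES256 is the first enctype in common
    print(common_enctypes(dc, "aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5"))
```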

This is the most common problem when configuring Kerberos. Please resolve it by doing the following:

1) vi /var/kerberos/krb5kdc/kdc.conf

2) Check for supported_enctypes and use any of the encryption techniques mentioned there.

Hope this resolves the problem.