KDC has no support for encryption type (14) After Set DES Accout


KDC has no support for encryption type (14) After Set DES Accout

david.turing
Hi, I have been dealing with this problem for a long time with no response in the BEA forum.
I feel very exhausted from checking MIT's Kerberos mailing list and the Sun
security forum.
The problem is "KDC has no support for encryption type (14)" when I
do SSO between an MS domain and WebLogic.

I had set the account to use the DES encryption type for the host, but
nothing changed.

My steps are as below:
1) First, generate the DES encryption type user account for the WebLogic
server, namely "weblogic", on Windows AD.


2) Then I generate the keytab using W2K's ktpass on the AD server:
c:\>ktpass -princ HTTP/[hidden email] -mapuser weblogic
-pass weblogic -out dlsvr_keytab -crypto des-cbc-crc

and it turned out to be successful.

c:\>ktab -k dlsvr_keytab -a HTTP/[hidden email]

and I place dlsvr_keytab on the WebLogic server [weblogic].
I use kinit to check the keytab:
kinit -k -t dlsvr_keytab  HTTP/[hidden email]

The output is: New ticket is store in cache file C:\Documents and Setting ........

3) I modified the KDC config file in c:\winnt.

My W2KSP4 KDC config is:
c:\winnt\krb5.ini-----------------------------

[libdefaults]

default_realm = DLSVR.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600

[realms]

DLSVR.COM = {
kdc = 192.168.2.231
admin_server = dlserver
default_domain = DLSVR.COM
}

[domain_realm]
.dlsvr.com= DLSVR.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true


The log shown in WebLogic told me that KDC has no support for
encryption type (14).
I tried to modify the registry entry as Sun mentions for JGSS, changing
allowtgtsessionkey, which is located in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
(set allowtgtsessionkey=1), but nothing helped to prevent the "KDC has no
support for encryption type (14)".

The log in WebLogic is as below:
------------------------------------

<2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found
Negotiate with SPNEGO token>

>>> KeyTab: load() entry length: 50
>>> KeyTabInputStream, readName(): DLSVR.COM
>>> KeyTabInputStream, readName(): host
>>> KeyTabInputStream, readName(): weblogic
>>> KeyTab: load() entry length: 44
>>> KeyTabInputStream, readName(): dlsvr.com
>>> KeyTabInputStream, readName(): weblogic
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: e9889c7a
>>>crc32: 11101001100010001001110001111010
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=1217
>>> KrbKdcReq send: #bytes read=1217
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 54c176ae
>>>crc32: 1010100110000010111011010101110
>>> KrbAsRep cons in KrbAsReq.getReply host/weblogic
Found key for host/[hidden email]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
<2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS
exception GSSException: Failure unspecified at GSS-API level
(Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level:
KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)


Any help or advice would be highly appreciated!

david.turing

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KDC has no support for encryption type (14) After Set DES Accout

Seema Malkani
It appears that your application is looking for the
"host/[hidden email]" service principal, but you have set up the keytab
with keys for the "HTTP/[hidden email]" service principal. Please update
your application with the expected service principal
"HTTP/[hidden email]".

Seema

david.turing wrote on 11/09/05 16:46:




Re: KDC has no support for encryption type (14) After Set DES Accout

david.turing
Thanks for the reply. I haven't tried the "host/[hidden email]" service principal;
I still can't find the difference between "host/[hidden email]" and "HTTP/[hidden email]",
but "HTTP/[hidden email]" is OK, and here is my successful stdout:

<2005-11-10 上午04时24分03秒 CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
>>> KeyTab: load() entry length: 46
>>> KeyTabInputStream, readName(): DLSVR
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): weblogic
 HTTP/[hidden email] 的 Kerberos 密码: weblogic

>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: eaaa376b
>>>crc32: 11101010101010100011011101101011
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1 3 1
>>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=217
>>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=217
>>> KrbKdcReq send: #bytes read=1217
>>> KrbKdcReq send: #bytes read=1217
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 7d9497b0
>>>crc32: 1111101100101001001011110110000
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/weblogic
Found key for HTTP/[hidden email]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> Config reset default kdc DLSVR.COM
object 0: 1131611066395/395706
object 1: 1131610907423/423685
object 0: 1131611066395/395706
object 1: 1131610907423/423685
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 674414680
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: -1357
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <gssContext isEstablished true>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <Out token
    0: 6068 0609 2a86 4886 f712 0102 0202 006f   `h..*.H........o
   16: 5930 57a0 0302 0105 a103 0201 0fa2 4b30   Y0W...........K0
   32: 49a0 0302 0103 a242 0440 c2b0 cf10 f078   I......B.@.....x
   48: d11a 749a 48f9 1b2a 5603 6159 99b7 5439   ..t.H..*V.aY..T9
   64: 4f20 a344 cd9a 9a4a bc72 0669 77e1 650f   O .D...J.r.iw.e.
   80: b596 ffde cca7 f08d daea 8875 e616 a1c9   ...........u....
   96: 4746 ab6c ad29 b748 df17                  GF.l.).H..
>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <GSS name is [hidden email]>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <User name is webserver>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <User name is webserver>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <LDAP ATN LoginModule initialized>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login username: webserver>
<2005-11-10 上午04时24分08秒 CST> <Debug> <SecurityDebug> <000000> <userExists? user:webserver>

----- Original Message -----
From: "Seema Malkani" <[hidden email]>
To: "david.turing" <[hidden email]>
Cc: <[hidden email]>
Sent: Friday, November 11, 2005 8:59 AM
Subject: Re: KDC has no support for encryption type (14) After Set DES Accout



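Added example (editor's code, not from the thread, the JDK or WebLogic): the two JDK debug logs above report keytab entries of length 50 and 44 in the failing run and 46 in the working one, and the loader prints the realm and name components it reads from each. The script below builds keytabs with constructed placeholder keys that mirror those logged principals, parses them the way the loader does (standard MIT 0x0502 keytab layout, assumed here), and checks, as an acceptor would, whether a key for the expected SPN exists in an acceptable enctype; with 8-byte DES keys the entry lengths come out exactly as logged.

```python
import struct

DEMO_KEY = bytes(range(1, 9))   # placeholder 8-byte key material (constructed, not a real DES key)
DES_CBC_CRC = 1                 # the enctype number Java prints as "etypes are: 1"

def _cstr(b):
    return struct.pack(">H", len(b)) + b   # counted_octet_string: 16-bit BE length + bytes

def build_entry(principal, enctype, key, name_type=1, timestamp=0, kvno=1):
    """Serialise one MIT keytab (version 0x0502) entry; the realm is not counted in num_components."""
    name, realm = principal.split("@")
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno)
    body += struct.pack(">H", enctype) + _cstr(key)
    return struct.pack(">i", len(body)) + body   # leading int32 is the "entry length" Java logs

def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)

def parse_keytab(data):
    """Return [(entry_length, principal, enctype)] in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, out = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size <= 0:                 # negative size = deleted slot of |size| bytes, 0 = padding
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        strings = []                  # realm first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        pos += 9                      # skip name_type (4), timestamp (4), vno8 (1)
        etype = struct.unpack(">H", data[pos:pos + 2])[0]
        pos = end                     # skip key bytes and optional 32-bit kvno
        out.append((size, "/".join(strings[1:]) + "@" + strings[0], etype))
    return out

def check_service_key(data, spn, wanted_etypes):
    """Acceptor-style lookup: ("ok", etype), ("no-principal", [principals]) or ("no-enctype", [etypes])."""
    keys = [(p, e) for _, p, e in parse_keytab(data)]
    for_spn = [e for p, e in keys if p == spn]
    if not for_spn:
        return ("no-principal", sorted({p for p, _ in keys}))
    usable = [e for e in wanted_etypes if e in for_spn]
    return ("ok", usable[0]) if usable else ("no-enctype", sorted(for_spn))

# Keytabs mirroring the two debug logs in the thread (constructed; keys are placeholders).
FAILING_KEYTAB = build_keytab([("host/weblogic@DLSVR.COM", DES_CBC_CRC, DEMO_KEY),
                               ("weblogic@dlsvr.com", DES_CBC_CRC, DEMO_KEY)])
WORKING_KEYTAB = build_keytab([("HTTP/weblogic@DLSVR", DES_CBC_CRC, DEMO_KEY)])
```

Running check_service_key against a real keytab with the SPN the acceptor reports in "Found key for ..." separates a missing principal from a missing enctype before any KDC or registry setting is touched.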