Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

Silambarasan Madhappan
Hi,

I am new to Kerberos.  I am not able to obtain Kerberos
ticket-granting tickets with strong encryption types from "Windows
Server 2016 AD"

My client kerberos configuration as below
========================

$ cat /etc/krb5.conf
[libdefaults]
default_realm = CIFS.COM
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
ccache_type = 2

[realms]
CIFS.COM = {
kdc = WIN.cifs.com:88
}

[domain_realm]
.cifs.com = CIFS.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
[bash4.2]$

Issue :
=====
$ kinit Administrator
kinit(v5): KDC has no support for encryption type while getting
initial credentials
$

Please let me know  where can I find the kdc configuration types in
Active Directory (Windows Server 2016) ?
Do I have to change any configuration on Kerberos Client or Server ?
Please help me on this.

Thanks,
Silambarasan M
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

Todd Grayson
You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes.   Unset (comment out) the 3 enctype
lines for one of your tests.  How to comment out lines in the krb5.conf is
covered in the second paragraph here:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html

Use klist -ef after you successfully authenticate and inspect the ticket
encryption types used.  It will look something like this after commenting
out those lines I mentioned and then retrying your kinit:

dude@host:~$ kinit [hidden email]
Password for [hidden email]:
dude@host:~$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [hidden email]

Valid starting       Expires              Service principal
11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/
[hidden email]
renew until 11/15/2018 09:15:53, Flags: FRIA
Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96

You can see on the Etype line, by default the inital session key is actualy
rc4-hmac  (arcfour-hmac is same thing, just different names) But the actual
ticket granting ticket. The above example is against a windows 2008 KDC,
but 2016 is probably doing the same thing for backward comparability.


Kerberos will negotiate strongest encryption types by default within the
available configuration.

AD exposes per user account settings in the properties dialog, under
account details, that allow you to set using AES encryption types.  Doing
it for all accounts would be a global policy in AD.  This mail list does
not really cover how to manage active directory as a KDC at that level,
microsoft discussion boards would be best there.

Given you are new to kerberos, I would suggest starting here, reading this
will help you understand your terminology, what to search/google for, how
things work in kerberos, etc.

http://www.kerberos.org/software/tutorial.html

The administration guide would be next step.

Microsoft AD kerberos info is here, I would start with this AFTER going
through the kerberos tutorial.

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos



On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <
[hidden email]> wrote:

> Hi,
>
> I am new to Kerberos.  I am not able to obtain Kerberos
> ticket-granting tickets with strong encryption types from "Windows
> Server 2016 AD"
>
> My client kerberos configuration as below
> ========================
>
> $ cat /etc/krb5.conf
> [libdefaults]
> default_realm = CIFS.COM
> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
> ccache_type = 2
>
> [realms]
> CIFS.COM = {
> kdc = WIN.cifs.com:88
> }
>
> [domain_realm]
> .cifs.com = CIFS.COM
>
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5lib.log
> [bash4.2]$
>
> Issue :
> =====
> $ kinit Administrator
> kinit(v5): KDC has no support for encryption type while getting
> initial credentials
> $
>
> Please let me know  where can I find the kdc configuration types in
> Active Directory (Windows Server 2016) ?
> Do I have to change any configuration on Kerberos Client or Server ?
> Please help me on this.
>
> Thanks,
> Silambarasan M
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


--
Todd Grayson
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

Todd Grayson
oops, typo by me:

You are hard forcing AES for initial ticket granting ticket with the
settings you are using for enctypes.

Should read

You are hard forcing AES for initial session key and ticket granting ticket
with the settings you are using for enctypes.

On Thu, Nov 8, 2018 at 9:35 AM Todd Grayson <[hidden email]> wrote:

> You are hard forcing AES for initial ticket granting ticket with the
> settings you are using for enctypes.   Unset (comment out) the 3 enctype
> lines for one of your tests.  How to comment out lines in the krb5.conf is
> covered in the second paragraph here:
>
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>
> Use klist -ef after you successfully authenticate and inspect the ticket
> encryption types used.  It will look something like this after commenting
> out those lines I mentioned and then retrying your kinit:
>
> dude@host:~$ kinit [hidden email]
> Password for [hidden email]:
> dude@host:~$ klist -ef
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [hidden email]
>
> Valid starting       Expires              Service principal
> 11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/
> [hidden email]
> renew until 11/15/2018 09:15:53, Flags: FRIA
> Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
>
> You can see on the Etype line, by default the inital session key is
> actualy rc4-hmac  (arcfour-hmac is same thing, just different names) But
> the actual ticket granting ticket. The above example is against a windows
> 2008 KDC, but 2016 is probably doing the same thing for backward
> comparability.
>
>
> Kerberos will negotiate strongest encryption types by default within the
> available configuration.
>
> AD exposes per user account settings in the properties dialog, under
> account details, that allow you to set using AES encryption types.  Doing
> it for all accounts would be a global policy in AD.  This mail list does
> not really cover how to manage active directory as a KDC at that level,
> microsoft discussion boards would be best there.
>
> Given you are new to kerberos, I would suggest starting here, reading this
> will help you understand your terminology, what to search/google for, how
> things work in kerberos, etc.
>
> http://www.kerberos.org/software/tutorial.html
>
> The administration guide would be next step.
>
> Microsoft AD kerberos info is here, I would start with this AFTER going
> through the kerberos tutorial.
>
>
> https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
>
>
>
> On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <
> [hidden email]> wrote:
>
>> Hi,
>>
>> I am new to Kerberos.  I am not able to obtain Kerberos
>> ticket-granting tickets with strong encryption types from "Windows
>> Server 2016 AD"
>>
>> My client kerberos configuration as below
>> ========================
>>
>> $ cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = CIFS.COM
>> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>> ccache_type = 2
>>
>> [realms]
>> CIFS.COM = {
>> kdc = WIN.cifs.com:88
>> }
>>
>> [domain_realm]
>> .cifs.com = CIFS.COM
>>
>> [logging]
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>> default = FILE:/var/log/krb5lib.log
>> [bash4.2]$
>>
>> Issue :
>> =====
>> $ kinit Administrator
>> kinit(v5): KDC has no support for encryption type while getting
>> initial credentials
>> $
>>
>> Please let me know  where can I find the kdc configuration types in
>> Active Directory (Windows Server 2016) ?
>> Do I have to change any configuration on Kerberos Client or Server ?
>> Please help me on this.
>>
>> Thanks,
>> Silambarasan M
>> ________________________________________________
>> Kerberos mailing list           [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>
>

--
Todd Grayson
Customer Operations Engineering
Security SME
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Windows Server 2016 - KDC has no support for encryption type while getting initial credentials

Silambarasan Madhappan
Thank you, Todd Grayson for detailed information.
On Thu, Nov 8, 2018 at 10:07 PM Todd Grayson <[hidden email]> wrote:

>
> oops, typo by me:
>
> You are hard forcing AES for initial ticket granting ticket with the settings you are using for enctypes.
>
> Should read
>
> You are hard forcing AES for initial session key and ticket granting ticket with the settings you are using for enctypes.
>
> On Thu, Nov 8, 2018 at 9:35 AM Todd Grayson <[hidden email]> wrote:
>>
>> You are hard forcing AES for initial ticket granting ticket with the settings you are using for enctypes.   Unset (comment out) the 3 enctype lines for one of your tests.  How to comment out lines in the krb5.conf is covered in the second paragraph here:
>>
>> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>>
>> Use klist -ef after you successfully authenticate and inspect the ticket encryption types used.  It will look something like this after commenting out those lines I mentioned and then retrying your kinit:
>>
>> dude@host:~$ kinit [hidden email]
>> Password for [hidden email]:
>> dude@host:~$ klist -ef
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: [hidden email]
>>
>> Valid starting       Expires              Service principal
>> 11/08/2018 09:16:00  11/08/2018 19:16:00  krbtgt/[hidden email]
>> renew until 11/15/2018 09:15:53, Flags: FRIA
>> Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
>>
>> You can see on the Etype line, by default the inital session key is actualy rc4-hmac  (arcfour-hmac is same thing, just different names) But the actual ticket granting ticket. The above example is against a windows 2008 KDC, but 2016 is probably doing the same thing for backward comparability.
>>
>>
>> Kerberos will negotiate strongest encryption types by default within the available configuration.
>>
>> AD exposes per user account settings in the properties dialog, under account details, that allow you to set using AES encryption types.  Doing it for all accounts would be a global policy in AD.  This mail list does not really cover how to manage active directory as a KDC at that level, microsoft discussion boards would be best there.
>>
>> Given you are new to kerberos, I would suggest starting here, reading this will help you understand your terminology, what to search/google for, how things work in kerberos, etc.
>>
>> http://www.kerberos.org/software/tutorial.html
>>
>> The administration guide would be next step.
>>
>> Microsoft AD kerberos info is here, I would start with this AFTER going through the kerberos tutorial.
>>
>> https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-kerberos
>>
>>
>>
>> On Thu, Nov 8, 2018 at 9:03 AM Silambarasan Madhappan <[hidden email]> wrote:
>>>
>>> Hi,
>>>
>>> I am new to Kerberos.  I am not able to obtain Kerberos
>>> ticket-granting tickets with strong encryption types from "Windows
>>> Server 2016 AD"
>>>
>>> My client kerberos configuration as below
>>> ========================
>>>
>>> $ cat /etc/krb5.conf
>>> [libdefaults]
>>> default_realm = CIFS.COM
>>> default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> preferred_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
>>> ccache_type = 2
>>>
>>> [realms]
>>> CIFS.COM = {
>>> kdc = WIN.cifs.com:88
>>> }
>>>
>>> [domain_realm]
>>> .cifs.com = CIFS.COM
>>>
>>> [logging]
>>> kdc = FILE:/var/log/krb5kdc.log
>>> admin_server = FILE:/var/log/kadmin.log
>>> default = FILE:/var/log/krb5lib.log
>>> [bash4.2]$
>>>
>>> Issue :
>>> =====
>>> $ kinit Administrator
>>> kinit(v5): KDC has no support for encryption type while getting
>>> initial credentials
>>> $
>>>
>>> Please let me know  where can I find the kdc configuration types in
>>> Active Directory (Windows Server 2016) ?
>>> Do I have to change any configuration on Kerberos Client or Server ?
>>> Please help me on this.
>>>
>>> Thanks,
>>> Silambarasan M
>>> ________________________________________________
>>> Kerberos mailing list           [hidden email]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>>
>> --
>> Todd Grayson
>> Customer Operations Engineering
>> Security SME
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
> Security SME
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos