krb5 1.15 interop with Windows 2000


krb5 1.15 interop with Windows 2000

Weijun Wang
I am running kinit against a Windows 2000 server and see

  kinit: KDC has no support for encryption type while getting initial credentials

After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.

Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.

Is this a known issue?

Thanks
Max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: krb5 1.15 interop with Windows 2000

Greg Hudson
On 09/18/2017 08:49 AM, Weijun Wang wrote:
> I am running kinit against a Windows 2000 server and see
>
>   kinit: KDC has no support for encryption type while getting initial credentials
>
> After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
>
> Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
>
> Is this a known issue?

It's not a familiar issue to me.  We also have Camellia enctypes in the
default list, so if the Windows 2000 KDC is simply erroring out on
unknown enctypes, one would think this issue would have manifested long ago.

If you put the aes-sha2 enctypes back but put them at the end rather
than third and fourth, does kinit still fail?  It's conceivable that
rc4-hmac needs to appear early enough in the list, or has to appear
before unknown enctypes, or something.

Re: krb5 1.15 interop with Windows 2000

Weijun Wang

> On Sep 18, 2017, at 10:42 PM, Greg Hudson <[hidden email]> wrote:
>
> On 09/18/2017 08:49 AM, Weijun Wang wrote:
>> I am running kinit against a Windows 2000 server and see
>>
>>  kinit: KDC has no support for encryption type while getting initial credentials
>>
>> After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
>>
>> Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
>>
>> Is this a known issue?
>
> It's not a familiar issue to me.  We also have Camellia enctypes in the
> default list, so if the Windows 2000 KDC is simply erroring out on
> unknown enctypes, one would think this issue would have manifested long ago.
>
> If you put the aes-sha2 enctypes back but put them at the end rather
> than third and fourth, does kinit still fail?  It's conceivable that
> rc4-hmac needs to appear early enough in the list, or has to appear
> before unknown enctypes, or something.

Just tried some different combinations of default_tkt_enctypes. This error only happens when aes256-sha2 is placed before rc4-hmac. All other etypes are safe.

BTW, the server does not complain with its 1st PREAUTH_REQUIRED response, and in my 2nd AS-REQ, if I provide a wrong password, the error is PASSWORD_INCORRECT. Only if I provide the correct password does it return this error. Seems like it decides to choose etype 20 but only realizes it's not supported after a while.

--Max


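The ordering that Max narrowed the failure down to, shown as two krb5.conf [libdefaults] fragments. This is an added example, not a configuration posted in the thread: the realm name is assumed, and the etype names and numbers are MIT krb5's (aes256-cts-hmac-sha384-192 is etype 20 and aes128-cts-hmac-sha256-128 is etype 19, the "aes-sha2" types; rc4-hmac is etype 23). The first fragment reproduces the krb5 1.15 default order the reply refers to (aes-sha2 third and fourth, ahead of rc4-hmac); the second keeps every etype but moves the aes-sha2 pair behind rc4-hmac, which is the placement Max reports as working.

```ini
# --- Failing against the Windows 2000 KDC (added example, realm assumed) ---
# aes256-cts-hmac-sha384-192 (etype 20) precedes rc4-hmac (etype 23) in the
# AS-REQ etype list. Per the thread, the KDC answers PREAUTH_REQUIRED and
# PASSWORD_INCORRECT normally, and only a correct password yields
# "KDC has no support for encryption type".
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 rc4-hmac camellia256-cts-cmac camellia128-cts-cmac

# --- Working against the Windows 2000 KDC (added example, realm assumed) ---
# Same etypes, but rc4-hmac (the only type this KDC actually issues) now comes
# before both aes-sha2 types. Newer KDCs still negotiate the strongest type they
# share with the client, since the list only advertises what the client accepts.
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 camellia256-cts-cmac camellia128-cts-cmac
```

Only one [libdefaults] section belongs in a real krb5.conf; the two are shown together for comparison. Dropping the aes-sha2 types entirely, as in the first message, also works but gives up those etypes against every other KDC the client talks to, whereas reordering only changes which type a KDC that has never heard of etype 20 settles on.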

Re: krb5 1.15 interop with Windows 2000

Benjamin Kaduk-2
On Mon, Sep 18, 2017 at 11:06:20PM +0800, Weijun Wang wrote:
>
>
> Just tried some different combinations of default_tkt_enctypes. This error only happens when aes256-sha2 is placed before rc4-hmac. All other etypes are safe.
>
> BTW, the server does not complain with its 1st PREAUTH_REQUIRED response, and in my 2nd AS-REQ, if I provide a wrong password, the error is PASSWORD_INCORRECT. Only if I provide the correct password does it return this error. Seems like it decides to choose etype 20 but only realizes it's not supported after a while.

Just noting that this thread would be on-topic for the [hidden email] list
if you wanted to mention it there.

-Ben