Re: KDC has no support for encryption type (14) After Set DES Account - Kerberos


Thread: Re: KDC has no support for encryption type (14) After Set DES Account

  1. Re: KDC has no support for encryption type (14) After Set DES Account

    It appears that your application is looking for the
    "host/weblogic@DLSVR.COM" service principal, but you have set up the keytab
    with keys for the "HTTP/weblogic@DLSVR.COM" service principal. Please update
    your application with the expected service principal
    "HTTP/weblogic@DLSVR.COM".

    Seema

    david.turing wrote On 11/09/05 16:46,:

    >Hi, I have been dealing with this problem for a long time and got no response in the BEA forum.
    >I feel very exhausted when checking MIT's Kerberos mailing list and the Sun
    >security forum.
    >The problem is "KDC has no support for encryption type (14)" when I am
    >doing SSO between the MS domain and WebLogic.
    >
    >I had set the account to use the DES encryption type for the host, but
    >nothing changed.
    >
    >My steps are as below:
    >1)
    >First, generate the DES encryption type user account for the WebLogic
    >server, namely "weblogic", on Windows AD.
    >
    >
    >2)
    >then, I generate the keytab using w2k's ktpass on the AD SERVER:
    >c:\>ktpass -princ HTTP/weblogic.dlsvr.com@DLSVR.COM -mapuser weblogic
    >-pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
    >
    >and it turned out to be successful.
    >
    >c:\>ktab -k dlsvr_keytab -a HTTP/weblogic@DLSVR.COM
    >
    >and I placed dlsvr_keytab on the weblogic server [weblogic].
    >I use kinit to check the keytab:
    >kinit -k -t dlsvr_keytab HTTP/weblogic@DLSVR.COM
    >
    >output is: New ticket is stored in cache file C:\Documents and Setting ........
    >
    >3) I modify the KDC Config file in c:\winnt
    >
    >My W2KSP4 KDC Config is:
    >c:\winnt\krb5.ini-----------------------------
    >
    >[libdefaults]
    >
    >default_realm = DLSVR.COM
    >default_tkt_enctypes = des-cbc-crc
    >default_tgs_enctypes = des-cbc-crc
    >ticket_lifetime = 600
    >
    >[realms]
    >
    >DLSVR.COM = {
    >kdc = 192.168.2.231
    >admin_server = dlserver
    >default_domain = DLSVR.COM
    >}
    >
    >[domain_realm]
    >.dlsvr.com= DLSVR.COM
    >
    >[appdefaults]
    >autologin = true
    >forward = true
    >forwardable = true
    >encrypt = true
    >
    >
    >The log shown in WebLogic told me that the KDC has no support for
    >encryption type (14).
    >I tried to modify the registry entry as Sun mentions for JGSS, changing
    >allowtgtsessionkey,
    >which is located in
    >HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    >I set allowtgtsessionkey=1, but nothing helped to prevent the "KDC has no
    >support for encryption type (14)" error.
    >
    >The log in WebLogic is as below:
    >------------------------------------
    >
    ><2005-11-8 ....... CST> <000000> >Negotiate with SPNEGO token>
    >
    >
    >>>>KeyTab: load() entry length: 50
    >>>>KeyTabInputStream, readName(): DLSVR.COM
    >>>>KeyTabInputStream, readName(): host
    >>>>KeyTabInputStream, readName(): weblogic
    >>>>KeyTab: load() entry length: 44
    >>>>KeyTabInputStream, readName(): dlsvr.com
    >>>>KeyTabInputStream, readName(): weblogic
    >>>>EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>>crc32: e9889c7a
    >>>>crc32: 11101001100010001001110001111010
    >>>>KrbAsReq calling createMessage
    >>>>KrbAsReq in createMessage
    >>>>KrbAsReq etypes are: 1
    >>>>KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
    >>>>KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
    >>>>KrbKdcReq send: #bytes read=1217
    >>>>KrbKdcReq send: #bytes read=1217
    >>>>EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>>crc32: 54c176ae
    >>>>crc32: 1010100110000010111011010101110
    >>>>KrbAsRep cons in KrbAsReq.getReply host/weblogic
    >Found key for host/weblogic@DLSVR.COM
    >Entered Krb5Context.acceptSecContext with state=STATE_NEW
    ><2005-11-8 ........ CST> <000000> >exception GSSException: Failure unspecified at GSS-API level
    >(Mechanism level: KDC has no support for encryption type (14))
    >GSSException: Failure unspecified at GSS-API level (Mechanism level:
    >KDC has no support for encryption type (14))
    >at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
    >at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    >at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    >at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
    >at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
    >at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
    >at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
    >at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    >at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
    >at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    >at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
    >at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
    >at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    >at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    >
    >
    >Any help or advice would be highly appreciated!
    >
    >david.turing
    >
    >
    >------------------------------------------------------------------------
    >
    >________________________________________________
    >Kerberos mailing list Kerberos@mit.edu
    >https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: KDC has no support for encryption type (14) After Set DES Account

    Thanks for the reply. I haven't tried the "host/weblogic@DLSVR.COM" service principal,
    and I still can't find the difference between "host/weblogic@DLSVR.COM" and "HTTP/weblogic@DLSVR.COM",
    but "HTTP/weblogic@DLSVR.COM" is OK, and here is my successful stdout:

    <2005-11-10 ??04?24?03? CST> <000000>
    >>> KeyTab: load() entry length: 46
    >>> KeyTabInputStream, readName(): DLSVR
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): weblogic

    HTTP/weblogic@DLSVR.COM ? Kerberos ??: weblogic
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: eaaa376b
    >>>crc32: 11101010101010100011011101101011
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbAsReq etypes are: 1 3 1
    >>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=217
    >>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=217
    >>> KrbKdcReq send: #bytes read=1217
    >>> KrbKdcReq send: #bytes read=1217
    >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
    >>>crc32: 7d9497b0
    >>>crc32: 1111101100101001001011110110000
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/weblogic

    Found key for HTTP/weblogic@DLSVR.COM
    Entered Krb5Context.acceptSecContext with state=STATE_NEW
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    >>> Config reset default kdc DLSVR.COM

    object 0: 1131611066395/395706
    object 1: 1131610907423/423685
    object 0: 1131611066395/395706
    object 1: 1131610907423/423685
    replay cache found.
    >>> KrbApReq: authenticate succeed.

    Krb5Context setting peerSeqNumber to: 674414680
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType

    Krb5Context setting mySeqNumber to: -1357
    <2005-11-10 ??04?24?08? CST> <000000>

    <2005-11-10 ??04?24?08? CST> <000000> webserver@DLSVR.COM>
