KDC has no support for encryption type (14)

Question

I'm trying to implement SSO with kerberos using spring-security-kerberos extension.

I've created a keytab file and I get the following error when trying to access my webapp:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I tried to test my keytab according to this post.

The keytab was created with the following command:

ktpass /out http-web.keytab /mapuser [email protected] /princ HTTP/[email protected] /pass myPass /ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT /kvno 0

My krb5.conf is as follow

[libdefaults]
default_realm = MYDOMAIN.COM
permitted_enctypes =  aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = aes256-cts arcfour-hmac-md5 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
MYDOMAIN.COM = {
kdc = controller1.mydomain.com:88
kdc = controler2.mydomain.com:88
kdc = controller3.mydomain.com:88
admin_server = controller3.mydomain.com
default_domain = MYDOMAIN.COM
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
mydomain.com = MYDOMAIN.COM

[login]
krb4_convert = true
krb4_get_tickets = false

I get the following error:

 KDC has no support for encryption type (14)

I've tried enabling DES, AES-128 and AES-256 for the account of the SPN but it didn't solve the problem.

What am I missing here?

Thanks, Lior

Answer 1

The solution for me was to check these two options of the AD user via the Active Directory Users and Computers tool on the account tab:

Answer 2

just bashed my head against the KrbException "KDC has no support for enryption type (14)" for several days in sequence. I have visited many places including some indepth MSDN blog posts (from Hongwei Sun, Sebastian Canevari) I cannot reference for lack of reputation.

Thanks, for your mention of kvno 0 and dsiabling DES it now also works on my side.

In the end it boiled down that I have my User Account setup with

userAccountControl: 0d66048 or 0x10200 which matches 0b10000001000000000 or ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) and ADS_UF_NORMAL_ACCOUNT (0x00000200) but no UF_USE_DES_KEY_ONLY (0x200000) being set

and

msDS-SupportedEncryptionTypes: 0d16 or 0x10 which matches 0b10000 or AES256-CTS-HMAC-SHA1-96 (0x10) but no RC4-HMAC (0x04) being set.

ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/[email protected]' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=localnet,dc=org> with scope subtree
# filter: userPrincipalName=HTTP/[email protected]
# requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
#

# spn_hostname, DokSvc, Services, Accounts, localnet.org
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/[email protected]
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/[email protected]
msDS-SupportedEncryptionTypes: 16

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

With this and the following in my /etc/krb5.conf I can reproducably provoke "KrbException KDC has no support for enryption type (14)" when removing rc4-hmac from the default_tkt_enctypes.

/etc/krb5.conf:

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
[libdefaults]
  default_realm = LOCALNET.DE
  default_tkt_enctypes = aes256-cts
  default_tgs_enctypes = aes256-cts
  permitted_enctypes = aes256-cts
[realms]
LOCALNET.ORG = {
  kdc = masterdc.localnet.org:88
  admin_server = masterdc.localnet.org
  default_domain = LOCALNET.ORG
}
[domain_realm]
  .localnet.org = LOCALNET.ORG
  localnet.org = LOCALNET.ORG
[appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true

However if you change it to default_tkt_enctypes = aes256-cts rc4-hmac it will succeed.

Note that you can also leave out specifying the default_tkt_enctypes directive in /etc/krb5.conf, in order to make it work.

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.

It therefor looks like Windows Server 2008 SP2 Active Directory does explicitly require RC4-HMAC in the Pre-Authentication phase:

         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

I have updated JCE 1.8.0 policy files within my JDK's jre/lib/security folder in order for AES256 to be supported.

Kind regards, Stefan

---

The enctypes are specified under

Kerberos Parameters http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

etype   encryption type     Reference
1   des-cbc-crc     [RFC3961]
3   des-cbc-md5     [RFC3961]
17  aes128-cts-hmac-sha1-96     [RFC3962]
18  aes256-cts-hmac-sha1-96     [RFC3962]
23  rc4-hmac    [RFC4757]

---

Failure:

java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:

        hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=194
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
         suSec is 822386
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
         suSec is 25186
         error code is 14
         error Message is KDC has no support for encryption type
         sname is krbtgt/[email protected]
         msgType is 30
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
        at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
        at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.init(Unknown Source)
        at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
        ... 5 more

Success:

java -cp /home/wls0/webdav/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/[email protected]
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/[email protected]
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:

        hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=180
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=180
>>> KrbKdcReq send: #bytes read=201
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

>>> KdcAccessibility: remove masterdc.localnet.org
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jan 17 19:11:56 CET 2017 1484676716000
         suSec is 116308
         error code is 25
         error Message is Additional pre-authentication required
         sname is krbtgt/[email protected]
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
         PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16

>>>Pre-Authentication Data:
         PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18.
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
default etypes for default_tkt_enctypes: 23 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=269
>>> KrbKdcReq send: #bytes read=94
>>> KrbKdcReq send: kdc=masterdc.localnet.org TCP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org TCP:88, timeout=30000,Attempt =1, #bytes=269
>>>DEBUG: TCPClient reading 1615 bytes
>>> KrbKdcReq send: #bytes read=1615
>>> KdcAccessibility: remove masterdc.localnet.org
Looking for keys for: HTTP/[email protected]
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/[email protected]
Found unsupported keytype (1) for HTTP/[email protected]
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.localnet.org
New ticket is stored in cache file /tmp/krb5cc_723

---

PS: You might want to extract the Kerberos 5 Tools from a Windows JDK because Oracle have removed it from the JDK 1.6 onwards. This gives you additional debug output on Linux platform with the Parameter (-Dsun.security.krb5.debug=true).

mkdir sun.security.krb5
cd sun.security.krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
dir

This works around JDK-6910497 : Kinit class missing http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6910497

Answer 3

Finally got it working: When implementing kerberos authentication for Oracle JDK 6, one should use RC4-HMAC encryption, and so the DES and AES support should be disabled for the user account.

Why did I check them in the first place is another story....

Answer 4

What helped in my case was the switch

ktpass ... -crypto all ...

and I commented all of these in krb5.conf:

# default_tkt_enctypes = ...
# default_tgs_enctypes = ...
# permitted_enctypes   = ...

I guess it's default setup with rc4-hmac encoding that's most compatible.

No special settings were needed in Active Directory on my SPN account.

Windows Server 2008, Weblogic 10.3.6, Oracle JDK 1.7

Answer 5

I managed to solve this problem after few days. The root cause is that Java >= 11.0.17 disabled RC4-HMAC and other "weak" encryption algorithms.

One solution is to downgrade your Java version, but it is sometimes not possible. Another solution is to make the necessary changes in the AD (enable AES encryption for the account), if you have the possibility to change these values.

As I had neither option open to me, I could solve it using the following configuration:

1. Add rc4-hmac additionally in your *_enctypes entries to your krb.conf after your other encryption algorithms (e.g. aes256-...). It might also be working with arcfour-hmac instead of rc4-hmac. (The error should now disappear, if you are using Java < 11.0.17.)

2. Add allow_weak_crypto = true in your krb.conf (Now Java >= 11.0.17 will allow usage of the disabled algorithms.)