Kerberos authentication only works with aes256-cts-hmac-sha1-96 for Windows 10


I have a Windows 10 server joined to a RedHat IDM realm that is using Kerberos. When a user tries to authenticate on the Windows 10 server, the following error is shown:

On the IDM, looking at the /var/log/krb5kdc.log, I see the following...

Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for krbtgt/[email protected]
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, [email protected] for host/[email protected]

In the /etc/crypto-policies/back-ends/krb5.config, libdefaults has been set to

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac

Interestingly, if all encryption types except aes256-cts-hmac-sha1-96 are removed from permitted_enctypes, authentication on the Windows 10 server succeeds.

Any idea why setting only aes256-cts-hmac-sha1-96 works, while a list of supported types that includes aes256-cts-hmac-sha1-96 does not?


There are 0 answers
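An added diagnostic script for the log excerpt above (this is example code, not from the question's author or from RedHat IDM). It parses MIT krb5kdc.log lines in the format shown, takes the enctype list the client offered in each AS_REQ/TGS_REQ, and reports any enctype in the KDC's ISSUE line (rep, tkt or ses) that the client never offered. The sample log lines are constructed to mirror the question's output; principals, hostnames and the IP are placeholders. In the sample, the only mismatch is the AS_REQ ticket part, tkt=aes256-cts-hmac-sha384-192(20), which the Windows client did not list. On an MIT KDC the tkt enctype is the key the service principal (krbtgt here) holds, chosen by the KDC from that principal's keys rather than from the client's list, so a tkt mismatch is not an error on its own, but it is exactly the detail to correlate with a client that fails until permitted_enctypes is narrowed.

```python
import re
from typing import FrozenSet, List, NamedTuple, Tuple

# Constructed sample lines in the MIT krb5kdc.log format quoted in the question.
# Principals, hostnames and the client IP are placeholders (not from the original post).
SAMPLE_LOG = """\
Nov 30 23:08:17 kdc.example.test krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.0.2.55: NEEDED_PREAUTH: user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Nov 30 23:08:17 kdc.example.test krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.0.2.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, user@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Nov 30 23:08:17 kdc.example.test krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.0.2.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, user@EXAMPLE.TEST for host/win10.example.test@EXAMPLE.TEST
"""

# Every enctype in the log is written as name(number); the number is what we compare on.
ETYPE_NUM_RE = re.compile(r"\((-?\d+)\)")
# Request kind, the client's offered enctype list, client IP and KDC status (ISSUE, NEEDED_PREAUTH, ...).
REQ_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+):"
)
# The three enctypes the KDC actually used: reply encryption, ticket encryption, session key.
ISSUE_RE = re.compile(
    r"ISSUE: authtime \d+, etypes \{rep=(?P<rep>[^,]*), tkt=(?P<tkt>[^,]*), ses=(?P<ses>[^}]*)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)


class Issued(NamedTuple):
    kind: str
    client_ip: str
    client: str
    service: str
    offered: FrozenSet[int]  # enctype numbers the client listed in its request
    rep: int
    tkt: int
    ses: int


def _num(etype: str) -> int:
    """Extract the numeric enctype from a 'name(number)' token."""
    m = ETYPE_NUM_RE.search(etype)
    if m is None:
        raise ValueError(f"no enctype number in {etype!r}")
    return int(m.group(1))


def parse_issue_lines(text: str) -> List[Issued]:
    """Return one Issued record per ISSUE line; pre-auth and error lines are skipped."""
    records: List[Issued] = []
    for line in text.splitlines():
        req = REQ_RE.search(line)
        if req is None or req.group("status") != "ISSUE":
            continue
        iss = ISSUE_RE.search(line)
        if iss is None:
            continue
        offered = frozenset(int(n) for n in ETYPE_NUM_RE.findall(req.group("offered")))
        records.append(Issued(
            kind=req.group("kind"),
            client_ip=req.group("client_ip"),
            client=iss.group("client"),
            service=iss.group("service"),
            offered=offered,
            rep=_num(iss.group("rep")),
            tkt=_num(iss.group("tkt")),
            ses=_num(iss.group("ses")),
        ))
    return records


def mismatches(records: List[Issued]) -> List[Tuple[str, str, str, int]]:
    """(kind, service, field, etype) for every issued enctype the client did not offer."""
    found: List[Tuple[str, str, str, int]] = []
    for rec in records:
        for field in ("rep", "tkt", "ses"):
            etype = getattr(rec, field)
            if etype not in rec.offered:
                found.append((rec.kind, rec.service, field, etype))
    return found


if __name__ == "__main__":
    for kind, service, field, etype in mismatches(parse_issue_lines(SAMPLE_LOG)):
        print(f"{kind} for {service}: {field} used etype {etype}, not in client's offered list")
```

Run it against a real /var/log/krb5kdc.log by replacing SAMPLE_LOG with the file's contents; filtering on the client IP first keeps the output to the one host under investigation.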