
KDC has no support for encryption type (14) (Active Directory)


Vikas Gandhi

Jun 3, 2004, 1:27:07 AM
Hi

I am following the samples given at
http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
and I am getting the following error: KDC has no support for encryption type
(14)

OS : Windows 2003
Client OS : Terminal client on Windows 2003 User is Mittest
DS: Active Directory 2003
J2SE: 1.05 beta2
Domain: DOMAIN
Machine name: MACHINENAME.DOMAIN
Test User: mittest

krb5.conf details are:
[libdefaults]
default_realm = QDMS.CO.IN
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
#default_checksum = rsa-md5
dns_lookup_kdc = true
noaddresses = false


>>>KinitOptions cache name is C:\Documents and
Settings\mittest.QDMS\krb5cc_mittest
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=mit...@QDMS.CO.IN
server=krbtgt/QDMS....@QDMS.CO.IN
authTime=20040602224515Z
startTime=20040602224515Z
endTime=20040603084515Z
renewTill=20040609224515Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 0

Found a principal
mit...@QDMS.CO.IN
comes in performJndiOperation
Found ticket for mit...@QDMS.CO.IN to go to
krbtgt/QDMS....@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30
2004
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for mit...@QDMS.CO.IN to go to
krbtgt/QDMS....@QDMS.CO.IN expiring on Thu Jun 03 14:15:15 GMT+05:30
2004
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 16.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.NullEType
>>> KrbKdcReq send: kdc=beetle.qdms.co.in UDP:88, timeout=30000,
number of retries =3, #bytes=1236
>>> KDCCommunication: kdc=beetle.qdms.co.in UDP:88,
timeout=30000,Attempt =1, #bytes=1236
>>> KrbKdcReq send: #bytes read=97
>>> KrbKdcReq send: #bytes read=97
>>> KDCRep: init() encoding tag is 126 req type is 13
KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown
Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown
Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
>>>KRBError:
sTime is Thu Jun 03 10:36:31 GMT+05:30 2004 1086239191000
suSec is 348275
error code is 14
error Message is KDC has no support for encryption type
realm is QDMS.CO.IN
sname is ldap/beetle.qdms.co.in
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown
Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown
Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
... 27 more
javax.naming.AuthenticationException: GSSAPI [Root exception is
javax.security.sasl.SaslException: GSS initiate failed [Caused by
GSSException: No valid credentials provided (Mechanism level: KDC has
no support for encryption type (14))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown
Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at JndiAction.performJndiOperation(GssExample.java:178)
at JndiAction.run(GssExample.java:141)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at GssExample.main(GssExample.java:124)
Caused by: javax.security.sasl.SaslException: GSS initiate failed
[Caused by GSSException: No valid credentials provided (Mechanism
level: KDC has no support for encryption type (14))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown
Source)
... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism
level: KDC has no support for encryption type (14))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 19 more
Caused by: KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.internal.a1.a(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 22 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(Unknown Source)
at sun.security.krb5.internal.ag.a(Unknown Source)
at sun.security.krb5.internal.ag.<init>(Unknown Source)
... 27 more

FYI:
I tried replacing default_tkt_enctypes with des-cbc-crc:normal and
also tried des-cbc-md5, but with no result at all.
--Vikas

Jeffrey Altman

Jun 3, 2004, 9:24:49 AM
When using Java you must turn on DES encryption type support
for the principals being used by Java clients or Java servers.

The encryption type being requested is not 14, it is 1.
Encryption type one is DES-CBC-CRC. This is what you have
specified in your krb5.conf file.

As a note to all readers: it is strongly advised that you
not use the default_tkt_enctypes or default_tgs_enctypes
libdefaults in the krb5.conf. Specifying arbitrary restrictions
on the client via the krb5.conf file will make interop
exceedingly difficult. The KDC will choose the best key type
available based upon its knowledge of the client and the
service. Knowledge of the client's supported enctypes will
be determined by examining the TGS_REQ. Knowledge of the
service's supported enctypes is determined by looking at
the enctypes for which keys were generated in the Kerberos
database.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
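
The two points in the reply above (14 is the KRB-ERROR code rather than an enctype, and enctype pins in krb5.conf are best avoided), as an added example that is not part of the original thread: a Python check that lists active enctype pins in [libdefaults] and separates the error code from the enctypes the client offered. The function names and sample strings are assumptions constructed from the thread's configuration and trace; the number tables follow RFC 3961, 3962, 4757 and 4120.

```python
import re

# Kerberos enctype numbers (RFC 3961, 3962, 4757) and KRB-ERROR codes (RFC 4120).
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP"}
PINNING_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def pinned_enctypes(krb5_conf):
    """Return {key: [enctype names]} for active enctype pins in [libdefaults]."""
    pins, section = {}, None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or commented-out line
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        key, sep, value = line.partition("=")
        if section == "libdefaults" and sep and key.strip() in PINNING_KEYS:
            pins[key.strip()] = re.split(r"[\s,]+", value.strip())
    return pins

def summarize_debug(log):
    """Separate the KRB-ERROR code from the enctypes the client offered."""
    offered = re.search(r"default etypes for (\w+): ([\d ]+)\.", log)
    error = re.search(r"error code is (\d+)", log)
    numbers = [int(n) for n in offered.group(2).split()] if offered else []
    code = int(error.group(1)) if error else None
    return {
        "offered": [ETYPES.get(n, "unknown(%d)" % n) for n in numbers],
        "error_code": code,
        "error_name": KRB_ERRORS.get(code, "unlisted"),
    }

# Constructed sample inputs, trimmed from the configuration and trace in the thread.
SAMPLE_CONF = """[libdefaults]
default_realm = QDMS.CO.IN
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
#default_checksum = rsa-md5
"""
SAMPLE_LOG = """default etypes for default_tgs_enctypes: 3 1 16.
error code is 14
error Message is KDC has no support for encryption type
"""
```

On the sample trace, summarize_debug reports the offered enctypes as des-cbc-md5, des-cbc-crc and des3-cbc-sha1, with 14 resolved to KDC_ERR_ETYPE_NOSUPP.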
