Kerberos Encryption Types in 2008/2008R2 - DES methods not available affecting SSO for SAP/J2EE apps
Good Evening,

I have recently stood up a 2008 R2 Domain Controller (and GC). All was running well, but we have found issues with the KDC on this server not issuing tickets for users of a few of our web apps that utilise SSO, namely SAP Portal (J2EE) and Duet (the same).

Both these apps utilise the DES_CBC_MD5 encryption type. The user accounts they run as are configured in AD to "use DES encryption methods". This works absolutely perfectly with our existing 2003 Domain Controllers: tickets are issued successfully and users are logged on.

Users who authenticate against the new 2008 server, however, do NOT get issued a Kerberos ticket at all. The server logs an event 16, Kerberos-Key-Distribution-Center error, with the following text:

While processing a TGS request for the target server HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 3 1. The accounts available etypes were 23 -133 -128. Changing or resetting the password of Service Account will generate a proper key.

The requested etypes are the DES methods, DES-CBC-MD5 and DES-CBC-CRC. I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment.

Capturing network traffic shows the server returning an ETYPE_NOT_SUPPORTED error.

We do have other web apps using SSO with Kerberos tickets that work no problem with the new 2008 R2 DC; however, these use RC4 encryption methods.

What I have tried:

1. I have enabled these DES methods under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling all but "Future Encryption Types". Rebooted the DC, same issue.
2. As per http://support.microsoft.com/default.aspx/kb/961302 I configured the KdcUseRequestedEtypesForTickets key. Restarted the server. I was then issued a ticket, but the Ticket Encryption type was RC4 while the key encryption type was DES-CBC-MD5, which meant SSO did not work.
3. Various debugging/extra logging etc., nothing useful beyond the first error.

Does anyone have any ideas or experience with this type of situation? The 2008 DC is currently powered off and holding up our NPS/NAP deployment until I can get this resolved.

Thanks,
-Jeff McLuckie
August 24th, 2009 11:31am

Hi Jeff, What did you mean by saying "I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment"? If "it appears to be working at the moment", when did the issue occur? Also, as far as I know, you have tried all possible methods to troubleshoot this problem; if you need further help, please try to reset the account password. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
August 25th, 2009 8:51am

I meant that it is working fine on the existing 2003 domain controllers. I guess we'll have to try the password reset. Erk.
August 26th, 2009 1:35am

We are going ahead with the password reset option. We tested by:

1. creating a test site in AD,
2. putting the DC and a workstation there,
3. disabling all replication in and out of the 2008 DC,
4. taking a snapshot of the DC (VMware),
5. testing on the workstation: no ticket issued, unsupported etype error on the DC,
6. resetting the password on the account on the 2008 DC,
7. visiting the page: ticket issued from the server, everything fine,
8. reverting to the snapshot and turning replication on again.

Will be doing the live reset on Tuesday next week, so fingers crossed. It is aggravating that this needs to happen.
August 28th, 2009 5:00am

How did your test go Jeff? We are experiencing the same issue as you have identified, only the TGS request is coming from/for an IBM iSeries for SSO (EIM). Same requested ETYPEs (3 1). On our 2003 DCs we can use KTPASS and DSADD to manually add the accounts and assign the SPN values and it works fine for users authenticating to those 2003 DCs, but the exact same commands fail on 2008 R2 with an Access Denied, very odd. The commands are listed below:

DSADD user cn=test_krbsvr400,cn=users,dc=TESTDOMAIN,dc=ORG -pwd testpassword -display test_krbsvr400

KTPASS -MAPUSER test_krbsvr400 -PRINC krbsvr400/test.testdomain.org@TESTDOMAIN.ORG -PASS testpassword -mapop set +DesOnly -ptype KRB5_NT_PRINCIPAL

Resetting the password had no effect.
September 2nd, 2009 5:22pm

Afternoon,

After much hand wringing we went ahead and reset the passwords on these service accounts. The password was reset to the same password, but performed on the 2008 domain controller. All is now working perfectly.

So it appears to be a combination of:

1. Enabling DES encryption types on the 2008 domain controllers (see 1st post), then
2. Resetting passwords on those accounts to generate the correct keys.

I don't understand why this is necessary. I did try to demote and promote the DC after I enabled the DES encryption types without any luck. I will be interested to see what happens when our next 2008 DC is stood up; hopefully I don't have to go through all this again.
September 7th, 2009 7:19am

Sorry, just re-read your post. Did you enable the DES encryption types on your 2008 DCs? From my first post:

I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.

Do that in your Domain Controller policy or local group policy on the DC to test.
September 7th, 2009 7:21am

The encryption types are definitely set properly and the policy is being applied on the DC. What did you use to change the password? ADUC or ktpass?
September 8th, 2009 7:21pm

Just ADUC.
September 9th, 2009 3:35am

The password reset worked. Thanks Jeff.
September 9th, 2009 6:16pm

Glad to hear it. Still trying to understand why this needs to be done. Surely this key info could be replicated from the 2k3 DCs.
September 10th, 2009 1:14am

I'll have our next 2008 R2 DC up in about a week or so. I'll update this thread and let you know whether it makes a difference. I suspect that now that the password has been rewritten on the new DC, it will replicate properly to all new ones.
September 10th, 2009 1:34am

I have a similar problem. I have a Win2008 SP2, but I can't find the DES methods under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security. Is the path correct? stpreda
February 10th, 2010 6:13pm


see http://support.microsoft.com/kb/977321 and http://support.microsoft.com/kb/978055
March 26th, 2010 6:44pm

What service account are you talking about resetting? Not the krbtgt account, right? Travis
January 21st, 2011 3:25pm

See SAP Note 1457499 https://service.sap.com/sap/support/notes/1457499 This Note is already included in SP23 of NetWeaver 7.0, not sure about the SP number for 7.01 and 7.02, and the spnego wizard is actually located at http://<host>:<port>/spnego instead of the location the guide in this note gives, but pretty much everything else in the guide applies. Also, take a look at this blog: http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567
February 1st, 2011 12:52pm

Good Day, I have a problem. I have a machine on Fedora 14 x86 with Kerberos and Samba, and a Win2k3 server Domain Controller. When I try to connect to the DC using the kinit command, it says:

[root@samba1 etc]# kinit admin@TESTDOMAIN1.COM
kinit: No supported encryption types (config file error?) while getting initial credentials

Here are two lines from my krb5.conf file:

default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5

Both machines are set up on VMware 7 with a bridged network. ping is OK. Should I use other enctypes? And what are they, if I should? P.S. Sorry for my English. :)
February 18th, 2011 7:25am
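The etype numbers in the event 16 text quoted in the first post (requested "3 1", available "23 -133 -128") and the enctype names in the krb5.conf lines of the kinit post above are two spellings of the same thing, and a KDC issues a ticket only when the client's requested list and the account's key list overlap; that is why the SAP case ends in ETYPE_NOT_SUPPORTED and the kinit case in "No supported encryption types". The Python below is an added example written for this thread, not code from any poster, Microsoft or SAP: it parses the event text, names the etypes, decodes an msDS-SupportedEncryptionTypes value, and checks krb5.conf enctypes against what a KDC offers. The etype numbers are the IANA Kerberos assignments (RFC 3961, RFC 3962, RFC 4757); the two negative values are assumed here to be the KERB_ETYPE_RC4_MD4 (-128) and KERB_ETYPE_RC4_HMAC_OLD (-133) constants from the Windows SDK; the sample event text is the one quoted in the first post, embedded as a constant.

```python
"""Decode the Kerberos etype numbers a Windows KDC prints in event 16 and the
enctype names a client lists in krb5.conf, and check whether they overlap.
Added example for this thread; not code from the original posts."""
import re

# IANA etype numbers (RFC 3961 / 3962 / 4757). The negative entries are the
# Microsoft-private KERB_ETYPE_* values assumed here from the Windows SDK.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4 (Microsoft private)",
    -133: "rc4-hmac-old (Microsoft private)",
}
# krb5.conf name -> etype number, plus the aliases MIT krb5 accepts.
NAME_TO_ETYPE = {name.split(" ")[0]: n for n, name in ETYPE_NAMES.items()}
NAME_TO_ETYPE.update({"arcfour-hmac": 23, "arcfour-hmac-md5": 23,
                      "rc4-hmac-md5": 23, "aes128-cts": 17, "aes256-cts": 18})

# Bits of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7) -> key etype enabled.
SUPPORTED_ETYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}

# Constructed sample: the event 16 text quoted in the first post of the thread.
SAMPLE_EVENT_16 = (
    "While processing a TGS request for the target server "
    "HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a "
    "suitable key for generating a Kerberos ticket (the missing key has an ID "
    "of 9). The requested etypes were 3 1. The accounts available etypes were "
    "23 -133 -128. Changing or resetting the password of Service Account will "
    "generate a proper key."
)


def etype_name(n):
    return ETYPE_NAMES.get(n, "unknown etype %d" % n)


def parse_event_16(message):
    """Pull the requested and available etype lists out of an event 16 message."""
    req = re.search(r"requested etypes were\s+((?:-?\d+\s?)+)\.", message)
    avail = re.search(r"available etypes were\s+((?:-?\d+\s?)+)\.", message)
    if not req or not avail:
        raise ValueError("not a KDC event 16 'no suitable key' message")
    return {"requested": [int(x) for x in req.group(1).split()],
            "available": [int(x) for x in avail.group(1).split()]}


def negotiable(requested, available):
    """Etypes the KDC can actually use, in the client's preference order.
    An empty result is what the client sees as KDC_ERR_ETYPE_NOSUPP."""
    avail = set(available)
    return [e for e in requested if e in avail]


def diagnose_event_16(message):
    """Name the etypes in an event 16 and say which requested keys the account lacks."""
    ev = parse_event_16(message)
    common = negotiable(ev["requested"], ev["available"])
    return {
        "requested": [etype_name(e) for e in ev["requested"]],
        "available": [etype_name(e) for e in ev["available"]],
        "ticket_possible": bool(common),
        "missing_keys": [etype_name(e) for e in ev["requested"] if e not in common],
    }


def decode_supported_etypes(value):
    """Etype numbers enabled by an msDS-SupportedEncryptionTypes bitmask."""
    return [e for bit, e in SUPPORTED_ETYPE_BITS.items() if value & bit]


def krb5_enctypes(line):
    """Turn 'default_tgs_enctypes = des-cbc-crc des-cbc-md5' into etype numbers."""
    _, _, names = line.partition("=")
    return [NAME_TO_ETYPE[n.lower()] for n in names.split()]


if __name__ == "__main__":
    for key, val in diagnose_event_16(SAMPLE_EVENT_16).items():
        print("%-16s %s" % (key, val))
    # The kinit post: DES-only client against an RC4/AES-only KDC gives no overlap.
    client = krb5_enctypes("default_tkt_enctypes = des-cbc-crc des-cbc-md5")
    print("client vs RC4/AES KDC:", negotiable(client, decode_supported_etypes(0x1C)))
```

Running the file prints the diagnosis for the quoted event: no overlap, and des-cbc-md5 plus des-cbc-crc keys missing. The "available" list describes the keys stored for the account rather than what the KDC is willing to use, which is why the event text itself points at a password reset and why the thread's fix was enabling DES on the 2008 R2 DC and then resetting the password against that DC. The same overlap test explains the kinit failure: a client restricted to des-cbc-crc and des-cbc-md5 cannot negotiate with a KDC that only offers RC4 or AES. Note that single DES has been deprecated for Kerberos (RFC 6649); re-enabling it on a KDC to keep an old SSO integration working is a stopgap, and the SAP note linked earlier in the thread is the path off it.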

This option is new in Windows Server 2008 R2, NOT Windows Server 2008 (Standard). R2, not SP2. Hope that helps.
March 3rd, 2011 2:42pm
