Authenticating UNIX/Linux to Windows 2008R2. Part 5 : Kerberos Encryption Types

Background

There is a particular difficulty with Kerberos and Windows: which encryption type to use.

Encryption is used for both the ticket-granting-ticket and session tickets.

NB. I strongly suggest using the same strong encryption type for both, and hard-coding that type at both ends.

In Windows, this is done through Group Policy:

To confirm whether an encryption type is supported, edit krb5.conf and insert into the libdefaults section:

[libdefaults]
         default_tkt_enctypes = rc4-hmac
         default_tgs_enctypes = rc4-hmac
         permitted_enctypes = rc4-hmac

There is a handy tool called GetTicket, available from http://www.css-security.com/downloads/, which can be used to test whether a Ticket-Granting-Ticket and a Service Ticket can be obtained.

default_tkt_enctypes controls the ticket granting ticket, and default_tgs_enctypes controls the service ticket.

Typical Errors

Wrong encryption type for the Ticket-Granting Ticket (default_tkt_enctypes):

# /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -p host/sol10host1.example.com@EXAMPLE.COM gettgt

v2.3.2 - February 2007

keytab:
credentials cache:
client principal:   host/sol10host1.example.com@EXAMPLE.COM
service principal:
css_gettkt: Key table entry not found while getting initial credentials
# echo $?
181

Wrong encryption type for the Service Ticket (default_tgs_enctypes):

# /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -s host/sol10host1.example.com getsrvtkt

v2.3.2 - February 2007

keytab:
credentials cache:
client principal:
service principal:  host/sol10host1.example.com
css_gettkt: No credentials found with supported encryption types while getting credentials
# echo $?
200

or

# /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -s host/sol10host1.example.com getsrvtkt

v2.3.2 - February 2007

keytab:
credentials cache:
client principal:
service principal:  host/sol10host1.example.com
css_gettkt: KDC has no support for encryption type while getting credentials
# echo $?
14

Finding an acceptable encryption type

There are a couple of Windows Knowledge Base articles which seem to suggest that whilst AES is a preferred encryption

http://support.microsoft.com/kb/833708

and

http://support.microsoft.com/kb/961302

Specifically, it says:

AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.

DES is frowned upon, due to lack of security (56 bits only). So, when generating host keytabs, I want to use RC4 (the only remaining option):

C:\>ktpass /princ host/rhel5host1.example.com@EXAMPLE.COM ^
/ptype KRB5_NT_PRINCIPAL /out C:\temp\rhel5host1.keytab /pass mypass ^
/crypto RC4-HMAC-NT /mapuser EXAMPLE\rhel5host1
Targeting domain controller: adserver.example.com
Successfully mapped host/rhel5host1.example.com to RHEL5HOST1$.
WARNING: Account RHEL5HOST1$ is not a user account (uacflags=0x1021).
WARNING: Resetting RHEL5HOST1$'s password may cause authentication problems if RHEL5HOST1$ is being used as a server.

Reset RHEL5HOST1$'s password [y/n]?  y
Password succesfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to C:\temp\rhel5host1.keytab:
Keytab version: 0x502
keysize 72 host/rhel5host1.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xe0c32cda6f6ecc163f442d002bba3daf)

# kinit -k
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/rhel5host1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
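As an added example (not the blog's own code, nor anything from the CSS GetTicket tool), here is a small Python script that parses a keytab in the 0x502 format ktpass writes above, lists each key's principal, kvno and enctype the way klist -ke does, and then checks the keytab against the three enctype options of the krb5.conf [libdefaults] stanza shown earlier in the post. The sample keytab, its dummy keys and the two krb5.conf fragments are constructed inline; the hostnames are the example ones used in this post, and the DES entry exists only to exercise the weak-key check.

```python
# Added example: parse an MIT keytab (format 0x502, as written by ktpass above)
# and check it against the enctypes a krb5.conf [libdefaults] section requests.
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",   # RFC 3961/4757
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3}  # single DES: 56-bit key
ENCTYPE_OPTIONS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def _counted(buf, off):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from keytab bytes (version 0x502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                  # negative size marks a deleted entry slot
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", entry[:2])
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp)
        off += 8                      # skip uint32 name_type and uint32 timestamp
        kvno, off = entry[off], off + 1   # 8-bit vno
        enctype, keylen = struct.unpack(">HH", entry[off:off + 4])
        key, off = entry[off + 4:off + 4 + keylen], off + 4 + keylen
        if off + 4 <= size:           # optional 32-bit vno, used when non-zero
            kvno = struct.unpack(">I", entry[off:off + 4])[0] or kvno
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, enctype, key))
    return entries

def build_keytab(entries):
    """Serialise [(principal, kvno, enctype, key)] in the same 0x502 layout."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def libdefaults_enctypes(conf_text):
    """Return {option: [enctype names]} for the enctype options in [libdefaults]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() in ENCTYPE_OPTIONS:
                found[key.strip()] = val.split()
    return found

def check_keytab_against_conf(keytab_bytes, conf_text):
    """Findings list; empty means no DES key, every default_tkt_enctypes enctype is in the keytab, and the three options agree."""
    findings, conf = [], libdefaults_enctypes(conf_text)
    entries = parse_keytab(keytab_bytes)
    for principal, _, enctype, _ in entries:
        if enctype in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (ENCTYPE_NAMES[enctype], principal))
    have = {ENCTYPE_NAMES.get(e, str(e)) for _, _, e, _ in entries}
    missing = set(conf.get("default_tkt_enctypes", [])) - have
    if missing:   # the mismatch the post ties to "Key table entry not found"
        findings.append("no keytab key for default_tkt_enctypes: " + ", ".join(sorted(missing)))
    if len({tuple(conf.get(k, [])) for k in ENCTYPE_OPTIONS}) > 1:
        findings.append("default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes differ")
    return findings

# Constructed sample data: example hosts, dummy keys, not taken from a real domain.
SAMPLE_KEYTAB = build_keytab([
    ("host/rhel5host1.example.com@EXAMPLE.COM", 3, 23, bytes(range(16))),
    ("host/sol10host1.example.com@EXAMPLE.COM", 2, 3, bytes(range(8)))])
GOOD_CONF = ("[libdefaults]\n default_tkt_enctypes = rc4-hmac\n"
             " default_tgs_enctypes = rc4-hmac\n permitted_enctypes = rc4-hmac\n")
BAD_CONF = ("[libdefaults]\n default_tkt_enctypes = aes256-cts-hmac-sha1-96\n"
            " permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96\n")

if __name__ == "__main__":
    for principal, kvno, enctype, key in parse_keytab(SAMPLE_KEYTAB):
        print(kvno, principal, ENCTYPE_NAMES.get(enctype, enctype), "keylength", len(key))
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, check_keytab_against_conf(SAMPLE_KEYTAB, conf) or "ok")
```

With the second config the script reports that the keytab has no key for the enctype named in default_tkt_enctypes, which is the condition this post associates with "Key table entry not found while getting initial credentials", and that the three options are not identical, the situation the NB at the top warns against. Passing the bytes of /etc/krb5.keytab to parse_keytab gives the same listing as klist -ke.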

3 Responses to Authenticating UNIX/Linux to Windows 2008R2. Part 5 : Kerberos Encryption Types

  1. Pingback: krb5 | Pearltrees

  2. saaki says:

    Thanks a lot for the post, my errors while accessing SAP from SAP GUI in SSO were as below

    Key table entry not found while getting initial credentials

    After a lot of mind boggling and 2.5 weeks of searching and trying various configurations / new kerberos keytabs, I stumbled across your blog.

    Your post nailed the problem, we were getting these problems due to the DES encryption enabled on the AD level user [check box], even though we had generated the SPN using RC4-HMAC encryption.

    Thanks for this wonderful blog and putting up these error messages.
    Heartfelt gratitude my friend !!

    Cheers
    Prashant Vijaydas
