Kerberos Encryption Types in 2008/2008R2 - DES methods not available affecting SSO for SAP/J2EE apps
-
Monday, August 24, 2009 8:31 AM
Good Evening,
I have recently stood up a 2008 R2 Domain Controller (and GC). All was running well, but we have found issues with the KDC on this server not issuing tickets for users of a few of our web apps that utilise SSO, namely SAP Portal (J2EE) and Duet (the same).
Both these apps utilise the DES_CBC_MD5 encryption type. The user accounts they run as are configured in AD to "use DES encryption methods". This works absolutely perfectly with our existing 2003 Domain controllers, tickets are issued successfully and users are logged on.
Users who authenticate against the new 2008 server however do NOT get issued a kerberos ticket at all. The server logs an event 16, Kerberos-Key-Distribution-Center error, with the following text:
While processing a TGS request for the target server HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 3 1. The accounts available etypes were 23 -133 -128. Changing or resetting the password of Service Account will generate a proper key.
The requested etypes are the DES methods, DES-CBC-MD5 and DES-CBC-CRC. I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment.
Capturing network traffic shows the server returning an ETYPE_NOT_SUPPORTED error.
We do have other web apps using SSO using kerberos tickets that work no problem with the new 2008R2 DC, however these use RC4 encryption methods.
What I have tried:
1. I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.
2. As per http://support.microsoft.com/default.aspx/kb/961302 I configured the KdcUseRequestedEtypesForTickets key. Restarted server. I was then issued a ticket, but the Ticket Encryption type was RC4, while the key encryption type was DES-CBC-MD5, which meant SSO did not work.
3. Various debugging/extra logging etc, nothing useful beyond the first error.
Does anyone have any ideas or experience with this type of situation? The 2008 DC is currently powered off and holding up our NPS/NAP deployment until I can get this resolved.
Thanks,
-Jeff McLuckie
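The Event ID 16 text quoted above carries everything needed to see why the KDC refused: the client asked only for etypes 3 and 1 (single DES), while the account's keys are etype 23 (RC4-HMAC) plus two Microsoft-private negative values, so there is no overlap and the KDC answers ETYPE_NOT_SUPPORTED. The following triage script is an added example, not code from the thread or from Microsoft. It parses that event text, names the etypes from the RFC 3961 / RFC 4757 assignments, reports whether any requested etype has a matching key, and decodes the msDS-SupportedEncryptionTypes bitmask (MS-KILE 2.2.7) that a 2008-level domain controller consults for an account; the attribute is not mentioned in the thread and the mask value in the usage call is constructed.

```python
"""Decode the etype numbers in a Kerberos-Key-Distribution-Center Event ID 16.

Added example, not code from the thread or from Microsoft. The sample event
below is the one quoted in the post; the bitmask in the usage call is
constructed.
"""
import re

# Kerberos etype numbers with their names (RFC 3961, RFC 4757, IANA). The
# negative values the KDC prints are Microsoft-private and stay undecoded.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 3, 24}  # single DES and export-grade RC4

# Bits of the msDS-SupportedEncryptionTypes attribute (MS-KILE 2.2.7).
SUPPORTED_ENCTYPE_FLAGS = [
    (0x01, "DES_CBC_CRC"),
    (0x02, "DES_CBC_MD5"),
    (0x04, "RC4_HMAC_MD5"),
    (0x08, "AES128_CTS_HMAC_SHA1_96"),
    (0x10, "AES256_CTS_HMAC_SHA1_96"),
]

# Event text exactly as quoted in the thread.
SAMPLE_EVENT_16 = (
    "While processing a TGS request for the target server "
    "HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a "
    "suitable key for generating a Kerberos ticket (the missing key has an "
    "ID of 9). The requested etypes were 3 1. The accounts available etypes "
    "were 23 -133 -128. Changing or resetting the password of Service "
    "Account will generate a proper key."
)

EVENT_RE = re.compile(
    r"target server (?P<spn>\S+), the account (?P<account>\S+) did not have"
    r".*?missing key has an ID of (?P<missing>-?\d+)\)"
    r".*?requested etypes were (?P<requested>[-\d ]+?)\."
    r".*?available etypes were (?P<available>[-\d ]+?)\.",
    re.S,
)


def etype_name(etype):
    return ETYPE_NAMES.get(etype, "etype %d (private/unassigned)" % etype)


def parse_event_16(text):
    """Return SPN, account, missing key ID and the two etype lists from the event."""
    m = EVENT_RE.search(text)
    if m is None:
        raise ValueError("text does not look like a KDC Event ID 16 message")
    return {
        "spn": m.group("spn"),
        "account": m.group("account"),
        "missing_key_id": int(m.group("missing")),
        "requested": [int(x) for x in m.group("requested").split()],
        "available": [int(x) for x in m.group("available").split()],
    }


def diagnose(parsed):
    """Explain the mismatch: which requested etypes the account holds keys for."""
    requested, available = parsed["requested"], parsed["available"]
    usable = [e for e in requested if e in available]
    return {
        "usable": usable,
        "requested_names": [etype_name(e) for e in requested],
        "available_names": [etype_name(e) for e in available],
        # True when the client accepts only single DES (the SAP/Duet case).
        "weak_only_request": bool(requested) and all(e in WEAK_ETYPES for e in requested),
        # No overlap means ETYPE_NOT_SUPPORTED on the wire; the account needs
        # keys of the requested type, which only a password reset performed on
        # a DC with those etypes enabled will generate.
        "needs_key_regeneration": not usable,
    }


def decode_supported_enctypes(mask):
    """Names of the etypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in SUPPORTED_ENCTYPE_FLAGS if mask & bit]


if __name__ == "__main__":
    parsed = parse_event_16(SAMPLE_EVENT_16)
    result = diagnose(parsed)
    print("SPN:", parsed["spn"], "account:", parsed["account"])
    print("requested:", result["requested_names"])
    print("available:", result["available_names"])
    print("usable:", result["usable"], "regenerate keys:", result["needs_key_regeneration"])
    # Constructed value: RC4 + AES128 + AES256 enabled, both DES bits clear.
    print("mask 0x1c ->", decode_supported_enctypes(0x1C))
```

Run against the quoted event, `usable` comes back empty and `needs_key_regeneration` is True, which is exactly the outcome the thread reached by hand: with no DES key on the account, the only remedy is a password reset on a DC where DES etypes are enabled, so that the new DES keys get derived and stored.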
Answers
-
Monday, September 07, 2009 4:19 AM
Afternoon,
After much hand wringing we went ahead and reset the passwords on these service accounts.
Password was reset to the same password, but performed on the 2008 domain controller. All is now working perfectly.
So it appears to be a combination of
1. Enabling DES encryption types on the 2008 domain controllers (see 1st post) then
2. Resetting passwords on those accounts to generate the correct keys.
I don't understand why this is necessary. I did try to demote and promote the DC after I enabled the DES encryption types without any luck. I will be interested to see what happens when our next 2008 DC is stood up, hopefully I don't have to go through all this again.
- Marked As Answer by Jeff McLuckie Monday, September 07, 2009 4:19 AM
All Replies
-
Tuesday, August 25, 2009 5:51 AM
Moderator
Hi Jeff,
What did you mean saying "I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment"?
If "as it appears to be working at the moment", when did the issue occur?
Also, as far as I know, you have tried all possible methods to troubleshoot this problem; if you need to go further, please try to reset the account password.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights. -
Tuesday, August 25, 2009 10:35 PM
I meant that it is working fine on the existing 2003 domain controllers.
I guess we'll have to try the password reset. erk. -
Friday, August 28, 2009 2:00 AM
We are going ahead with the password reset option.
We tested by :
1. creating a test site in AD,
2. putting the DC and a workstation there
3. disabling all replication in and out of the 2008DC
4. Take a snapshot of the DC (VMWare)
5. Test on workstation - no ticket issued, unsupported etype error on DC
6. Reset password on account on 2008 DC
7. Visit page, ticket issued from server, everything fine
8. Revert to snapshot, turn replication on again.
Will be doing the live reset on Tuesday next week, so fingers crossed. It is aggravating that this needs to happen. -
Wednesday, September 02, 2009 2:22 PM
How did your test go Jeff?
We are experiencing the same issue as you have identified, only TGS request is coming from/for an IBM iSeries for SSO (EIM). Same requested ETYPEs (3 1).
On our 2003 DCs we can use KTPASS and DSADD to manually add the accounts and assign the SPN values, and it works fine for users authenticating to those 2003 DCs, but the exact same commands fail on 2008 R2 with an Access Denied, very odd. The commands are listed below:
DSADD user cn=test_krbsvr400,cn=users,dc=TESTDOMAIN,dc=ORG -pwd testpassword -display test_krbsvr400
KTPASS -MAPUSER test_krbsvr400 -PRINC krbsvr400/test.testdomain.org@TESTDOMAIN.ORG -PASS testpassword -mapop set +DesOnly -ptype KRB5_NT_PRINCIPAL
Resetting the password had no effect. -
Monday, September 07, 2009 4:21 AM
Sorry, just re-read your post. Did you enable the DES encryption types on your 2008 DCs?
From my first post:
I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.
Do that in your Domain Controller policy or local group policy on the DC to test. -
Tuesday, September 08, 2009 4:21 PM
The encryption types are definitely set properly and the policy is being applied on the DC.
What did you use to change the password? ADUC or ktpass? -
Wednesday, September 09, 2009 12:35 AM
Just ADUC.
-
Wednesday, September 09, 2009 3:16 PM
The password reset worked. Thanks Jeff.
-
Wednesday, September 09, 2009 10:14 PM
Glad to hear it. Still trying to understand why this needs to be done. Surely this key info could be replicated from 2k3 DCs.
-
Wednesday, September 09, 2009 10:34 PM
I'll have our next 2008 R2 DC up in about a week or so; I'll update this thread and let you know whether it makes a difference. I suspect now that the password has been rewritten on the new DC, it will replicate properly to all new ones.
-
Wednesday, February 10, 2010 3:13 PM
I have a similar problem
I have a Win2008 Sp2
But I can't find
DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security
is the path correct?
stpreda -
Friday, January 21, 2011 8:20 PM
What service account are you talking about resetting? Not the krbtgt account, right?
Travis -
Tuesday, February 01, 2011 5:51 PM
See SAP Note 1457499
https://service.sap.com/sap/support/notes/1457499
This Note is already included in SP23 of Netweaver 7.0, not sure about the SP number for 7.01 and 7.02, and the spnego wizard is actually located at http://<host>:<port>/spnego instead of the location the guide in this note gives, but pretty much everything else in the guide applies.
Also, take a look at this blog:
http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567
-
Friday, February 18, 2011 12:24 PM
Good Day,
I have a problem.
I have a machine on Fedora 14 x86 with Kerberos and Samba, and Win2k3 server Domain controller.
When I try to connect to the DC using the kinit command, it says:
[root@samba1 etc]# kinit admin@TESTDOMAIN1.COM
kinit: No supported encryption types (config file error?) while getting initial credentials
Here are two lines from my krb5.conf file:
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
Both machines are set up on VMWare 7, with bridged network. ping is ok.
Should I use another enctypes? And what are they, if I should?
P.S. Sorry for my English. :)
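The kinit error above ("No supported encryption types (config file error?)") is what MIT Kerberos reports when every enctype the configuration allows has been filtered out before the request is even sent. The checker below is an added example, not code from the thread or from the MIT Kerberos project. It reads the top-level settings of a krb5.conf [libdefaults] section with a small purpose-built parser (brace-nested realm blocks are skipped), classifies each enctype list as weak (single DES, export RC4) or strong, and predicts whether kinit can proceed. It assumes, as stated in the code comments, that MIT Kerberos 1.7 and later refuse the DES-family enctypes unless allow_weak_crypto = true, and that a Windows Server 2003 KDC offers RC4-HMAC alongside single DES; the sample file is constructed around the two lines quoted in the post, with a placeholder realm block.

```python
"""Check the enctype lines of an MIT krb5.conf [libdefaults] section.

Added example, not code from the thread or from the MIT Kerberos project.
Assumption: MIT Kerberos 1.7+ treats single-DES enctypes as weak and leaves
kinit with no usable enctype unless allow_weak_crypto = true. The sample
configuration is constructed around the two lines quoted in the post.
"""
import re

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")
WEAK_PREFIXES = ("des-cbc-",)
WEAK_NAMES = {"des", "rc4-hmac-exp", "arcfour-hmac-exp"}

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = TESTDOMAIN1.COM
    default_tgs_enctypes = des-cbc-crc des-cbc-md5
    default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
    TESTDOMAIN1.COM = {
        kdc = dc1.testdomain1.com
    }
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_libdefaults(text):
    """Top-level key/value pairs of [libdefaults]; nested {...} blocks are skipped."""
    values, in_section, depth = {}, False, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            in_section = m.group("name") == "libdefaults"
            continue
        if not in_section:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key.lower()] = value
    return values


def is_weak(enctype):
    """Single DES and export-grade RC4 are the weak set; everything else counts as strong."""
    name = enctype.lower()
    return name in WEAK_NAMES or name.startswith(WEAK_PREFIXES)


def check_enctypes(text):
    """Classify every enctype list present and predict whether kinit can proceed."""
    values = parse_libdefaults(text)
    allow_weak = values.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    report = {"allow_weak_crypto": allow_weak, "lists": {}}
    kinit_will_fail = False
    for key in ENCTYPE_KEYS:
        if key not in values:
            continue
        listed = values[key].split()
        weak = [e for e in listed if is_weak(e)]
        strong = [e for e in listed if not is_weak(e)]
        report["lists"][key] = {"listed": listed, "weak": weak, "strong": strong}
        # A list made only of weak enctypes is emptied by the library unless
        # allow_weak_crypto is set, which is the "No supported encryption types" case.
        if listed and not strong and not allow_weak:
            kinit_will_fail = True
    report["kinit_will_fail"] = kinit_will_fail
    return report


def recommend(offered_by_kdc):
    """Order the KDC's enctypes strong-first so the weak ones are only a fallback."""
    strong = [e for e in offered_by_kdc if not is_weak(e)]
    weak = [e for e in offered_by_kdc if is_weak(e)]
    return strong + weak


if __name__ == "__main__":
    report = check_enctypes(SAMPLE_KRB5_CONF)
    for key, info in report["lists"].items():
        print(key, "weak:", info["weak"], "strong:", info["strong"])
    print("kinit will fail:", report["kinit_will_fail"])
    # Assumption: a Windows Server 2003 KDC offers RC4-HMAC and single DES.
    print("suggested order:", " ".join(recommend(["des-cbc-crc", "des-cbc-md5", "rc4-hmac"])))
```

On the quoted configuration both lists come back with no strong member and `kinit_will_fail` is True. Listing rc4-hmac ahead of the DES types lets the client negotiate the stronger key the 2003 KDC already has, with DES kept only for the services that still require it.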
-
Thursday, March 03, 2011 7:41 PM
This option is new in Windows Server 2008 R2, NOT Windows Server 2008 (Standard).
R2, not SP2.
Hope that helps.