Kerberos Encryption Types in 2008/2008R2 - DES methods not available affecting SSO for SAP/J2EE apps

    Question

  • Good Evening,
    I have recently stood up a 2008 R2 Domain Controller (and GC). All was running well, but we have found issues with the KDC on this server not issuing tickets for users of a few of our web apps that utilise SSO, namely SAP Portal (J2EE) and Duet (the same).

    Both these apps utilise the DES_CBC_MD5 encryption type. The user accounts they run as are configured in AD to "use DES encryption methods". This works absolutely perfectly with our existing 2003 Domain controllers, tickets are issued successfully and users are logged on.

    Users who authenticate against the new 2008 server however do NOT get issued a kerberos ticket at all. The server logs an event 16, Kerberos-Key-Distribution-Center error, with the following text:

    While processing a TGS request for the target server HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 9). The requested etypes were 3 1. The accounts available etypes were 23 -133 -128. Changing or resetting the password of Service Account will generate a proper key.

    The requested etypes are the DES methods, DES-CBC-MD5 and DES-CBC-CRC. I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment.

    Capturing network traffic shows the server returning an ETYPE_NOT_SUPPORTED error.

    We do have other web apps using SSO using kerberos tickets that work no problem with the new 2008R2 DC, however these use RC4 encryption methods.

    What I have tried:
    1. I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.
    2. As per http://support.microsoft.com/default.aspx/kb/961302 I configured the KdcUseRequestedEtypesForTickets key. Restarted server. I was then issued a ticket, but the Ticket Encryption type was RC4, while the key encryption type was DES-CBC-MD5, which meant SSO did not work.
    3. Various debugging/extra logging etc, nothing useful beyond the first error.

    Does anyone have any ideas or experience with this type of situation? The 2008 DC is currently powered off and holding up our NPS/NAP deployment until I can get this resolved.

    Thanks,
    -Jeff McLuckie

    Monday, 24 August 2009 08:31
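    The event 16 text quoted above carries the whole diagnosis in its two etype lists: what the client asked for versus what keys the DC actually holds for the account. The following is an added example (not from the thread or from Microsoft) that parses such a message, names the etype numbers, and reports the mismatch; the etype names are taken from RFC 3961 and MS-KILE, and the names for the negative Microsoft-specific RC4 variants are an assumption.

```python
import re

# Kerberos etype numbers (RFC 3961 / MS-KILE). The negative ones are
# Microsoft-specific legacy RC4 variants; their names are my reading of
# MS-KILE (an assumption), not something the thread states.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4 (legacy)", -133: "rc4-hmac-old (legacy)",
}
DES_ETYPES = {1, 3}

EVENT16_RE = re.compile(
    r"target server (?P<spn>\S+), the account (?P<account>\S+) did not have"
    r".*?requested etypes were (?P<req>[-\d ]+)\."
    r" The accounts available etypes were (?P<avail>[-\d ]+)\.", re.S)

def parse_event16(text):
    """Pull SPN, account and etype lists out of a KDC event 16 message."""
    m = EVENT16_RE.search(text)
    if not m:
        raise ValueError("not a KDC event 16 'no suitable key' message")
    requested = [int(x) for x in m.group("req").split()]
    available = [int(x) for x in m.group("avail").split()]
    return {"spn": m.group("spn"), "account": m.group("account"),
            "requested": requested, "available": available,
            "missing": [e for e in requested if e not in available]}

def diagnose(text):
    """Say which keys the client asked for that this DC does not hold."""
    info = parse_event16(text)
    missing = info["missing"]
    if not missing:
        return "no etype mismatch"
    names = ", ".join(ETYPE_NAMES.get(e, "etype %d" % e) for e in missing)
    if set(missing) <= DES_ETYPES:
        # The thread's resolution: DES enabled on the DC, then a password
        # reset so that DC generates DES keys for the account.
        return ("%s has no DES key on this DC (missing %s): enable DES etypes "
                "on the DC, then reset the account password" % (info["account"], names))
    return "%s lacks keys for: %s" % (info["account"], names)

# Constructed sample, copied from the event text quoted in the question.
SAMPLE = ("While processing a TGS request for the target server "
          "HTTP/sapserver.domain.tld, the account user@DOMAIN.TLD did not have a "
          "suitable key for generating a Kerberos ticket (the missing key has an ID "
          "of 9). The requested etypes were 3 1. The accounts available etypes were "
          "23 -133 -128. Changing or resetting the password of Service Account will "
          "generate a proper key.")
```

    Run `diagnose()` over the text of each event 16 on the DC: a DES-only "missing" list on an account that has only RC4 keys is exactly the pattern this thread describes.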

Answers

  • Afternoon,
    After much hand wringing we went ahead and reset the passwords on these service accounts.

    Password was reset to the same password, but performed on the 2008 domain controller. All is now working perfectly.

    So it appears to be a combination of
    1. Enabling DES encryption types on the 2008 domain controllers (see 1st post) then
    2. Resetting passwords on those accounts to generate the correct keys.

    I don't understand why this is necessary. I did try to demote and promote the DC after I enabled the DES encryption types without any luck. I will be interested to see what happens when our next 2008 DC is stood up, hopefully I don't have to go through all this again.


    • Marked as answer by Jeff McLuckie Monday, 7 September 2009 04:19
    Monday, 7 September 2009 04:19

All replies

  • Hi Jeff,

    What did you mean saying "I do NOT want to try and reset the service account until I have tried everything possible, especially as it appears to be working at the moment"?

    If "as it appears to be working at the moment", when did the issue occur?

    Also, as far as I know, you have tried all possible methods to troubleshoot this problem; if you need further, please try to reset the account password.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, 25 August 2009 05:51
  • I meant that it is working fine on the existing 2003 domain controllers.

    I guess we'll have to try the password reset. erk.
    Tuesday, 25 August 2009 22:35
  • We are going ahead with the password reset option.

    We tested by:

    1. creating a test site in AD,
    2. putting the DC and a workstation there
    3. disabling all replication in and out of the 2008DC
    4. Take a snapshot of the DC (VMWare)
    5. Test on workstation - no ticket issued, unsupported etype error on DC
    6. Reset password on account on 2008 DC
    7. Visit page, ticket issued from server, everything fine
    8. Revert to snapshot, turn replication on again.

    Will be doing the live reset on tuesday next week so fingers crossed. It is aggravating that this needs to happen.
    Friday, 28 August 2009 02:00
  • How did your test go Jeff?

    We are experiencing the same issue as you have identified, only the TGS request is coming from/for an IBM iSeries for SSO (EIM). Same requested ETYPEs (3 1).

    On our 2003 DCs we can use KTPASS and DSADD to manually add the accounts and assign the SPN values and it works fine for users authenticating to those 2003 DCs, but the exact same commands fail on 2008 R2 with an Access Denied, very odd. The commands are listed below:

    DSADD user cn=test_krbsvr400,cn=users,dc=TESTDOMAIN,dc=ORG -pwd testpassword -display test_krbsvr400

    KTPASS -MAPUSER test_krbsvr400 -PRINC krbsvr400/test.testdomain.org@TESTDOMAIN.ORG -PASS testpassword -mapop set +DesOnly -ptype KRB5_NT_PRINCIPAL

    Resetting the password had no effect.
    Wednesday, 2 September 2009 14:22
  • Sorry just re-read your post. Did you enable the DES encryption types on your 2008 DCs?

    From my first post:
    I have enabled these DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security: Configure available encryption types for Kerberos, enabling All but "Future Encryption Types". Rebooted DC, same issue.

    Do that in your Domain Controller policy or local group policy on the DC to test.
    Monday, 7 September 2009 04:21
  • The encryption types are definitely set properly and the policy is being applied on the DC.

    What did you use to change the password? ADUC or ktpass?
    Tuesday, 8 September 2009 16:21
  • Just ADUC.
    Wednesday, 9 September 2009 00:35
  • The password reset worked. Thanks Jeff.
    Wednesday, 9 September 2009 15:16
  • Glad to hear it. Still trying to understand why this needs to be done. Surely this key info could be replicated from 2k3 DCs.
    Wednesday, 9 September 2009 22:14
  • I'll have our next 2008 R2 DC up in about a week or so, I'll update this thread and let you know whether it makes a difference. I suspect now that the password has been rewritten on the new DC, it will replicate properly to all new ones.
    Wednesday, 9 September 2009 22:34
  • I have a similar problem.
    I have a Win2008 SP2,
    but I can't find
    DES methods, under Computer Configuration/Windows Settings/Local Policies/Security Options/Network Security

    is the path correct?

    stpreda
    Wednesday, 10 February 2010 15:13
  • What service account are you talking about resetting? Not the krbtgt account, right?
    Travis
    Friday, 21 January 2011 20:20
  • See SAP Note 1457499

    https://service.sap.com/sap/support/notes/1457499

    This Note is already included in SP23 of NetWeaver 7.0, not sure about the SP number for 7.01 and 7.02, and the SPNego wizard is actually located at http://<host>:<port>/spnego instead of the location the guide in this note says, but pretty much everything else in the guide applies.

    Also, take a look at this blog:

    http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/18567

    Tuesday, 1 February 2011 17:51
  • Good Day,

    I have a problem.

    I have a machine on Fedora 14 x86 with Kerberos and Samba, and a Win2k3 server Domain controller.

    When I try to connect to the DC using the kinit command, it says:

    [root@samba1 etc]# kinit admin@TESTDOMAIN1.COM
    kinit: No supported encryption types (config file error?) while getting initial credentials

    Here are two lines from my krb5.conf file:

    default_tgs_enctypes =  des-cbc-crc des-cbc-md5
    default_tkt_enctypes =  des-cbc-crc des-cbc-md5

    Both machines are set up on VMWare 7, with bridged network. ping is ok.

    Should I use another enctypes? And what are they, if I should?

    P.S. Sorry for my English. :)

    Friday, 18 February 2011 12:24
  • This option is new in Windows Server 2008 R2, NOT Windows Server 2008 (Standard).

    R2, not SP2.

    Hope that helps.

    Thursday, 3 March 2011 19:41