Not able to perform single sign-on even while configuring multiple encryption types using the ktpass command

    Question

  • Hello,

    I am trying to test various encryption methods for single sign-on using a Windows AD DC server (Win2012 R2), a Windows client machine (Windows 8.1) and a BS2000 machine.

    We have created many keytab files for various encryption types for the same domain user using the ktpass command,

    and set up the Kerberos key on the BS2000 machine using the /ADD-KEYTAB-ENTRY command; Windows ID access authorization for single sign-on is defined for the BS2000 user ID by the /MODIFY-LOGON-PROTECTION command.

    But after logging in to the Windows client machine with the domain user that is used in the ktpass command and trying to log in to the BS2000 machine without a password, the login fails [with the error key version mismatch or encryption type is not defined].

    We have configured AES128-SHA1 and AES256-SHA1 using the ktpass command and confirmed both are supported on the BS2000 machine.

    1. After logging in to the Windows client machine using the domain user that is used in the ktpass command, and then trying to log in to the BS2000 machine from the Windows client machine, the login fails [with the error key version mismatch or encryption type is not defined]. Please help to resolve this problem.

    2. While logged in to the Windows client machine with the domain user [which is used in the ktpass command], when checking the cached tickets using the klist command, only the ticket with encryption type AES-256-CTS-HMAC-SHA1-96 is displayed. Please suggest how we can use AES128-SHA1 encryption instead of AES-256-CTS-HMAC-SHA1-96.

    3. Can we remove the encryption type AES-256-CTS-HMAC-SHA1-96 from the keytab files / from Active Directory so that the other encryption types can be verified?

    4. We have configured various encryption types using the ktpass command for the same domain user and created the keytab files on the AD DC server, and using the key version number from the output of the ktpass command, keytab entries were added on the BS2000 machine for single sign-on.

    As various encryption types are added for a single domain user and the corresponding key versions are added in the key table of the BS2000 machine, please suggest which encryption type will be used when performing single sign-on, and why.

    Thank You

    Thursday, December 8, 2016 4:33 PM
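The two errors quoted in the question, key version mismatch and encryption type not defined, are the two ways the lookup a Kerberos service performs on an incoming service ticket can fail: the ticket is encrypted under one (kvno, enctype) key of the service principal, and the service's keytab must hold an entry whose principal, key version number and encryption type all match. The Python below is an added example, not code from this thread, from Microsoft or from the BS2000 product. It parses an MIT-format keytab (version 0x0502, the layout ktpass writes), lists each entry's kvno and enctype the way a keytab listing tool would, and reports which of the two conditions a given ticket would hit. The principal name, kvno values and key bytes are constructed sample data and the sample keytab is built in memory; to inspect a real file, pass its bytes to parse_keytab.

```python
import struct
from collections import namedtuple

# Kerberos enctype numbers (IANA registry; RFC 3961, RFC 3962, RFC 4757)
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")


def build_keytab(entries):
    """Serialize entries as an MIT keytab, format version 0x0502 (big-endian).
    Used here only to construct an in-memory sample; ktpass writes this layout."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.split("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))   # v2: realm is not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">II", 1, 0)                   # name type 1 (principal), timestamp
        body += struct.pack(">B", e.kvno & 0xFF)           # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                  # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def _counted(data, p):
    """Read a uint16-length-prefixed octet string at offset p."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n


def parse_keytab(data):
    """Return KeytabEntry records from keytab bytes (format 0x0502 only)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is supported")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = _counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        p += 8                       # skip name type and timestamp
        kvno, p = data[p], p + 1
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = bytes(data[p:p + klen])
        p += klen
        if end - p >= 4:             # 32-bit vno present: overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, p)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key))
        pos = end
    return entries


def describe(entries):
    """One line per entry, in the style of MIT 'klist -k'."""
    return ["%s kvno=%d %s" % (e.principal, e.kvno,
            ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype)) for e in entries]


def diagnose_ticket(entries, principal, ticket_kvno, ticket_enctype):
    """Mimic the lookup a service does on an incoming service ticket: the ticket is
    encrypted under one (kvno, enctype) key and the keytab must hold exactly that one."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return "no entry for principal"
    if any(e.kvno == ticket_kvno and e.enctype == ticket_enctype for e in mine):
        return "ok"
    if not any(e.kvno == ticket_kvno for e in mine):
        return "key version mismatch"           # no key at the ticket's kvno
    return "encryption type is not defined"     # kvno present, but not in that enctype


# Constructed sample: one service principal at two kvnos, which is what two keytab
# generations with a password reset in between leave behind. Keys are dummy bytes.
SAMPLE_PRINCIPAL = "host/bs2000.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_PRINCIPAL, 3, 17, b"\x11" * 16),   # aes128 at kvno 3
    KeytabEntry(SAMPLE_PRINCIPAL, 4, 18, b"\x22" * 32),   # aes256 at kvno 4
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(describe(entries)))
    for kvno, etype in [(4, 18), (4, 17), (5, 18)]:
        print("ticket kvno=%d %s -> %s" % (kvno, ENCTYPE_NAMES[etype],
              diagnose_ticket(entries, SAMPLE_PRINCIPAL, kvno, etype)))
```

Run against the sample, a ticket at kvno 4 in AES128 fails as "encryption type is not defined" because AES128 only exists at kvno 3, and a ticket at kvno 5 fails as "key version mismatch" because no key at that version exists at all; the same two checks, applied to the entries actually loaded on the BS2000 side and to the kvno and enctype of the ticket the Windows client presents, tell apart the two messages in the question. Since every password reset of the account advances its kvno, keys for several enctypes are only usable together when they were generated at the same kvno; ktpass can write all enctypes in a single run with /crypto All. Which enctype the ticket carries is decided by the KDC, not the client: it picks the strongest enctype the service account advertises as supported, which is why only AES-256 shows up in klist when both AES types are enabled.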

All replies

  • Hi,
    Since the question involves Windows and non-Windows environments, I am afraid that it is hard to be fully supported in the forum due to the lack of a test environment, and in this case I would suggest you open a case with Microsoft Technical Support to see if they could offer some ideas: https://support.microsoft.com/en-us/contactus/?ws=support
    Thank you for your understanding.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 12, 2016 7:02 AM
    Moderator