krb5 1.15 interop with Windows 2000
Weijun Wang
2017-09-18 12:49:14 UTC
I am running kinit against a Windows 2000 server and see

kinit: KDC has no support for encryption type while getting initial credentials

After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.

Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.

Is this a known issue?

Thanks
Max


_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2017-09-18 14:42:48 UTC
Post by Weijun Wang
I am running kinit against a Windows 2000 server and see
kinit: KDC has no support for encryption type while getting initial credentials
After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
Is this a known issue?
It's not a familiar issue to me. We also have Camellia enctypes in the
default list, so if the Windows 2000 KDC is simply erroring out on
unknown enctypes, one would think this issue would have manifested long ago.

If you put the aes-sha2 enctypes back but put them at the end rather
than third and fourth, does kinit still fail? It's conceivable that
rc4-hmac needs to appear early enough in the list, or has to appear
before unknown enctypes, or something.
Weijun Wang
2017-09-18 15:06:20 UTC
Post by Greg Hudson
Post by Weijun Wang
I am running kinit against a Windows 2000 server and see
kinit: KDC has no support for encryption type while getting initial credentials
After I remove the aes-sha2 etypes from default_tkt_enctypes from krb5.conf, kinit succeeds.
Looks like although Windows 2000 uses RC4-HMAC, it is aware of aes-sha1 etypes and allows them in etypes in AS-REQ. However, when aes-sha2 etypes appear there, it fails.
Is this a known issue?
It's not a familiar issue to me. We also have Camellia enctypes in the
default list, so if the Windows 2000 KDC is simply erroring out on
unknown enctypes, one would think this issue would have manifested long ago.
If you put the aes-sha2 enctypes back but put them at the end rather
than third and fourth, does kinit still fail? It's conceivable that
rc4-hmac needs to appear early enough in the list, or has to appear
before unknown enctypes, or something.
Just tried some different combinations of default_tkt_enctypes. This error only happens when aes256-sha2 is placed before rc4-hmac. All other etypes are safe.

BTW, the server does not complain with its 1st PREAUTH_REQUIRED response, and in my 2nd AS-REQ, if I provide a wrong password, the error is PASSWORD_INCORRECT. Only if I provide the correct password does it return this error. Seems like it decides to choose etype 20 but only realizes it's not supported after a while.

--Max


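An added example (not code from the thread or from MIT krb5): a small Python lint for the ordering Max reports, which flags a krb5.conf whose default_tkt_enctypes lists aes256-cts-hmac-sha384-192 (etype 20) ahead of rc4-hmac (etype 23) and produces the reordered list Greg suggested trying. The sample krb5.conf text, the KDC hostname and the alias table are constructed for the example; the etype numbers are from RFC 3961, 3962, 4757, 6803 and 8009.

```python
import re

# Enctype numbers from RFC 3961/3962/4757/6803/8009 with the krb5.conf aliases
# MIT krb5 accepts (subset constructed for this example; extend as needed).
ENCTYPES = {
    "aes128-cts-hmac-sha1-96": 17, "aes128-cts": 17, "aes128-sha1": 17,
    "aes256-cts-hmac-sha1-96": 18, "aes256-cts": 18, "aes256-sha1": 18,
    "aes128-cts-hmac-sha256-128": 19, "aes128-sha2": 19,
    "aes256-cts-hmac-sha384-192": 20, "aes256-sha2": 20,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour-hmac-md5": 23, "des3-cbc-sha1": 16,
    "camellia128-cts-cmac": 25, "camellia256-cts-cmac": 26,
}
RC4_HMAC, AES256_SHA2 = 23, 20  # Max's finding: etype 20 must come after rc4-hmac

# Constructed sample krb5.conf; aes-sha2 types third and fourth, as Greg describes.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 \
arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac
"""

def parse_tkt_enctypes(conf_text):
    """Etype numbers from [libdefaults] default_tkt_enctypes, in krb5.conf order
    (the order the client advertises them in the AS-REQ)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and line.startswith("default_tkt_enctypes"):
            names = re.split(r"[\s,]+", line.split("=", 1)[1].strip())
            return [ENCTYPES[n.lower()] for n in names]  # KeyError on unknown name
    return []

def aes256_sha2_before_rc4(etypes):
    """True for the failing ordering; a list missing either type is another problem."""
    if AES256_SHA2 not in etypes or RC4_HMAC not in etypes:
        return False
    return etypes.index(AES256_SHA2) < etypes.index(RC4_HMAC)

def move_after_rc4(etypes, etype=AES256_SHA2):
    """Copy of etypes with `etype` moved to just after rc4-hmac (Greg's reordering)."""
    if etype not in etypes or RC4_HMAC not in etypes:
        return list(etypes)
    rest = [e for e in etypes if e != etype]
    i = rest.index(RC4_HMAC) + 1
    return rest[:i] + [etype] + rest[i:]
```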
Benjamin Kaduk
2017-09-18 21:52:12 UTC
Post by Weijun Wang
Just tried some different combinations of default_tkt_enctypes. This error only happens when aes256-sha2 is placed before rc4-hmac. All other etypes are safe.
BTW, the server does not complain with its 1st PREAUTH_REQUIRED response, and in my 2nd AS-REQ, if I provide a wrong password, the error is PASSWORD_INCORRECT. Only if I provide the correct password does it return this error. Seems like it decides to choose etype 20 but only realizes it's not supported after a while.
Just noting that this thread would be on-topic for the ***@ietf.org list
if you wanted to mention it there.

-Ben