Hi, I have been dealing with this problem for a long time and got no response in the BEA forum. I feel very exhausted from checking MIT's Kerberos mailing list and the Sun security forum. The problem is "KDC has no support for encryption type (14)" when I am doing SSO between an MS domain and WebLogic.
I had set the account to use the DES encryption type for the host, but nothing changed. My steps are as below:

1) First, I generated the DES-encryption-type user account for the WebLogic server, namely "weblogic", on Windows AD.

2) Then I generated the keytab using W2K's ktpass on the AD server:

    c:\>ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc

and it turned out to be successful.

    c:\>ktab -k dlsvr_keytab -a HTTP/[EMAIL PROTECTED]

and I placed the dlsvr_keytab on the WebLogic server [weblogic]. I used kinit to check the keytab:

    kinit -k -t dlsvr_keytab HTTP/[EMAIL PROTECTED]

The output is:

    New ticket is store in cache file C:\Documents and Setting ........

3) I modified the KDC config file in c:\winnt. My W2K SP4 KDC config is:

c:\winnt\krb5.ini-----------------------------
[libdefaults]
default_realm = DLSVR.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
ticket_lifetime = 600

[realms]
DLSVR.COM = {
    kdc = 192.168.2.231
    admin_server = dlserver
    default_domain = DLSVR.COM
}

[domain_realm]
.dlsvr.com = DLSVR.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

The log shown in WebLogic told me that KDC has no support for encryption type (14).

I tried to modify the registry entry as Sun mentions for JGSS, changing allowtgtsessionkey, which is located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, setting allowtgtsessionkey=1, but nothing helped to prevent the "KDC has no support for encryption type (14)" error.

The log in WebLogic is as below:
------------------------------------
<2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
>>> KeyTab: load() entry length: 50
>>> KeyTabInputStream, readName(): DLSVR.COM
>>> KeyTabInputStream, readName(): host
>>> KeyTabInputStream, readName(): weblogic
>>> KeyTab: load() entry length: 44
>>> KeyTabInputStream, readName(): dlsvr.com
>>> KeyTabInputStream, readName(): weblogic
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: e9889c7a
>>>crc32: 11101001100010001001110001111010
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=1217
>>> KrbKdcReq send: #bytes read=1217
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>>crc32: 54c176ae
>>>crc32: 1010100110000010111011010101110
>>> KrbAsRep cons in KrbAsReq.getReply host/weblogic
Found key for host/[EMAIL PROTECTED]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
<2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
    at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
    at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
    at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
    at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)

Any help or advice would be highly appreciated!

david.turing
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
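
Added example, not part of the original post: a Python helper that reads a Java Kerberos debug trace like the one above and reports the keytab principals loaded, the etypes offered in the AS-REQ, and the decoded KDC error. The number in parentheses in the Java message is the Kerberos error code (14 is KDC_ERR_ETYPE_NOSUPP in RFC 4120), not an etype number; the function name `summarize` and the lookup tables are illustrative, and SAMPLE is an excerpt of the posted log.

```python
import re

# Kerberos encryption type numbers (IANA registry), subset.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# Kerberos error codes (RFC 4120 section 7.5.9), subset.
ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
          24: "KDC_ERR_PREAUTH_FAILED", 37: "KRB_AP_ERR_SKEW"}

# Excerpt of the WebLogic log from the post, one record per line.
SAMPLE = """\
>>> KeyTab: load() entry length: 50
>>> KeyTabInputStream, readName(): DLSVR.COM
>>> KeyTabInputStream, readName(): host
>>> KeyTabInputStream, readName(): weblogic
>>> KrbAsReq etypes are: 1
GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
"""

def summarize(trace):
    """Return keytab principals, offered etypes and decoded KDC errors."""
    principals, current, offered, errors = [], None, [], []
    for line in trace.splitlines():
        if "KeyTab: load() entry length" in line:
            current = []                 # a new keytab entry starts here
            principals.append(current)
        elif (m := re.search(r"readName\(\): (\S+)", line)) and current is not None:
            current.append(m.group(1))   # realm first, then name components
        elif m := re.search(r"KrbAsReq etypes are: ([\d ]+)", line):
            offered += [int(n) for n in m.group(1).split()]
        elif m := re.search(r"Mechanism level: (.+?) \((\d+)\)\)", line):
            code = int(m.group(2))
            # The trailing number is the Kerberos error code, not an etype.
            errors.append((code, ERRORS.get(code, "unknown"), m.group(1)))
    names = ["/".join(p[1:]) + "@" + p[0] for p in principals if p]
    return {"keytab_principals": names,
            "offered_etypes": [ETYPES.get(n, str(n)) for n in offered],
            "errors": errors}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```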