Hah, I know what happens: the IE version. I passed the SSO test on XP SP1, W2K Professional with IE5 (with SP4), but not on IE6 with SP4.

----- Original Message -----
From: "david.turing" <[EMAIL PROTECTED]>
To: "Douglas E. Engert" <[EMAIL PROTECTED]>
Cc: <kerberos@mit.edu>
Sent: Thursday, November 10, 2005 12:05 PM
Subject: KDC has no support for encryption type (14) After Set DES Accout

> Hi, I have been dealing with this problem for a long time, with no response in the BEA forum.
> I feel very exhausted from checking MIT's Kerberos mailing list and the Sun
> security forum.
> The problem is "KDC has no support for encryption type (14)" when I am
> doing SSO between an MS domain and WebLogic.
>
> I had set the account to use the DES encryption type for the host, but
> nothing changed.
>
> My steps are as below:
> 1)
> First, generate the DES encryption type user account for the WebLogic
> server, namely "weblogic", on Windows AD.
>
>
> 2)
> Then I generate the keytab using W2K's ktpass on the AD server:
> c:\>ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser weblogic
> -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
>
> and it turned out to be successful.
>
> c:\>ktab -k dlsvr_keytab -a HTTP/[EMAIL PROTECTED]
>
> and I placed the dlsvr_keytab on the WebLogic server [weblogic].
> I use kinit to check the keytab:
> kinit -k -t dlsvr_keytab HTTP/[EMAIL PROTECTED]
>
> output is: New ticket is store in cache file C:\Documents and Setting ........
>
> 3) I modify the KDC config file in c:\winnt
>
> My W2KSP4 KDC config is:
> c:\winnt\krb5.ini-----------------------------
>
> [libdefaults]
>
> default_realm = DLSVR.COM
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> ticket_lifetime = 600
>
> [realms]
>
> DLSVR.COM = {
> kdc = 192.168.2.231
> admin_server = dlserver
> default_domain = DLSVR.COM
> }
>
> [domain_realm]
> .dlsvr.com= DLSVR.COM
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
>
> The log shown in WebLogic told me that the KDC has no support for
> encryption type (14).
> I tried to modify the registry entry as Sun mentions in JGSS, changing the
> allowtgtsessionkey
> which is located in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> set allowtgtsessionkey=1, but nothing helped to prevent the "KDC has no
> support for encryption type (14)" error.
>
> The log in WebLogic is as below:
> ------------------------------------
>
> <2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found
> Negotiate with SPNEGO token>
> >>> KeyTab: load() entry length: 50
> >>> KeyTabInputStream, readName(): DLSVR.COM
> >>> KeyTabInputStream, readName(): host
> >>> KeyTabInputStream, readName(): weblogic
> >>> KeyTab: load() entry length: 44
> >>> KeyTabInputStream, readName(): dlsvr.com
> >>> KeyTabInputStream, readName(): weblogic
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>>crc32: e9889c7a
> >>>crc32: 11101001100010001001110001111010
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbAsReq etypes are: 1
> >>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of
> retries =3, #bytes=216
> >>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt
> =1, #bytes=216
> >>> KrbKdcReq send: #bytes read=1217
> >>> KrbKdcReq send: #bytes read=1217
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>>crc32: 54c176ae
> >>>crc32: 1010100110000010111011010101110
> >>> KrbAsRep cons in KrbAsReq.getReply host/weblogic
> Found key for host/[EMAIL PROTECTED]
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> <2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS
> exception GSSException: Failure unspecified at GSS-API level
> (Mechanism level: KDC has no support for encryption type (14))
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> KDC has no support for encryption type (14))
> at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
> at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
> at
> weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
> at
> weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProvider
> Impl.java:201)
> at weblogic.security.service.PrincipalAuthenticator
> .assertIdentity(PrincipalAuthenticator.java:553)
> at
> weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
> at
> weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
> at
> weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
> at
> weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
> at
> weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
> at
> weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
> at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
> at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
>
> Any help or advice would be highly appreciated!
>
> david.turing
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos