Thanks for the reply. I haven't tried the "host/[EMAIL PROTECTED]" service principal, and I still can't find the difference between "host/[EMAIL PROTECTED]" and "HTTP/[EMAIL PROTECTED]", but "HTTP/[EMAIL PROTECTED]" is OK. Here is my successful stdout:
<2005-11-10 04:24:03 PM CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
>>> KeyTab: load() entry length: 46
>>> KeyTabInputStream, readName(): DLSVR
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): weblogic
Kerberos password for HTTP/[EMAIL PROTECTED]: weblogic
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>> crc32: eaaa376b
>>> crc32: 11101010101010100011011101101011
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1 3 1
>>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=217
>>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=217
>>> KrbKdcReq send: #bytes read=1217
>>> KrbKdcReq send: #bytes read=1217
>>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
>>> crc32: 7d9497b0
>>> crc32: 1111101100101001001011110110000
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/weblogic
Found key for HTTP/[EMAIL PROTECTED]
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> Config reset default kdc DLSVR.COM
object 0: 1131611066395/395706
object 1: 1131610907423/423685
object 0: 1131611066395/395706
object 1: 1131610907423/423685
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 674414680
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: -1357
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <gssContext isEstablished true>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <Out token
 0: 6068 0609 2a86 4886 f712 0102 0202 006f  `h..*.H........o
16: 5930 57a0 0302 0105 a103 0201 0fa2 4b30  Y0W...........K0
32: 49a0 0302 0103 a242 0440 c2b0 cf10 f078  [EMAIL PROTECTED]
48: d11a 749a 48f9 1b2a 5603 6159 99b7 5439  ..t.H..*V.aY..T9
64: 4f20 a344 cd9a 9a4a bc72 0669 77e1 650f  O .D...J.r.iw.e.
80: b596 ffde cca7 f08d daea 8875 e616 a1c9  ...........u....
96: 4746 ab6c ad29 b748 df17                 GF.l.).H..
>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <GSS name is [EMAIL PROTECTED]>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <User name is webserver>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <User name is webserver>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <LDAP ATN LoginModule initialized>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <LDAP Atn Login username: webserver>
<2005-11-10 04:24:08 PM CST> <Debug> <SecurityDebug> <000000> <userExists? user:webserver>

----- Original Message -----
From: "Seema Malkani" <[EMAIL PROTECTED]>
To: "david.turing" <[EMAIL PROTECTED]>
Cc: <kerberos@mit.edu>
Sent: Friday, November 11, 2005 8:59 AM
Subject: Re: KDC has no support for encryption type (14) After Set DES Accout

It appears that your application is looking for the "host/[EMAIL PROTECTED]" service principal, but you have set up the keytab with keys for the "HTTP/[EMAIL PROTECTED]" service principal. Please update your application with the expected service principal "HTTP/[EMAIL PROTECTED]".

Seema

david.turing wrote On 11/09/05 16:46,:
> hi, I have been dealing with this problem for a long time and got no response in the BEA forum.
> I feel very exhausted checking MIT's Kerberos mailing list and the Sun security forum.
> The problem is "KDC has no support for encryption type (14)" when I do SSO between an MS domain and WebLogic.
>
> I had set the account to use the DES encryption type for the host, but nothing changed.
>
> My steps are as below:
>
> 1) First generate the DES encryption type user account for the WebLogic server, namely "weblogic", on Windows AD.
>
> 2) Then I generate the keytab using W2K's ktpass on the AD server:
>
> c:\>ktpass -princ HTTP/[EMAIL PROTECTED] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
>
> and it turns out to be successful.
>
> c:\>ktab -k dlsvr_keytab -a HTTP/[EMAIL PROTECTED]
>
> and I place dlsvr_keytab on the WebLogic server [weblogic].
> I use kinit to check the keytab:
>
> kinit -k -t dlsvr_keytab HTTP/[EMAIL PROTECTED]
>
> output is: New ticket is stored in cache file C:\Documents and Setting ........
>
> 3) I modify the KDC config file in c:\winnt
>
> My W2KSP4 KDC config is:
> c:\winnt\krb5.ini-----------------------------
>
> [libdefaults]
> default_realm = DLSVR.COM
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> ticket_lifetime = 600
>
> [realms]
> DLSVR.COM = {
>   kdc = 192.168.2.231
>   admin_server = dlserver
>   default_domain = DLSVR.COM
> }
>
> [domain_realm]
> .dlsvr.com = DLSVR.COM
>
> [appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
> The log shown in WebLogic tells me that the KDC has no support for encryption type (14).
> I tried to modify the registry entry that Sun mentions for JGSS, changing allowtgtsessionkey, which is located in
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> and set allowtgtsessionkey=1, but nothing helped to prevent "KDC has no support for encryption type (14)".
>
> The log in WebLogic is as below:
> ------------------------------------
>
> <2005-11-8 ....... CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
> >>> KeyTab: load() entry length: 50
> >>> KeyTabInputStream, readName(): DLSVR.COM
> >>> KeyTabInputStream, readName(): host
> >>> KeyTabInputStream, readName(): weblogic
> >>> KeyTab: load() entry length: 44
> >>> KeyTabInputStream, readName(): dlsvr.com
> >>> KeyTabInputStream, readName(): weblogic
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>> crc32: e9889c7a
> >>> crc32: 11101001100010001001110001111010
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbAsReq etypes are: 1
> >>> KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
> >>> KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
> >>> KrbKdcReq send: #bytes read=1217
> >>> KrbKdcReq send: #bytes read=1217
> >>> EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
> >>> crc32: 54c176ae
> >>> crc32: 1010100110000010111011010101110
> >>> KrbAsRep cons in KrbAsReq.getReply host/weblogic
> Found key for host/[EMAIL PROTECTED]
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> <2005-11-8 ........ CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
> GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
>     at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
>     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
>     at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
>     at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
>     at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
>     at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
>     at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
>     at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
>     at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
>     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
>     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
>     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
>     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
>
> Any help or advice would be highly appreciated!
>
> david.turing

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
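The check that settles the host/ versus HTTP/ question in this thread is to read the keytab itself rather than infer its contents from the JGSS trace: the failing log above reads `host` and `weblogic` out of the keytab, the working one reads `HTTP`. The script below is an added example for this thread, not code from either poster, from Sun or from BEA. It parses the MIT version-2 keytab layout (the structure the `KeyTab: load() entry length` / `readName()` lines walk through; the entry lengths 50, 46 and 44 in the trace are exactly what that layout gives for those names with an 8-byte DES key) and reports, for a given SPN, which enctypes the file holds. The sample keytab is constructed inside the script with dummy key bytes; the principal and realm names are the thread's, and `build_keytab`, `parse_keytab` and `check_spn` are names chosen here. One caveat on the error text: the "(14)" in the GSSException is the Kerberos KDC error code KDC_ERR_ETYPE_NOSUPP from RFC 4120, not an enctype number, so it says the KDC could not satisfy any of the enctypes offered, not that some "type 14" is missing.

```python
"""Inspect an MIT-format keytab offline: list every principal and enctype it
holds and check whether the SPN an application will ask for is present.
Added example for this mailing-list thread; the keytab bytes are constructed
here with a dummy key and are not taken from the original posts."""
import struct
import time

# Enctype numbers from RFC 3961 / RFC 3962 and Microsoft's RC4 registration.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

KT_VERSION = b"\x05\x02"  # keytab format version 2: big-endian fields


def build_keytab(entries):
    """Serialise (principal, enctype, key, kvno) tuples into keytab bytes.
    Only used to construct sample input for this example."""
    out = bytearray(KT_VERSION)
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(components))   # v2: realm not counted
        for s in [realm] + components:                # realm first, then components
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">I", 1)                  # name_type KRB5_NT_PRINCIPAL
        body += struct.pack(">I", int(time.time()))   # entry timestamp
        body += struct.pack(">B", kvno & 0xFF)        # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body    # int32 size prefix
    return bytes(out)


def parse_keytab(data):
    """Yield one dict per entry in a version-2 keytab."""
    if data[:2] != KT_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        p = 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        strings = []
        for _ in range(ncomp + 1):    # realm, then ncomp name components
            (n,) = struct.unpack(">H", entry[p:p + 2]); p += 2
            strings.append(entry[p:p + n].decode()); p += n
        realm, components = strings[0], strings[1:]
        name_type, timestamp, kvno8 = struct.unpack(">IIB", entry[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", entry[p:p + 4]); p += 4
        key = entry[p:p + klen]; p += klen
        kvno = kvno8
        if p + 4 <= len(entry):       # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack(">I", entry[p:p + 4])
            if kvno32:
                kvno = kvno32
        yield {
            "principal": "/".join(components) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "kvno": kvno,
            "key_len": len(key),
        }


def check_spn(data, spn):
    """Report the enctypes the keytab holds for spn, plus every principal that
    is present, so a host/ vs HTTP/ mismatch shows up in one line."""
    entries = list(parse_keytab(data))
    hits = [e for e in entries if e["principal"] == spn]
    return {
        "found": bool(hits),
        "enctypes": sorted(e["enctype_name"] for e in hits),
        "present": sorted({e["principal"] for e in entries}),
    }


# Constructed sample: what ktpass -crypto des-cbc-crc (enctype 1) would leave
# for the HTTP SPN, plus the bare account principal. Keys are dummy bytes.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/weblogic@DLSVR.COM", 1, bytes(range(8)), 3),
    ("weblogic@DLSVR.COM", 1, bytes(range(8, 16)), 3),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%(principal)s kvno=%(kvno)d %(enctype_name)s" % e)
    for spn in ("HTTP/weblogic@DLSVR.COM", "host/weblogic@DLSVR.COM"):
        print(spn, check_spn(SAMPLE_KEYTAB, spn))
```

With a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()` and pass the SPN the application logs as "Found key for" or the one browsers will request (`HTTP/<fqdn>@REALM`). MIT's `klist -k -t -e <keytab>` and the JDK's `ktab -l -k <keytab>` print the same principal and enctype information for keytabs they can read; the point of doing it by hand is to see the raw entries when those tools and the application disagree.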