Return
-
Title
"KDC has no support for encryption type" error in cross domain configuration -
Description
Cross-forest authentication is not working on some systems. There are two domains with a two-way trust between them. The encryption type RC4_HMAC_MD5 is disabled in the domain the system is joined to but users from the other domain can not authenticate. The default_etypes setting in vas.conf has been set to aes256-cts-hmac-sha1-96. The following errors are seen in the log when vasd debug is enabled:
service ticket request failed, err = 2543, VAS_ERR_KRB5: Kerberos error#012 Failed to obtain credentials.Caused by:#012 KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370): KDC has no support for encryption type -
Cause
The problem was with the configuration of their Trust between the two forests. When configuring the trust there is an option to specify that the other side support AES, this had not been enabled. This is why the event log for the KDC kept showing Event ID 16, stating that it AES was attempted and it only supported AES. -
Resolution
RESOLUTION 1:1 - In Active Directory Domains and Trusts, navigate to the trusted domain object.
2 - Right-click the object, select Properties, and then select Trusts.
3 - In the Domains that trust this domain (incoming trusts) box, select the trusting domain
4 - On on the Trust General tab check box next to "The other domain supports AES Encryption is allowed"
RESOLUTION 2:/opt/quest/bin/vastool configure vas libdefaults default_etypes aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 -
Change Request
597049