-
Title
KRB5_PROG_ETYPE_NOSUPP (-1765328234): Program lacks support for encryption type -
Description
When attempting to join to a domain the following error is reported, and the join fails.
++++++++++++++++++++++
ERROR: Could not authenticate as userxxx
VAS_ERR_KRB5: Kerberos error
Failed to obtain credentials. Client: userxxx@EXAMPLE.SUBDOMAIN.EXAMPLE.COM, Service: krbtgt/ EXAMPLE.SUBDOMAIN.EXAMPLE.COM @ EXAMPLE.SUBDOMAIN.EXAMPLE.COM, Server: host.example.subdomain.example.com
Caused by:
KRB5_PROG_ETYPE_NOSUPP (-1765328234): Program lacks support for encryption type
Reason: no valid enctype set++++++++++++++++++++++
Unix servers already joined, are working after setting:
# /opt/quest/bin/vastool configure vas libdefaults default_etypes aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96 -
Cause
The error KRB5KDC_ERR_ETYPE_NOSUPP: Program lacks support for encryption type means the domain controller did not accept the encryption type.CAUSE 1: Wrong encryption type used as ARCFOUR was disallowed in the environment.CAUSE 2: The encryption type used by the account doing the join is incorrect. -
Resolution
Please check with your AD team what encryption types are valid for your environment.
RESOLUTION 1:
It is possible to specify these etypes before a join, just run the following configure command to successfully join the domain.
# /opt/quest/bin/vastool configure vas libdefaults default_etypes aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96
RESOLUTION 2:To check the account in Active Directory right click the user and go to properties scroll down the list of account options. You should seeUse Kerberos DES encryption types for this accountThis account supports Kerberos AES 128bit encryptionThis account supports Kerberos AES 256 encryptionDo not require Kerberos preauthentication.We needed to Uncheck Use Kerberos DES encryption types for this account on the account. -
Additional Information
Here is some information from Microsoft on Windows Configurations for Kerberos Supported Encryption Type: https://docs.microsoft.com/en-ca/archive/blogs/openspecification/windows-configurations-for-kerberos-supported-encryption-type