Crypto with the Kerberos Login Handler

Douglas E. Engert deengert at anl.gov
Tue Dec 20 15:50:17 GMT 2011



On 12/20/2011 1:08 AM, MOTTE Frederic wrote:
> Hi,
>
> I have an AD on a Windows 2008R2 and the IdP is on a Debian (jdk 1.6.0_29-b11)
>
> I have some problem using the kerberos login handler.
> My first test was to create a keytab using the RC4-HMAC crypto.
> C:\Users\Administrateur>ktpass -princ HTTP/idp.cersso.com at CERSSO.COM -pass Master2008 -mapuser idp -out c:\temp\idp.http.keytab -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT kvno 0
>
> When I use it on the Debian platform to realise the kinit, it's OK, but when I use it in the loginHandler configuration, I have a checksum exception. In the wiki, the possible solutions are to
> activate DES in the user profile or update the JDK version (if under 1.5.xxx).
>
> Consequently, I try to realise a keytab with the DES-CBC-MD5 crypto option, and when I realise the kinit in order to validate the keytab, I have the following error:
>

Don't use DES. Most if not all Kerberos implementations have it off by default,
and it will cause you problems in the future.

The problem may be in the Java code processing the checksum of the PAC.
I have seen this problem in other Kerberos implementations. (The PAC
contains the UUIDs, and GUIDs for the user account, and is used by Windows
clients.) The IDP does not need the PAC in the ticket, and so the DC can be told
not to add it to the service ticket by setting the
NO_AUTH_DATA_REQUIRED 0x2000000 in the userAccountControl attribute
for the idp account in AD. See:
  http://support.microsoft.com/kb/832572/

We also force the use of RC4-HMAC on the IDP account by setting the
  msDS-supportedEncryptionTypes attribute for the idp account
to 28, (i.e. RC4 only) See:
http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx

(We also use msktutil rather than ktpass to create these types of service
principals and set these bits, but your ktpass should work.)


> kinit (v5), KDC has no support for encrytpion type while getting initial credentials.
>
> Can you help me in order to solve the crypto problem?
>
> Thanks for any help.
>
> Frederic
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
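Editor's added example, not code from this thread or from the Shibboleth project: a small decoder for the two AD attributes the reply above points at, so a reader can check what a given userAccountControl and msDS-supportedEncryptionTypes value actually enables on a service account before changing it. The bit values are the documented ones from MS-ADTS (userAccountControl) and MS-KILE (msDS-supportedEncryptionTypes); the sample account values at the bottom are constructed for illustration. Decoding the value 28 mentioned above shows the RC4_HMAC bit set together with both AES bits, which is worth knowing when reading the attribute on an existing account.

```python
# Added example (not from the original thread): decode and assess the two
# Active Directory attributes discussed in the reply above.

# userAccountControl bits (MS-ADTS 2.2.16). Only a relevant subset is listed;
# unknown bits are still reported, as hex, so nothing is silently dropped.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x02000000: "NO_AUTH_DATA_REQUIRED",   # the 0x2000000 bit from KB832572
}

# msDS-SupportedEncryptionTypes bits (MS-KILE 2.2.7)
ETYPE_FLAGS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC_MD5",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}

DES_BITS = 0x03
AES_BITS = 0x18


def decode_flags(value, table):
    """Return the names of the bits set in value, lowest bit first."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(table.get(mask, hex(mask)))
    return names


def assess_service_account(uac, etypes):
    """Summarise the Kerberos-relevant state of one service account.

    uac    -- integer value of userAccountControl
    etypes -- integer value of msDS-SupportedEncryptionTypes
    Returns a dict with the decoded flags and a list of findings.
    """
    findings = []
    if etypes & DES_BITS:
        findings.append("DES enctype enabled: weak and off by default in "
                        "current Kerberos implementations")
    if uac & 0x00200000:
        findings.append("USE_DES_KEY_ONLY set: account is restricted to DES keys")
    if uac & 0x00400000:
        findings.append("DONT_REQUIRE_PREAUTH set: no pre-authentication "
                        "is required for this account")
    return {
        "etypes": decode_flags(etypes, ETYPE_FLAGS),
        "uac": decode_flags(uac, UAC_FLAGS),
        "pac_suppressed": bool(uac & 0x02000000),
        "aes_available": bool(etypes & AES_BITS),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample: an IdP service account configured as the reply
    # suggests (PAC suppressed via NO_AUTH_DATA_REQUIRED, etypes = 28).
    sample_uac = 0x200 | 0x10000 | 0x2000000      # 33620480
    sample_etypes = 28
    report = assess_service_account(sample_uac, sample_etypes)
    for key, val in report.items():
        print(f"{key}: {val}")
```

Run against real values read from AD (for example with ldapsearch on the idp account), the `findings` list is what a reviewer would act on: any DES bit or USE_DES_KEY_ONLY is a configuration to remove, and `pac_suppressed` confirms whether the NO_AUTH_DATA_REQUIRED change described above has taken effect.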

