Re: Crypto with the Kerberos Login Handler

Ristow Rodrigo rodrigo.ristow at
Tue Jan 3 15:36:47 GMT 2012

Hi Frederic,

We have the Kerberos IdP working in our organization with:
- Win Server 2003 - AD and win7 - clients

- The "use DES encryption type" is not enabled for the user.
- java version "1.6.0_20"  OpenJDK Runtime Environment (IcedTea6 1.9.10) (rhel-

The principal/keytab were created with:

    ktpass -princ HTTP/ at DOMAIN.DS.FHNW.CH
           -mapuser DOMAIN\serviceadmin.aaidevsso
           -crypto rc4-hmac-nt
           -ptype KRB5_NT_SRV_HST
           -pass HIDDEN
           -out c:\

I suggest the following steps to verify the problem:

1 - Check the ticket once more on the client side: you can use the klist from the MSDK (
The "HTTP/idp at DOMAIN" ticket must be present (try to log in again if not). Check the encryption type again; in my case:

C:\Program Files\Microsoft SDKs\Windows\v7.0>klist
Current LogonId is 0:0xxxx
Cached Tickets: (xx)
#x>     Client: myname @ DOMAIN.DS.FHNW.CH
        Server: HTTP/ @ ADM.DS.FHNW.CH
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0xxxxxxxx -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)

2 - Check the ticket on the IdP. Maybe it is better not to use the keytab file for now, e.g.

[root@]# kinit HTTP/ at ADM.DS.FHNW.CH
Password: xxxx
[root@]# klist -e -5
Ticket cache: FILE:/tmp/xxxx_0
Default principal: HTTP/ at ADM.DS.FHNW.CH
Valid starting     Expires            Service principal
01/03/xxxx:08:04  01/04/xx 01:08:05  krbtgt/ADM.DS.FHNW.CH at ADM.DS.FHNW.CH
        renew until 01/04/xxxx:xx:04, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

3 - Check the Key Version Number (KVNO). I saw that you are specifying "kvno 0" with ktpass; if the ticket has a kvno, it must match the one in the keytab file.

[root at aai-logon shibboleth-idp]# kvno HTTP/ at ADM.DS.FHNW.CH
HTTP/ at ADM.DS.FHNW.CH: kvno = x

4 - Try to configure the Kerberos IdP with the options kerberosCfg and password (without keytab), e.g.

    <ph:LoginHandler xsi:type="krb:KERBEROS">
        <krb:Realm domain="DOMAIN.FHNW.CH">
            <krb:principal>HTTP/ at ADM.DS.FHNW.CH</krb:principal>
        </krb:Realm>
    </ph:LoginHandler>

5 - Specify the allowed enctypes in the krb5.ini, e.g.

    [libdefaults]
    # the MIT option is default_tkt_enctypes (the initial-ticket enctypes), not default_tgt_enctypes
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac


I hope that helps,
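Steps 1 to 3 above come down to comparing three things: the kvno the KDC currently issues, the kvno and enctypes stored in the keytab, and the enctype of the service ticket the client presents. The script below is an added example, not code from this thread or from the IdP; it parses the text that MIT `klist -ekt`, `kvno` and `klist -e` print and reports exactly those two mismatches (kvno, enctype). The principal HTTP/idp.example.org@EXAMPLE.ORG, the sample tool outputs and the etype-name table are constructed assumptions; the real outputs come from running the three commands on the IdP host.

```python
"""Offline cross-check of a service keytab against the KDC: parses MIT
`klist -ekt <keytab>`, `kvno <principal>` and `klist -e` output and
reports kvno and enctype mismatches.  Sample outputs are constructed."""
import re

# Etype display names printed by `klist -e`, mapped to the tokens that
# `klist -ekt` prints for keytab entries.  Assumption: MIT Kerberos naming.
ETYPE_NAMES = {
    "ArcFour with HMAC/md5": {"arcfour-hmac", "rc4-hmac"},
    "DES cbc mode with RSA-MD5": {"des-cbc-md5"},
}

KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)\s*$")
KVNO_RE = re.compile(r"^(\S+): kvno = (\d+)\s*$")
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (.+?), (.+?)\s*$")


def parse_keytab(text):
    """{(principal, kvno): {enctype tokens}} from `klist -ekt` output."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            entries.setdefault((m.group(2), int(m.group(1))), set()).add(m.group(3))
    return entries


def parse_kvno(text):
    """{principal: kvno} from one or more `kvno` output lines."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_RE.match, text.splitlines()) if m}


def parse_ticket_etypes(text):
    """{service principal: ticket etype} from `klist -e`; the second name
    after 'Etype (skey, tkt):' is the key type the service must hold."""
    result, current = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m and "@" in m.group(1):
            current = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            result[current] = m.group(2)
    return result


def check_service(principal, keytab, kvnos, tickets):
    """List of problems for one service principal; [] when consistent."""
    problems = []
    keytab_kvnos = sorted(k for p, k in keytab if p == principal)
    if not keytab_kvnos:
        return ["principal %s not in keytab" % principal]
    kdc_kvno = kvnos.get(principal)
    if kdc_kvno is None:
        problems.append("no KDC kvno for %s (run kvno first)" % principal)
    elif kdc_kvno not in keytab_kvnos:
        problems.append("kvno mismatch: KDC uses %d, keytab has %s"
                        % (kdc_kvno, keytab_kvnos))
    tkt_etype = tickets.get(principal)
    if tkt_etype:
        # keys stored under the KDC's kvno if present, else any for the principal
        have = keytab.get((principal, kdc_kvno)) or set().union(
            *(v for (p, _), v in keytab.items() if p == principal))
        if not ETYPE_NAMES.get(tkt_etype, set()) & have:
            problems.append("enctype mismatch: ticket uses '%s', keytab has %s"
                            % (tkt_etype, sorted(have)))
    return problems


# Constructed samples: a DES key at kvno 2 in the keytab, KDC already at kvno 3,
# and a client ticket encrypted with RC4 (hypothetical principal and realm).
SVC = "HTTP/idp.example.org@EXAMPLE.ORG"
KEYTAB_OUT = """Keytab name: FILE:/opt/idp/idp.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 01/03/12 08:04:00 HTTP/idp.example.org@EXAMPLE.ORG (des-cbc-md5)
"""
KVNO_OUT = "HTTP/idp.example.org@EXAMPLE.ORG: kvno = 3\n"
KLIST_OUT = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: alice@EXAMPLE.ORG

Valid starting     Expires            Service principal
01/03/12 08:04:05  01/03/12 18:04:05  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 01/04/12 08:04:05, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/03/12 08:05:00  01/03/12 18:04:05  HTTP/idp.example.org@EXAMPLE.ORG
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""


def diagnose(keytab_out=KEYTAB_OUT, kvno_out=KVNO_OUT, klist_out=KLIST_OUT, principal=SVC):
    return check_service(principal, parse_keytab(keytab_out),
                         parse_kvno(kvno_out), parse_ticket_etypes(klist_out))


if __name__ == "__main__":
    for problem in diagnose() or ["keytab consistent with KDC"]:
        print(problem)
```

On a real host, capture the three outputs (`klist -ekt /path/to/idp.keytab`, `kvno HTTP/<host>@REALM`, `klist -e` after obtaining a ticket for the service) and pass them to `diagnose`; a reported kvno mismatch means the keytab must be regenerated (or the kvno on ktpass corrected), an enctype mismatch means the keytab key type and the ticket type do not agree, which is the situation the DES/RC4 choice in ktpass controls.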


From: users-bounces at On behalf of MOTTE Frederic
Sent: Tuesday, 20 December 2011 08:09
To: users at
Subject: Crypto with the Kerberos Login Handler


I have an AD on a Windows 2008R2 and the IdP is on a Debian (jdk 1.6.0_29-b11)

I have some problem using the kerberos login handler.
My first test was to create a keytab using the RC4-HMAC crypto.
C:\Users\Administrateur>ktpass -princ HTTP/ at CERSSO.COM -pass Master2008 -mapuser idp -out c:\temp\idp.http.keytab  -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT  kvno 0

When I use it on the Debian platform for the kinit, it's OK, but when I use it in the loginHandler configuration, I get a checksum exception. In the wiki, the possible solutions are to activate DES in the user profile or update the JDK version (if under

Consequently, I tried to create a keytab with the DES-CBC-MD5 crypto option, and when I run kinit to validate the keytab, I get the following error:

kinit (v5), KDC has no support for encryption type while getting initial credentials.

Can you help me in order to solve the crypto problem?

Thanks for any help.


