KDC has no support for encryption type (14). active-directory kerberos - Dev59 (2024)

For several days I was stuck on the KrbException "KDC has no support for encryption type (14)". I went through many sources, including some in-depth MSDN blog posts (by Hongwei Sun and Sebastian Canevari), but I cannot link them because I lack the reputation.

Thanks for mentioning kvno 0 and disabling DES; with that, my problem is now solved as well.

In the end the problem was in the settings of my user account:

userAccountControl: 0d66048 or 0x10200, i.e. 0b10000001000000000, which matches ADS_UF_DONT_EXPIRE_PASSWD (0x00010000) plus ADS_UF_NORMAL_ACCOUNT (0x00000200), with UF_USE_DES_KEY_ONLY (0x200000) not set

and

msDS-SupportedEncryptionTypes: 0d16 or 0x10, i.e. 0b10000, which matches AES256-CTS-HMAC-SHA1-96 (0x10), with RC4-HMAC (0x04) not set.

ldapsearch -h masterdc.localnet.org -D 'spn_hostname' -w '*password*' -b 'ou=Accounts,dc=localnet,dc=org' -s sub 'userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG' distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
# extended LDIF
#
# LDAPv3
# base <ou=Accounts,dc=localnet,dc=org> with scope subtree
# filter: userPrincipalName=HTTP/hostname.localnet.org@LOCALNET.ORG
# requesting: distinguishedName servicePrincipalName userPrincipalName msDS-SupportedEncryptionTypes userAccountControl
#

# spn_hostname, DokSvc, Services, Accounts, localnet.org
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
distinguishedName: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
msDS-SupportedEncryptionTypes: 16

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

With this account, and the following in my /etc/krb5.conf, I could reliably trigger "KrbException: KDC has no support for encryption type (14)" whenever I removed rc4-hmac from default_tkt_enctypes.

/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LOCALNET.DE
 default_tkt_enctypes = aes256-cts
 default_tgs_enctypes = aes256-cts
 permitted_enctypes = aes256-cts

[realms]
 LOCALNET.ORG = {
  kdc = masterdc.localnet.org:88
  admin_server = masterdc.localnet.org
  default_domain = LOCALNET.ORG
 }

[domain_realm]
 .localnet.org = LOCALNET.ORG
 localnet.org = LOCALNET.ORG

[appdefaults]
 autologin = true
 forward = true
 forwardable = true
 encrypt = true

However, if you change it to default_tkt_enctypes = aes256-cts rc4-hmac, it succeeds.

Note that you can also omit the default_tkt_enctypes directive from /etc/krb5.conf entirely and it works:

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.

So it looks as if Windows Server 2008 SP2 Active Directory explicitly demands RC4-HMAC in the pre-authentication phase:

 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

I had already updated the JCE 1.8.0 policy files in the jre/lib/security folder of my JDK so that AES256 is supported. Cheers!

The encryption types are specified under Kerberos Parameters:

Kerberos参数http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml

etype  encryption type           Reference
1      des-cbc-crc               [RFC3961]
3      des-cbc-md5               [RFC3961]
17     aes128-cts-hmac-sha1-96   [RFC3962]
18     aes256-cts-hmac-sha1-96   [RFC3962]
23     rc4-hmac                  [RFC4757]

Failure:

java -cp /somepath/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/hostname.localnet.org@LOCALNET.ORG
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/hostname.localnet.org@LOCALNET.ORG
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
LSA: Found Ticket
LSA: Made NewWeakGlobalRef
LSA: Found PrincipalName
LSA: Made NewWeakGlobalRef
LSA: Found DerValue
LSA: Made NewWeakGlobalRef
LSA: Found EncryptionKey
LSA: Made NewWeakGlobalRef
LSA: Found TicketFlags
LSA: Made NewWeakGlobalRef
LSA: Found KerberosTime
LSA: Made NewWeakGlobalRef
LSA: Found String
LSA: Made NewWeakGlobalRef
LSA: Found DerValue constructor
LSA: Found Ticket constructor
LSA: Found PrincipalName constructor
LSA: Found EncryptionKey constructor
LSA: Found TicketFlags constructor
LSA: Found KerberosTime constructor
LSA: Finished OnLoad processing
Native config name: C:\Windows\krb5.ini
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:
	hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=216
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=216
>>> KrbKdcReq send: #bytes read=194
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16
>>>Pre-Authentication Data:
	 PA-DATA type = 15
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
	 suSec is 822386
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16
>>>Pre-Authentication Data:
	 PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 18.
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=305
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=305
>>> KrbKdcReq send: #bytes read=93
>>> KdcAccessibility: remove masterdc.localnet.org:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Jan 17 18:49:14 CET 2017 1484675354000
	 suSec is 25186
	 error code is 14
	 error Message is KDC has no support for encryption type
	 sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
	 msgType is 30
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
	at sun.security.krb5.KrbAsRep.<init>(Unknown Source)
	at sun.security.krb5.KrbAsReqBuilder.send(Unknown Source)
	at sun.security.krb5.KrbAsReqBuilder.action(Unknown Source)
	at sun.security.krb5.internal.tools.Kinit.<init>(Unknown Source)
	at sun.security.krb5.internal.tools.Kinit.main(Unknown Source)
Caused by: KrbException: Identifier doesn't match expected value (906)
	at sun.security.krb5.internal.KDCRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.init(Unknown Source)
	at sun.security.krb5.internal.ASRep.<init>(Unknown Source)
	... 5 more

Success:

java -cp /home/wls0/webdav/krb5.jar -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t /somepath/spn_hostname.keytab HTTP/hostname.localnet.org@LOCALNET.ORG
>>>KinitOptions cache name is /tmp/krb5cc_723
Principal is HTTP/hostname.localnet.org@LOCALNET.ORG
>>> Kinit using keytab
>>> Kinit keytab file name: /somepath/spn_hostname.keytab
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>> Kinit realm name is LOCALNET.ORG
>>> Creating KrbAsReq
>>> KrbKdcReq local addresses for hostname.localnet.org are:
	hostname.localnet.org/192.168.1.2
IPv4 address
>>> KdcAccessibility: reset
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 1
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 64; type: 3
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 23
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 88; type: 18
>>> KeyTabInputStream, readName(): LOCALNET.ORG
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): hostname.localnet.org
>>> KeyTab: load() entry length: 72; type: 17
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 23 18.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=180
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=180
>>> KrbKdcReq send: #bytes read=201
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
	 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16
>>>Pre-Authentication Data:
	 PA-DATA type = 15
>>> KdcAccessibility: remove masterdc.localnet.org
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Jan 17 19:11:56 CET 2017 1484676716000
	 suSec is 116308
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/LOCALNET.ORG@LOCALNET.ORG
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
	 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16
>>>Pre-Authentication Data:
	 PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18.
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
default etypes for default_tkt_enctypes: 23 18.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=masterdc.localnet.org UDP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org UDP:88, timeout=30000,Attempt =1, #bytes=269
>>> KrbKdcReq send: #bytes read=94
>>> KrbKdcReq send: kdc=masterdc.localnet.org TCP:88, timeout=30000, number of retries =3, #bytes=269
>>> KDCCommunication: kdc=masterdc.localnet.org TCP:88, timeout=30000,Attempt =1, #bytes=269
>>>DEBUG: TCPClient reading 1615 bytes
>>> KrbKdcReq send: #bytes read=1615
>>> KdcAccessibility: remove masterdc.localnet.org
Looking for keys for: HTTP/hostname.localnet.org@LOCALNET.ORG
Added key: 17version: 0
Added key: 18version: 0
Added key: 23version: 0
Found unsupported keytype (3) for HTTP/hostname.localnet.org@LOCALNET.ORG
Found unsupported keytype (1) for HTTP/hostname.localnet.org@LOCALNET.ORG
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.localnet.org
New ticket is stored in cache file /tmp/krb5cc_723

Note: you may have to extract the Kerberos 5 tools from a Windows JDK, because Oracle dropped them as of JDK 1.6. On Linux this then gives you the additional debug output with the parameter (-Dsun.security.krb5.debug=true).

mkdir sun.security.krb5
cd sun.security.krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -xf C:\Oracle\Java\jre1.8.0_112\lib\rt.jar sun\security\krb5
"C:\Oracle\Java\jdk1.8.0_112\bin\jar.exe" -cf krb5.jar sun\security\krb5
dir

This is the workaround for JDK-6910497: Kinit class is missing. http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6910497
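An added example, not part of the answer above: a small Python diagnostic that reads the three artefacts the answer collected (the ldapsearch output, the keytab entries, and the etype negotiation visible in the kinit debug log) and reports where the etype sets fail to overlap. The bit values for userAccountControl and msDS-SupportedEncryptionTypes are the documented Microsoft constants; the LDIF and log excerpts embedded below are constructed from the output shown above, and the "try widening default_tkt_enctypes" hint simply encodes the fix the answer arrived at (it is an assumption that this is the right remedy in other environments).

```python
"""Cross-check the three places an AS-REQ etype mismatch can come from: the account's
userAccountControl / msDS-SupportedEncryptionTypes (LDAP), the key types in the keytab,
and what client and KDC actually exchanged (both parsed from kinit debug output)."""
import re

# userAccountControl bits (ADS_USER_FLAG_ENUM); only the ones relevant to Kerberos keys.
UAC_FLAGS = {
    0x00000002: "ADS_UF_ACCOUNTDISABLE",
    0x00000200: "ADS_UF_NORMAL_ACCOUNT",
    0x00010000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x00200000: "ADS_UF_USE_DES_KEY_ONLY",
    0x00400000: "ADS_UF_DONT_REQUIRE_PREAUTH",
}
# msDS-SupportedEncryptionTypes bit -> IANA Kerberos etype number.
SET_BIT_TO_ETYPE = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DES_ETYPES = {1, 3}  # the Java client logs these as "unsupported keytype"


def decode_uac(value):
    """Names of the set userAccountControl flags, e.g. 66048 -> DONT_EXPIRE_PASSWD, NORMAL_ACCOUNT."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def decode_supported_enctypes(value):
    """msDS-SupportedEncryptionTypes -> set of etype numbers; 0/absent yields an empty set
    (the DC then applies its own default, which LDAP alone does not tell you)."""
    return {et for bit, et in SET_BIT_TO_ETYPE.items() if value & bit}


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, comments skipped, multi-valued attrs kept."""
    attrs = {}
    for line in text.splitlines():
        key, sep, val = line.partition(": ")
        if sep and not line.startswith("#"):
            attrs.setdefault(key, []).append(val.strip())
    return attrs


def parse_kinit_debug(text):
    """Extract keytab key types, client-requested etypes, KDC-offered etypes (PA-ETYPE-INFO2)
    and the outcome from -Dsun.security.krb5.debug=true output."""
    info = {"keytab": set(), "requested": set(), "offered": set()}
    for m in re.finditer(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", text):
        info["keytab"].add(int(m.group(1)))
    for m in re.finditer(r"default etypes for default_tkt_enctypes: ([\d ]+)\.", text):
        info["requested"] |= {int(x) for x in m.group(1).split()}
    for m in re.finditer(r"PA-ETYPE-INFO2 etype = (\d+)", text):
        info["offered"].add(int(m.group(1)))
    codes = [int(c) for c in re.findall(r"error code is (\d+)", text)]
    # 25 (KDC_ERR_PREAUTH_REQUIRED) is the normal first round trip, not a failure.
    info["error"] = next((c for c in reversed(codes) if c != 25), None)
    info["ticket"] = "New ticket is stored in cache" in text
    return info


def diagnose(ldif_attrs, debug):
    """Human-readable findings, in a fixed order, for one kinit attempt."""
    findings = []
    uac = int(ldif_attrs.get("userAccountControl", ["0"])[0])
    account = decode_supported_enctypes(int(ldif_attrs.get("msDS-SupportedEncryptionTypes", ["0"])[0]))
    if "ADS_UF_USE_DES_KEY_ONLY" in decode_uac(uac):
        findings.append("account is restricted to DES keys (ADS_UF_USE_DES_KEY_ONLY)")
    if not account:
        findings.append("msDS-SupportedEncryptionTypes is 0/absent: DC default applies")
    if not debug["requested"] & debug["keytab"]:
        findings.append("client requests no etype for which the keytab holds a key")
    if debug["offered"] and not debug["requested"] & debug["offered"]:
        findings.append("no overlap between requested etypes and KDC PA-ETYPE-INFO2")
    if account and not debug["requested"] & account:
        findings.append("no overlap between requested etypes and msDS-SupportedEncryptionTypes")
    if debug["error"] == 14:
        findings.append("KDC returned KDC_ERR_ETYPE_NOSUPP (14)")
        spare = sorted((debug["keytab"] - debug["requested"]) - DES_ETYPES)
        if spare:  # hint mirrors the fix in the answer above (assumed, not a general rule)
            findings.append("keytab also holds %s: try widening default_tkt_enctypes"
                            % ", ".join(ETYPE_NAMES[e] for e in spare))
    if debug["ticket"]:
        findings.append("AS exchange succeeded; ticket cached")
    return findings


# Constructed sample input, modelled on the ldapsearch and kinit output shown above.
SAMPLE_LDIF = """\
dn: CN=spn_hostname,OU=DokSvc,OU=Services,OU=Accounts,DC=localnet,DC=org
userAccountControl: 66048
userPrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
servicePrincipalName: HTTP/hostname.localnet.org
servicePrincipalName: HTTP/hostname.localnet.org@LOCALNET.ORG
msDS-SupportedEncryptionTypes: 16
"""
KEYTAB_LINES = "".join(">>> KeyTab: load() entry length: 64; type: %d\n" % t for t in (1, 3, 23, 18, 17))
FAILED_RUN = KEYTAB_LINES + """\
default etypes for default_tkt_enctypes: 18.
     PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
     error code is 25
     error code is 14
     error Message is KDC has no support for encryption type
"""
GOOD_RUN = KEYTAB_LINES + """\
default etypes for default_tkt_enctypes: 23 18.
     PA-ETYPE-INFO2 etype = 18, salt = LOCALNET.ORGHTTPhostname.localnet.org, s2kparams = null
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
     error code is 25
New ticket is stored in cache file /tmp/krb5cc_723
"""

if __name__ == "__main__":
    attrs = parse_ldif(SAMPLE_LDIF)
    print("UAC flags:", decode_uac(int(attrs["userAccountControl"][0])))
    for label, log in (("failed run", FAILED_RUN), ("good run", GOOD_RUN)):
        print(label + ":", *diagnose(attrs, parse_kinit_debug(log)), sep="\n  ")
```

Against real output, feed the raw ldapsearch result to parse_ldif and the whole kinit debug log to parse_kinit_debug. Note what the failing run on this page looks like through this lens: client, keytab, account attribute and the KDC's PA-ETYPE-INFO2 all agree on etype 18, and the KDC still answers with error 14, so the overlap checks alone cannot explain it; the only lead the data gives is the one the answer followed, adding rc4-hmac (or dropping the directive so the client sends 18 17 16 23).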
