Still having issues getting SSO to work. I’ve had one of our network engineers sniff the traffic and they came back with the attached PDF.
The main thing I see is:
Kerberos: Error-Code = 14 (KDC has no support for encryption type)
I found the error on Sun’s site via Google:
javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14) - KDC has no support for encryption type
Cause 1: Your KDC does not support the encryption type requested.
Solution 1: Sun’s implementation of Kerberos supports the following encryption types: <code>des-cbc-md5</code>, <code>des-cbc-crc</code> and <code>des3-cbc-sha1</code>.
Applications can select the desired encryption type by specifying the following tags in the Kerberos configuration file <code>krb5.conf</code>:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
If not specified, the default value is:
des-cbc-md5 des-cbc-crc des3-cbc-sha1
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an “empty” session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
Solution 2: You need to update the Windows registry to disable this new feature. The registry key <code>allowtgtsessionkey</code> should be added and set correctly to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 (default is 0)
By default, the value is 0; setting it to “0x01” allows a session key to be included in the TGT.
Here is the location of the registry setting on Windows XP SP2:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Now obviously I’ve already made the appropriate registry changes, any other thoughts?
Thanks,
-Stuart
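
An added example, not part of the original post or of Sun's documentation: a Python check for Cause 1 that reads the three `[libdefaults]` settings from `krb5.conf` text and lists which configured enctypes a KDC also supports. The function names, the sample configuration and the KDC's enctype list are constructed assumptions.

```python
import re

# Enctypes the quoted documentation lists for Sun's implementation; it also
# gives this list as the default when a setting is not specified.
SUN_DEFAULT = ["des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1"]
SETTINGS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Return {setting: [enctypes]} read from the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in SETTINGS:
                found[key] = [e for e in re.split(r"[,\s]+", value.lower()) if e]
    return found

def common_enctypes(conf_text, kdc_enctypes):
    """Per setting, the configured enctypes the KDC also supports.
    An empty list means no shared type: the error code 14 condition."""
    conf = parse_libdefaults(conf_text)
    kdc = {e.lower() for e in kdc_enctypes}
    return {s: [e for e in conf.get(s, SUN_DEFAULT) if e in kdc] for s in SETTINGS}

# Constructed sample input, not taken from the post.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
SAMPLE_KDC = ["rc4-hmac", "des-cbc-md5"]   # assumed KDC-supported enctypes

if __name__ == "__main__":
    for setting, shared in common_enctypes(SAMPLE_CONF, SAMPLE_KDC).items():
        print(setting, "->", shared or "no common enctype (error 14)")
```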