Authenticating UNIX/Linux to Windows 2008R2. Part 5 : Kerberos Encryption Types
Background
There is a particular difficulty in Kerberos with Windows: What encryption type to use.
Encryption is used for both the ticket-granting-ticket and session tickets.
NB. I strongly suggest to use the a strong same encryption type for both, and to hard code that type at both ends.
In Windows, this is done through Group Policy:
To confirm whether an encyption type is supported, edit krb5.conf, and insert into the libdefaults section:
[libdefaults] default_tkt_enctypes = rc4-hmac default_tgs_enctypes = rc4-hmac permitted_enctypes = rc4-hmac
There exists a handy too from http://www.css-security.com/downloads/ called GetTicket , which can be used to test whether a Ticket-Granting-Ticket and Service-Ticket can be obtained.
default_tkt_enctypes controls the ticket granting ticket, and default_tgs_enctypes controls the service ticket.
Typical Errors
Poor Granting Ticket (default_tkt_enctypes):
# /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -p host/sol10host1.example.com@EXAMPLE.COM gettgt v2.3.2 - February 2007 keytab: credentials cache: client principal: host/sol10host1.example.com@EXAMPLE.COM service principal: css_gettkt: Key table entry not found while getting initial credentials # echo $? 181
Poor Service Ticket (default_tgs_enctypes):
# /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -s host/sol10host1.example.com getsrvtkt v2.3.2 - February 2007 keytab: credentials cache: client principal: service principal: host/sol10host1.example.com css_gettkt: No credentials found with supported encryption types while getting credentials # echo $? 200 or # /opt/cssi/gettkt_2.3.2/bin/css_gettkt -v -s host/sol10host1.example.com getsrvtkt v2.3.2 - February 2007 keytab: credentials cache: client principal: service principal: host/sol10host1.example.com css_gettkt: KDC has no support for encryption type while getting credentials # echo $? 14
Finding an acceptable encryption type
There are a couple of Windows Knowledge Base articles which seem to suggest that whilst AES is a preferred encryption
http://support.microsoft.com/kb/833708
and
http://support.microsoft.com/kb/961302
Specifically, it says:
AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported.
DES is frowned upon, due to lack of security (56 bits only). So, when generating host keytabs, I want to use RC4 (the only remaining option):
C:\>;ktpass /princ host/rhel5host1.example.com@EXAMPLE.COM \ /ptype KRB5_NT_PRINCIPAL /out C:\temp\rhel5host1.keytab /pass mypass \ /crypto RC4-HMAC-NT /mapuser EXAMPLE\rhel5host1 Targeting domain controller: adserver.example.com Successfully mapped host/rhel5host1.example.com to RHEL5HOST1$. WARNING: Account RHEL5HOST1$ is not a user account (uacflags=0x1021). WARNING: Resetting RHEL5HOST1$'s password may cause authentication problems if RHEL5HOST1$ is being used as a server. Reset RHEL5HOST1$'s password [y/n]? y Password succesfully set! WARNING: pType and account type do not match. This might cause problems. Key created. Output keytab to C:\temp\rhel5host1.keytab: Keytab version: 0x502 keysize 72 host/rhel5host1.example.com@EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xe0c32cda6f6ecc163f442d002bba3daf) # kinit -k # klist -ke Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 3 host/rhel5host1.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)