This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
Remedy Single Sign On
When troubleshooting Kerberos issues, it may be necessary to enable Kerberos event logging (see Microsoft Article http://support.microsoft.com/kb/262177 ) or to use tcpdump, Network Monitor or Wireshark to collect and analyze a packet capture. With any of these methods you may come across the error KDC_ERR_ETYPE_NOTSUPP. The example below is from the Windows Event Viewer:
Log Name: System
Date: 6/27/2019 11:27:24 AM
Event ID: 3
Task Category: None
A Kerberos error message was received: on logon session
Server Time: 16:27:24.0000 6/27/2019 Z
Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP
This and other Kerberos error codes are documented in the Microsoft TechNet article https://blogs.technet.microsoft.com/askds/2012/07/27/kerberos-errors-in-network-captures/
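The following PowerShell is an added example and not part of the BMC article: it turns on the Kerberos client event logging that KB 262177 describes (the LogLevel value under the Lsa\Kerberos\Parameters key) and then pulls the KDC_ERR_ETYPE_NOTSUPP events out of the System log so they can be reviewed in one place. The provider name and the "Server Name:" field parsing assume the Event ID 3 message layout shown above; both are assumptions, and the script simply reports "n/a" when a field is not present.

```powershell
# Added example (not from the BMC article): enable Kerberos client error
# logging per KB 262177 and list the KDC_ERR_ETYPE_NOTSUPP events it produces.
# Run from an elevated PowerShell session on the client that shows the error.

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $kerbParams)) {
    New-Item -Path $kerbParams -Force | Out-Null
}
# LogLevel 1 = write Kerberos errors to the System log; 0 (or absent) = off.
# Leave it on only while troubleshooting: it also logs benign errors such as
# KDC_ERR_PREAUTH_REQUIRED that occur during normal logons.
Set-ItemProperty -Path $kerbParams -Name LogLevel -Value 1 -Type DWord

function Get-KerberosEtypeErrors {
    # Event ID 3 is the client-side "A Kerberos error message was received" event.
    # Provider name is an assumption (it is how the Security-Kerberos source is
    # registered on current Windows versions); adjust if your events differ.
    param([int]$MaxEvents = 50)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 3
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'KDC_ERR_ETYPE_NOTSUPP' } |
        ForEach-Object {
            $msg = $_.Message
            # "Error Code: 0xe KDC_ERR_ETYPE_NOTSUPP" as in the event shown in the article.
            $code = if ($msg -match 'Error Code:\s*(0x[0-9A-Fa-f]+)\s+(\S+)') { "$($Matches[1]) $($Matches[2])" } else { 'n/a' }
            # Server Name (the SPN the ticket was requested for) is present in most
            # Event ID 3 messages; it tells you which service account's keys to check.
            $spn = if ($msg -match 'Server Name:\s*(\S+)') { $Matches[1] } else { 'n/a' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ErrorCode  = $code
                ServerName = $spn
            }
        }
}

Get-KerberosEtypeErrors | Format-Table -AutoSize
```

Reproduce the failing logon after enabling the log, then run the function; the ServerName column tells you whether the request was for the RSSO service SPN (check items 3 and 5 below) or for krbtgt (check the client and domain settings in items 1, 2 and 4). Set LogLevel back to 0 when you are done.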
The KDC_ERR_ETYPE_NOTSUPP error (error code 0xe) specifically means that the client requested a ticket from the KDC with a list of encryption types it supports, and none of them matches an encryption type for which the KDC holds a key for the requested principal. In other words, there is no overlap between the algorithms the client offers and the algorithms the KDC can use for that service account or for the krbtgt account.
1) One common cause is older devices that request DES-encrypted tickets. DES is disabled by default on Windows 7 / Windows Server 2008 R2 and later, so the KDC rejects such requests. Fix the device rather than re-enabling DES: DES is a 56-bit cipher and enabling it lowers the security of every ticket the domain issues.
2) Another common cause is a device that requests AES-encrypted tickets before the domain functional level has been raised to Windows Server 2008 or higher, since AES keys are only issued at that level.
3) When generating a keytab file for your RSSO Kerberos setup, the -crypto option of ktpass specifies which encryption types are written to the keytab. If the keytab only contains an encryption type that the client does not offer (for example RC4 only while the client is configured for AES only), the request fails with this error. The keytab must also match the encryption types the service account itself is allowed to use (see item 5). For more details, see https://communities.bmc.com/people/jechrist/blog/2018/02/28/rsso-kerberos-configuration-troubleshooting
4) On the client side, you can enable or restrict the encryption types Kerberos may use with the registry DWORD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes. This is the value written by the Group Policy setting "Network security: Configure encryption types allowed for Kerberos", so a policy refresh will overwrite any manual change.
The value in this registry entry is a hexadecimal bitmask in which each bit enables or disables one encryption algorithm. To allow any algorithm, set it to 0x7fffffff (all assigned and all reserved bits set). Only the low 5 bits are currently assigned to algorithms; setting the remaining bits ensures that encryption types added in the future are also allowed. The algorithms and their corresponding bit values, as documented by Microsoft for this registry key, are:
DES_CBC_CRC: 0x1
DES_CBC_MD5: 0x2
RC4_HMAC_MD5: 0x4
AES128_CTS_HMAC_SHA1_96: 0x8
AES256_CTS_HMAC_SHA1_96: 0x10
Future encryption types (reserved bits): 0x7ffffe0
So, if you wanted to disable the two DES algorithms for example, you could set the value to 0x7ffffffc.
5) The Kerberos service account used by RSSO may itself be restricted in Active Directory to certain encryption types. To check this, open the service account's properties in Active Directory Users and Computers and look at Account options on the Account tab. Three options are relevant: "Use only Kerberos DES encryption types for this account", "This account supports Kerberos AES 128 bit encryption", and "This account supports Kerberos AES 256 bit encryption". To allow AES encryption, clear the first option and select the other two. These checkboxes set the account's msDS-SupportedEncryptionTypes attribute, which uses the same bit layout as the client-side registry value in item 4. After changing them, make sure the keytab contains keys for the newly enabled types (regenerate it with the matching -crypto option if it does not), otherwise the KDC will issue AES tickets that the RSSO keytab cannot decrypt.
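The PowerShell below is an added example, not code from the BMC article, serving items 4 and 5 together: it decodes the encryption-type bitmask (the same layout is used by the SupportedEncryptionTypes registry value and by the msDS-SupportedEncryptionTypes attribute that the three Account options checkboxes set), reads both the local client value and a service account's value, and computes the overlap between them, which is exactly what the KDC needs to be non-empty to avoid KDC_ERR_ETYPE_NOTSUPP. The account name svc-rsso is a placeholder, the Get-ADUser/Set-ADUser calls assume the ActiveDirectory module is installed, and the two masks used in the worked check are constructed values.

```powershell
# Added example (not from the BMC article): decode, compare and build Kerberos
# encryption-type bitmasks. Bit values are the Microsoft-documented ones for
# SupportedEncryptionTypes / msDS-SupportedEncryptionTypes.
$EtypeBits = [ordered]@{
    DES_CBC_CRC             = 0x01
    DES_CBC_MD5             = 0x02
    RC4_HMAC_MD5            = 0x04
    AES128_CTS_HMAC_SHA1_96 = 0x08
    AES256_CTS_HMAC_SHA1_96 = 0x10
}
$FutureBits = 0x7FFFFFE0   # unassigned bits; set them to allow future etypes

function ConvertFrom-KerberosEtypeMask {
    param([Parameter(Mandatory)][int]$Mask)
    $names = @(foreach ($e in $EtypeBits.GetEnumerator()) {
        if ($Mask -band $e.Value) { $e.Key }
    })
    if ($Mask -band $FutureBits) { $names += 'FUTURE_ETYPES' }
    [pscustomobject]@{ Mask = ('0x{0:X8}' -f $Mask); Enabled = $names }
}

function New-KerberosEtypeMask {
    # Build a mask from algorithm names, e.g. AES only, optionally with the
    # reserved bits set so that future encryption types are also permitted.
    param([string[]]$Enable, [switch]$AllowFuture)
    $mask = 0
    foreach ($n in $Enable) {
        if (-not $EtypeBits.Contains($n)) { throw "Unknown encryption type: $n" }
        $mask = $mask -bor $EtypeBits[$n]
    }
    if ($AllowFuture) { $mask = $mask -bor $FutureBits }
    $mask
}

function Get-CommonKerberosEtypes {
    # The KDC can only issue a ticket with an etype both sides allow; an empty
    # result here is the condition that produces KDC_ERR_ETYPE_NOTSUPP.
    param([int]$ClientMask, [int]$AccountMask)
    (ConvertFrom-KerberosEtypeMask -Mask ($ClientMask -band $AccountMask)).Enabled
}

# The article's example value 0x7FFFFFFC: everything except the two DES types.
ConvertFrom-KerberosEtypeMask -Mask 0x7FFFFFFC

# Worked check with constructed masks: a client hardened to AES plus future types
# against a service account (or keytab) that was generated RC4-only.
$clientAesOnly = New-KerberosEtypeMask -Enable AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96 -AllowFuture
$accountRc4Only = New-KerberosEtypeMask -Enable RC4_HMAC_MD5
$common = Get-CommonKerberosEtypes -ClientMask $clientAesOnly -AccountMask $accountRc4Only
if ($common.Count -eq 0) {
    Write-Warning 'No common encryption type: expect KDC_ERR_ETYPE_NOTSUPP for this client/account pair'
}

# Item 4: what this client currently allows (absent value = Windows defaults apply).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$local = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -ne $local) { ConvertFrom-KerberosEtypeMask -Mask $local } else { 'SupportedEncryptionTypes not set; OS default applies' }

# Item 5: what the RSSO service account allows ('svc-rsso' is a placeholder).
$acct = Get-ADUser -Identity 'svc-rsso' -Properties msDS-SupportedEncryptionTypes
$acctMask = $acct.'msDS-SupportedEncryptionTypes'
if ($null -ne $acctMask) { ConvertFrom-KerberosEtypeMask -Mask ([int]$acctMask) } else { 'msDS-SupportedEncryptionTypes not set; KDC default applies' }

# Equivalent of ticking both AES boxes and clearing the DES-only box; uncomment to apply.
# $aesOnly = New-KerberosEtypeMask -Enable AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
# Set-ADUser -Identity 'svc-rsso' -Replace @{ 'msDS-SupportedEncryptionTypes' = $aesOnly }
```

When the overlap is empty, prefer to raise the weaker side (regenerate the keytab and account keys with AES, tick the AES boxes) rather than re-enable DES or RC4 on the client; the Set-ADUser line is the programmatic form of the checkbox change in item 5, and a keytab regenerated afterwards with -crypto AES256-SHA1 (or AES128-SHA1) will match it.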