RSSO Kerberos error KDC_ERR_ETYPE_NOTSUPP

Version 4

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy Single Sign On


    COMPONENT:

    Remedy Single Sign On



    PROBLEM:

    When troubleshooting Kerberos issues, it may be necessary to enable Kerberos event logging (see Microsoft article http://support.microsoft.com/kb/262177) or to use tcpdump, Network Monitor or Wireshark to collect and analyze a packet capture. With any of these methods, you may come across the error KDC_ERR_ETYPE_NOTSUPP. The example below is from the Windows Event Viewer:

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          6/27/2019 11:27:24 AM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ********
    Description:
    A Kerberos error message was received: on logon session
    Client Time:
    Server Time:   16:27:24.0000 6/27/2019 Z
    Error Code:    0xe KDC_ERR_ETYPE_NOTSUPP


    This and other errors are documented on the Microsoft Technet article https://blogs.technet.microsoft.com/askds/2012/07/27/kerberos-errors-in-network-captures/


    CAUSE:

    The KDC_ERR_ETYPE_NOTSUPP error specifically means that the client device has requested a ticket from the KDC and none of the encryption algorithms the client offered for this ticket match the algorithms the KDC can use to issue it.


    SOLUTION:

    1) One common cause of this is older devices that are requesting DES encrypted tickets.

    2) Another common cause of this is a device requesting AES-encrypted tickets before the functional level of the domain has been raised to 2008 or higher.

    3) When generating a keytab file to use in your RSSO Kerberos setup, the -crypto option can be used to specify which algorithms should be supported. It is possible that the keytab file requires an algorithm that the client does not support. For more details, see https://communities.bmc.com/people/jechrist/blog/2018/02/28/rsso-kerberos-configuration-troubleshooting

    4) On the client side, it is possible to enable or restrict certain algorithms for use by Kerberos using the registry DWORD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
    The value in this registry entry is a hexadecimal bitmask in which each bit enables or disables one encryption algorithm. To allow any algorithm, this can be set to 7fffffff (all bits set to 1). Only the first 5 bits are currently assigned to algorithms, so setting the remaining bits to 1 ensures support for future algorithms. The algorithms and their corresponding bit values are below:
    DES-CBC-CRC               0x01
    DES-CBC-MD5               0x02
    RC4-HMAC                  0x04
    AES128-CTS-HMAC-SHA1-96   0x08
    AES256-CTS-HMAC-SHA1-96   0x10

    So, if you wanted to disable the two DES algorithms for example, you could set the value to 0x7ffffffc.

    5) It is possible that the Kerberos service account in use by RSSO has restrictions on which algorithms it can use. This is set at the Active Directory level. To check this, go to the service account properties in AD and check the Account Options on the Account tab. There are 3 relevant options: "Use only Kerberos DES encryption types for this account", "This account supports Kerberos AES 128 bit encryption", and "This account supports Kerberos AES 256 bit encryption". To allow AES encryption, uncheck the first option and check the other two.
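    The following is an added worked example, not part of the BMC article, covering steps 4 and 5: it decodes the SupportedEncryptionTypes bitmask, reproduces the article's DES-disabling calculation (0x7fffffff to 0x7ffffffc), and checks whether a client mask and a service account mask share at least one encryption type. The AD attribute msDS-SupportedEncryptionTypes, which the Account Options checkboxes in step 5 influence, uses the same bit layout; the client and account values in the scenario at the bottom are constructed for illustration.

```python
# Added example (not from the BMC article): work with the SupportedEncryptionTypes
# bitmask from step 4 and compare a client mask with a service account mask. The AD
# attribute msDS-SupportedEncryptionTypes uses the same bit layout as the registry DWORD.

# Bit values exactly as listed in the article
ETYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
ALL_BITS = 0x7FFFFFFF          # the article's "allow any algorithm" value
ASSIGNED_BITS = sum(ETYPES)    # 0x1F: only these five bits name a real algorithm today


def decode(mask: int) -> list[str]:
    """Return the names of the encryption types enabled in a 32-bit mask."""
    return [name for bit, name in sorted(ETYPES.items()) if mask & bit]


def disable(mask: int, *names: str) -> int:
    """Clear the bits for the named encryption types and keep every other bit as-is."""
    by_name = {name: bit for bit, name in ETYPES.items()}
    for name in names:
        mask &= ~by_name[name]
    return mask & 0xFFFFFFFF


def common_etypes(client_mask: int, account_mask: int) -> list[str]:
    """Encryption types both the client and the service account allow.

    An empty result means the KDC has no algorithm it can issue the ticket with
    that the client also accepts, which is the mismatch behind KDC_ERR_ETYPE_NOTSUPP.
    """
    return decode(client_mask & account_mask & ASSIGNED_BITS)


if __name__ == "__main__":
    # Article example: start from 0x7fffffff and drop both DES types -> 0x7ffffffc
    no_des = disable(ALL_BITS, "DES-CBC-CRC", "DES-CBC-MD5")
    print(f"client mask without DES: 0x{no_des:08x} -> {decode(no_des)}")
    # Constructed scenario: a legacy client limited to DES (0x03) against an account
    # that only has the two AES options checked (0x18). No shared type.
    print("shared with DES-only client:", common_etypes(0x03, 0x18))
    print("shared with AES-capable client:", common_etypes(no_des, 0x18))
```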




    Article Number:

    000171695


    Article Type:

    Solutions to a Product Problem


