Disabling support for LOW encryption ciphers

Similar Messages

• JDBC Thin Driver Support for Data Encryption and Integrity

  Hello JDev Team,
  I am trying to implement JDBC Thin Driver Support for Data Encryption and Integrity.
  It works fine with java.sql.Connection and java.util.Properties like in the following code:
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  Properties props = new Properties();
  int level = AnoServices.REQUIRED;
  props.put("oracle.net.encryption_client", Service.getLevelString(level));
  props.put("oracle.net.encryption_types_client", "( RC4_40 )");
  props.put("oracle.net.crypto_checksum_client",Service.getLevelString(level));
  props.put("oracle.net.crypto_checksum_types_client", "( MD5 )");
  Connection conn = DriverManager.getConnection ("jdbc:oracle:thin:@localhost:1521:main", props);
  etc...
  But I am developing an application with InfoSwing components and it has a different way to connect to Oracle database using oracle.dacf.dataset.connections.Connection, like this:
  sessionInfo1.setAppModuleInfo(new ModuleInfo("bc", "BcModule"));
  sessionInfo1.setConnectionInfo(new LocalConnection("JDBCThin"));
  sessionInfo1.publishSession();
  My question is:
  Is there any way to implement DataEncryption and Integrity into this type of connection?
  Thanks a lot in advance.
  Victor Bykov
  null

  Victor,
  No, you can't do this from DAC, but I've been discussing it with the developer, and we both think this capability would be useful to have, so I've logged it as an enhancement request.
  I do have a question for you. Once you've made the JDBC connection, do you need access to the Connection object afterwards? We're thinking of how the change could be implemented, and one way would be to allow you to pass in a Properties object when creating your own NamedConnection.
  Thanks
  Blaise

• Is it possible to disable support for VLV indexes?

  Is it possible to disable the support for VLV indexes?
  We have an application which tries to do VLV searches. We dont' have and don't want to set up any VLV index. Would it be possible to just disable support for them? Make ODSEE not advertise the control and just return "unsupported control" to the client?
  thanks - mo

  I think there are a couple of ways to go about this.
  IIRC the VLV control ought to exist under your config suffix as a "feature". If you look at the documentation for setting up a VLV index, you should see where the VLV configuration objects exist. One common problem users run into with the VLV objects is that they are governed by access control. That is, the bound user has to have permissions to the VLV config object in order to use the control. So - assuming you are using a version of the server that still uses this design - you should be able to disallow VLV control use by any user other than the rootdn (Directory Manager).
  If your application is querying the root dse and checking whether the VLV control is supported (and then obeying what it sees there) you might be able to change the list of supported controls being returned on the root dse. I'm not sure exactly how to do this since I don't recall seeing the supported control attributes in dse.ldif, but my memory is spotty on that. In any case this solution would rely on the good behavior of your clients.
  Actually, if the bound user does not have permission to use the control, there might be an argument to make that the server shouldn't return the control as supported when the root dse is queried by that user.
  The best solution is probably a combination of the two complemented (ideally) with modification to the client that prevents it from sending the VLV control. Since presumably the client is sending the VLV in order to accomplish a client side task, simply causing the VLV to fail may not produce the best results from the end user's perspective.

• SUPPORT FOR MAPI ENCRYPTED

  Hello,
  ¿Does Cisco support acceleration of MAPI Encrypted traffic with WAAS solution?
  ¿Are there any plans to support this funcionality?
  Thanks

  The encrypted MAPI feature is in extended beta trials. You must contact [email protected]
  with your Cisco account team on the CC for approvals, before enabling  this feature. Only approved customers will be supported for beta  evaluations. The encrypted MAPI feature will be made generally available  in a following release.
  source:
  http://www.cisco.com/en/US/docs/app_ntwk_services/waas/waas/v501/release/notes/ws501xrn.html
  BR,

• Cannot open a single project after disabling support for project professional 2007

  We use SharePoint/Project Server 2010.  I have a single project on the Project Server (PS) that fails to open in Project Professional (PP). The project is editable in PWA, but PP closes it as soon as it opens it (ie that's what the status window is
  displaying, I basically get a blank screen in PP after "opening" the project, and when closing it does not have anything to save/check in). The only recent change I made was disable PP 2007 support.  I reviewed several posts so here are
  some thoughts: I am currently not using backups, so cannot restore, the server name is already in the trusted list.  Any way to retrieve this project from the server (or directly from DB)?

  Hi Wwodzien,
  It might be because of duplicate RES_OPTINDX values. Please install following KB and check the behaviour.
  http://support.microsoft.com/kb/2687386/en-us
  Note:- I would suggest you to test this in a test environment first.
  Happy troubleshooting....
  Vikram Daruru - MSFT

• How to disable user for disk encryption unlock

  When I add an account that user is added to the list of enabled users when first booting a disk protected with Filevault2. I only want the master password to unlock disk encryption. I don't want to list admin or standard accounts. Is this possible?

  This sounds like two different questions:
  1. I only want the master password to unlock disk encryption.
  This isn't possible to my knowledge.
  2. I don't want the EFI bootloader to list all accounts upon first powering up the machine
  Despite many customers' pleas, Apple has not changed the 'list all usernames' feature on first boot... however, waking from sleep, logging out or fast user switching to honor this request (when set in System Preferences).  There are several discussion forums previously attempting to solve this issue, but no concrete solution yet.

• 10.10.3 breaks support for ATI video cards

  The 10.10.3 update has broken support for a bunch of ATI video cards that worked just fine under 10.10.2. This is for my Mac Pro 5,1. Some folks also reported issues with breaking support for Nvidia cards, but have mentioned that the latest Nvidia beta drivers might work.
  There is a thread that may be found here that has some details:
  OS X 10.10.3 Update
  and here (reverting back to 10.10.2 fixes things):
  http://forums.macrumors.com/showthread.php?t=1864352
  Specifically, my Visiontek Eyefinity 6 7750 stopped working, and another users Radeon 7770 stopped working.  Yet, the 7970 continues to work.  Reverting to the old ATI 5770 that came with the machine renders it usable. This is a problem as the 7750 only took a single slot, and the two 5770s eat up 3 slots so I can't use my USB 3 card, etc.
  I remember this once happened before.  I think it was with the 10.9.2 update which borked a bunch of video cards that worked fine under 10.9.1, and then were again made to work just fine with the 10.9.3 update.
  All the 'standard' fixes have been attempted.  Clean installs.  Fix permissions. Etc.
  Not sure why apple would seemingly disable support for these cards, other than by accident, I assume, much like happened with the 10.9.2 update.
  Also not sure if just copying the correct driver from 10.10.2 might solve the problem until Apple get's around to fixing the issue.  Has anyone tried?  Any suggestions would be appreciated.  Thanks!

  Hi, i am using dual Cinema Display 30 and 23 with a HIS ATI 7750 1 GB on a Mac Pro 3.1. Post upgrade from 10.10.2 to 10.10.3 my display eded unusable blurry. Therefore I have tried to replace the 10.10.3 kext with the previous 10.10.2. But it did not work out as expected. I managed to get some video output but no acceleration at all. Therefore the system is unusable. Therefore i full downgraded to 10.10.2 now.
  Never the less it might be a good starting point for someone to get acceleration running. This is what I did:
  I have to set the nvram variable kext-dev-mode=1, but be warned this will allow any unsigned > .kext to load, including rootlets, malware, etc.
  I did this in order to allow me to modify the kext if necessary and to ensure that if 10.10.2 kext might be locked that they still be loaded and the computer will not be prevented from boot.
  sudo nvram boot-args="kext-dev-mode=1"
  sudo shutdown -r now
  Post this i copied from my other Mac running 10.10.2 the file /System/Library/Extensions/AMDRadeonX4000.kext to my Mac Pro 3.1 running 10.10.3 with no proper video output. Basically i copied all ATI related kext from one mac to the other.
  copied  [MAC10.10.2]/System/Library/Extensions/ATI* ----> [MAC10.10.3]/System/Library/Extensions/ATI*
  copied  [MAC10.10.2]/System/Library/Extensions/AMD* ----> [MAC10.10.3]/System/Library/Extensions/AMD*
  someone needs to do a diff here to identify the file with is necessary the only one i found with a significant change seems to be AMDRadeonX4000.kext
  I forced to rebuild kext cache manually
  sudo touch /System/Library/Extensions
  sudo kextcache -m /System/Library/Caches/com.apple.kext.caches/Startup/Extensions.mkext /System/Library/Extensions
  And reboot!
  sudo shutdown -r now
  After the reboot I had  display output but no acceleration at all. Seeing the video out put made me happy but the system is unusable to to the lack of acceleration of the display. I am really looking forward for Apple to fix the update and to reapply support for the ATI GPUs hence it allows to save environmental resources to keep good products like the Mac Pro 3.1 running...

• Support for TLSv1.1

  Hello,
  Because "TLSv1.1" is listed as a SSLContext Algorithm (https://cis.med.ucalgary.ca/http/java.sun.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext)
  i have been trying to specify it in my code as shown below:
  SSLContext sc = SSLContext.getInstance("TLSv1.1");
  sc.init(kmFact.getKeyManagers(), tmFact.getTrustManagers(), null);
  But i get the following instead:
  java.security.NoSuchAlgorithmException: TLSv1.1 SSLContext not available
       at sun.security.jca.GetInstance.getInstance(Unknown Source)
       at javax.net.ssl.SSLContext.getInstance(Unknown Source)
  I am using JDK1.6.0_4. Does it support TLSv1.1? Or do I find another provider (if there is one)?
  Thanks

  I am sorry.... in fact i was reading the wrong doc.... here is the one from java6 spec
  The JSSE API is capable of supporting SSL versions 2.0 and 3.0 and Transport Layer Security (TLS) 1.0. These security protocols encapsulate a normal bidirectional stream socket and the JSSE API adds transparent support for authentication, encryption, and integrity protection. The JSSE implementation shipped with Sun's JRE supports SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.
  Link
  nevertheless TLS1.1 is not implemented by java1.6 as well....
  thanks ejp... for the correction....

• Help Please: how to set JDBC properties for data encryption in BC4J

  Hello,
  I am trying to implement JDBC Thin Driver Support for Data Encryption and Integrity.
  With java.sql.Connection and java.util.Properties, one would do something like the following code:
  DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
  Properties props = new Properties();
  int level = AnoServices.REQUIRED;
  props.put("oracle.net.encryption_client", Service.getLevelString(level));
  props.put("oracle.net.encryption_types_client", "( RC4_40 )");
  props.put("oracle.net.crypto_checksum_client",Service.getLevelString(level));
  props.put("oracle.net.crypto_checksum_types_client", "( MD5 )");
  Connection conn = DriverManager.getConnection ("jdbc:oracle:thin:@localhost:1521:main", props);
  But, how can we do this with BC4J objects? Can we set this properties via EnvInfoProvider class? Please help. Thank you very much in advance.
  Zhirong

  Hi,
  Try adding the code in the PBO part of your custom program used for the custom screen which you have created and added inside the BADI.
  Regards,
  Harish

• Disable weak ciphers and support for all SSL protocols prior to v3.

  I am very new to Weblogic and I need a little help with the SSL configurations. I received a security audit back and discovered that Weblogic's SSL is running weak ciphers and also supporting unacceptable versions of SSL (we require a minimum of SSLv3 and need to deny connections with anything less). That said, can anyone point me in the right direction for disabling weak ciphers as well as forcing support for SSLv3 and up only for client connections. I am running Weblogic 10.3.
  Edited by: David Pulliam on Jan 26, 2011 8:31 AM

  Hi David,
  -Dweblogic.security.SSL.protocolVersion=SSL3 —> Using this JAVA_OPTION will allow Only SSL V3.0 messages are sent and accepted. So add the mentioned JAVA_OPTION in the server start script along with the below OPTION:
  -Dweblogic.security.disableNullCipher=true
  Also you can do the following in your "config.xml" to make sure that the Weblogic will not accept weak and medium weak passwords:
  <ssl>
         <enabled>true</enabled>
        <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
        <ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
        <hostname-verification-ignored>true</hostname-verification-ignored>
        <listen-port>7002</listen-port>
        <server-private-key-alias>aliasHere</server-private-key-alias>
        <server-private-key-pass-phrase-encrypted>encryptedpassphraseHere</server-private-key-pass-phrase-encrypted>
  </ssl>Thanks
  Jay SenSharma
  http://middlewaremagic.com/weblogic (Middleware magic Is Here)

• Problem: KDC has no support for encryption type (14)

  hi, I have dealing the problem for long time and no response in bea forum.
  I feel very exhausted when checking mit's kerberos mailist and sun forum. Any try every method they provide but not success.
  first I generate the keytab using w2k's ktpass
  ktpass -princ HTTP/[email protected] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
  and it turn out to be successful.
  My W2KSP4 KDC Config is:
  c:\winnt\krb5.ini-----------------------------
  [libdefaults]
  default_realm = DLSVR.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  ticket_lifetime = 600
  [realms]
  DLSVR.COM = {
  kdc = 192.168.2.231
  admin_server = dlserver
  default_domain = DLSVR.COM
  [domain_realm]
  .dlsvr.com= DLSVR.COM
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  i also set des type in AD Accout and also reset password after that
  i create my keytab using des-cbc-crc as you can see in the log below :
  <2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
  KeyTab: load() entry length: 50
  KeyTabInputStream, readName(): DLSVR.COM
  KeyTabInputStream, readName(): host
  KeyTabInputStream, readName(): weblogic
  KeyTab: load() entry length: 44
  KeyTabInputStream, readName(): dlsvr.com
  KeyTabInputStream, readName(): weblogic
  EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
  crc32: e9889c7a
  crc32: 11101001100010001001110001111010
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  KrbAsReq etypes are: 1
  KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
  KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
  KrbKdcReq send: #bytes read=1217
  KrbKdcReq send: #bytes read=1217
  EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
  crc32: 54c176ae
  crc32: 1010100110000010111011010101110
  KrbAsRep cons in KrbAsReq.getReply host/weblogicFound key for host/[email protected]
  Entered Krb5Context.acceptSecContext with state=STATE_NEW
  <2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no
  support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProvider
  Impl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  So i don't know why win2k's KDC not support the des-cbc-crc,
  Any Help or Clue woud be highly appreciated!
  david

  Exception was: javax.naming.AuthenticationException: KDC has no support for encryption type (14) [Root exception is KrbException: KDC has no support for encryption type (14)]
  at com.sco.tta.server.security.java14.KerberosAuth.login(KerberosAuth.java:286)
  at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:39 0)
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Name: allowtgtsessionkey
  Value Type: REG_DWORD
  Value: 0x01 ( default is 0 )
  By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.

• Is Weblogic 11g supports for Kerberos AES/RC4 Encryption on Windows 2008 R2

  Is Weblogic 11g supports for Kerberos AES/RC4 Encryption on Windows 2008 R2?
  Thanks,

  DES is disabled by default on 2008, could this DC be a Windows 2003?  If so then this would be the expected encyption.
  The following is the list of the encryption available for each Windows system
  Windows 2000,  XP,Windows Server 2003:     
  DES, RC4          
           Vista
  , Windows Server 2008:      DES, RC4,AES          
           Windows 7 and  Windows Server  2008 R2:     DES(disabled by default), RC4,AES
  From:
  http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.

• Command-line support for encrypted images

  Hi,
  Is there any support in asr for performing restores using an encrypted image directly? I can't seem to find anything. It isn't much of a burden I guess to mount the image and then use it (now that I know that, anyway), but it seems like an oversight that asr can't just be given a password directly.
  Similarly for hdiutil, it has some support for encrypted images, but some things seem to be missing. At the very least you can't convert an encrypted image into an unencrypted image because convert doesn't understand that.
  Are these known issues? Are there plans to add this functionality? Or is it considered unnecessary since there's other ways around it?
  tom

  Sorry for my ignorance, when you say you installed every driver in there are you referring to adding them to the driver database or to your bootwim. Also if you cant grab the logs you might be able to get a report based on an unknown system, look in reporting
  under "History of a task sequence deployment on a computer" if there was anything recorded before it bombed out you might be able to get some info. 
  Im still leaning towards a network driver though, can you snap an image of the drivers you have loaded into your preferred bootwim.

• KDC has no support for encryption type (14)

  I have come across a posting on "KDC has no support for encryption type (14)" - " http://www.webservertalk.com/message1277232.html"
  and believe that I am hitting the same problem. However, there is no solution. Can anybody help?
  I have done all the necessary steps suggested, including changing the registry and removing the unwanted SPN, but the error still there. The only different is probably I combined WebLogic and AD in one machine. But, does that make any difference?
  Client
  ====
  Name: ssoclient.ssow2k.com
  OS: Win XP SP2
  Server
  =====
  Name: ssow2kserver.ssow2k.com
  OS: Windows 2000 Advanced Server SP4
  WLS: BEA WebLogic 8.1.4
  <<Registry>>
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Name: allowtgtsessionkey
  Value Type: REG_DWORD
  Value: 0x01
  The following is the WebLogic myserver log for your reference:
  ========================================================================================
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=console, contextPath=/console, uri=/*>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Admin>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Operator>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Deployer>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Monitor>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(Admin,Operator,Deployer,Monitor)}>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(Admin,Operator,Deployer,Monitor)} successfully deployed for resource type=<url>, application=console, contextPath=/console, uri=/*>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
  ####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
  ####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
  ####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext (GSSContextImpl.java:246)
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity (SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm (CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  ####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Exception weblogic.security.providers.utils.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  weblogic.security.providers.utils.NegotiateTokenException : GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:419)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity (PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java :199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute (ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  ========================================================================================
  The following are some krb5 packets captured. I suspected it is due to the encryption type used - RC4-HMAC:
  ========================================================================================
  KRB5 (AS-REQ)
  ============
  No. Time Source Destination Protocol Info
  125 10.301166 10.122.1.2 10.122.1.200 KRB5 AS-REQ
  Frame 125 (345 bytes on wire, 345 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.848903000
  Time delta from previous packet: 0.008330000 seconds
  Time since reference or first frame: 10.301166000 seconds
  Frame Number: 125
  Packet Length: 345 bytes
  Capture Length: 345 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Source: 10.122.1.2 (00:0c:29:17:9a:be)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 331
  Identification: 0x0158 (344)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x208d [correct]
  Source: 10.122.1.2 (10.122.1.2 )
  Destination: 10.122.1.200 (10.122.1.200)
  User Datagram Protocol, Src Port: 1075 (1075), Dst Port: kerberos (88)
  Source port: 1075 (1075)
  Destination port: kerberos (88)
  Length: 311
  Checksum: 0x1133 [correct]
  Kerberos AS-REQ
  Pvno: 5
  MSG Type: AS-REQ (10)
  padata: PA-ENC-TIMESTAMP PA-PAC-REQUEST
  Type: PA-ENC-TIMESTAMP (2)
  Type: PA-PAC-REQUEST (128)
  KDC_REQ_BODY
  Padding: 0
  KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
  Client Name (Principal): ssouser
  Realm: SSOW2K.COM
  Server Name (Service and Instance): krbtgt/SSOW2K.COM
  till: 2037-09-13 02:48:05 (Z)
  rtime: 2037-09-13 02:48:05 (Z)
  Nonce: 1870983219
  Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
  Encryption type: rc4-hmac (23)
  Encryption type: rc4-hmac-old (-133)
  Encryption type: rc4-md4 (-128)
  Encryption type: des-cbc-md5 (3)
  Encryption type: des-cbc-crc (1)
  Encryption type: rc4-hmac-exp (24)
  Encryption type: rc4-hmac-old-exp (-135)
  HostAddresses: SSOCLIENT<20>
  KRB5 (AS-REP)
  ============
  No. Time Source Destination Protocol Info
  126 10.303156 10.122.1.200 10.122.1.2 KRB5 AS-REP
  Frame 126 (1324 bytes on wire, 1324 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.850893000
  Time delta from previous packet: 0.001990000 seconds
  Time since reference or first frame: 10.303156000 seconds
  Frame Number: 126
  Packet Length: 1324 bytes
  Capture Length: 1324 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
  Destination: 10.122.1.2 (00:0c:29:17:9a:be)
  Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1310
  Identification: 0x0a0f (2575)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1403 [correct]
  Source: 10.122.1.200 (10.122.1.200)
  Destination: 10.122.1.2 (10.122.1.2)
  User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1075 (1075)
  Source port: kerberos (88)
  Destination port: 1075 (1075)
  Length: 1290
  Checksum: 0xb637 [correct]
  Kerberos AS-REP
  Pvno: 5
  MSG Type: AS-REP (11)
  Client Realm: SSOW2K.COM
  Client Name (Principal): ssouser
  Ticket
  enc-part rc4-hmac
  Encryption type: rc4-hmac (23)
  Kvno: 1
  enc-part: E3610239EACDD0E6D4E89AA7D81A355F6C93B95D95B13B56...
  KRB5 (TGS-REQ)
  ============
  No. Time Source Destination Protocol Info
  127 10.309350 10.122.1.2 10.122.1.200 KRB5 TGS-REQ
  Frame 127 (1307 bytes on wire, 1307 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.857087000
  Time delta from previous packet: 0.006194000 seconds
  Time since reference or first frame: 10.309350000 seconds
  Frame Number: 127
  Packet Length: 1307 bytes
  Capture Length: 1307 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Source: 10.122.1.2 (00:0c:29:17:9a:be)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1293
  Identification: 0x0159 (345)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1cca [correct]
  Source: 10.122.1.2 (10.122.1.2)
  Destination: 10.122.1.200 ( 10.122.1.200)
  User Datagram Protocol, Src Port: 1076 (1076), Dst Port: kerberos (88)
  Source port: 1076 (1076)
  Destination port: kerberos (88)
  Length: 1273
  Checksum: 0xd085 [correct]
  Kerberos TGS-REQ
  Pvno: 5
  MSG Type: TGS-REQ (12)
  padata: PA-TGS-REQ
  Type: PA-TGS-REQ (1)
  KDC_REQ_BODY
  Padding: 0
  KDCOptions: 40800000 (Forwardable, Renewable)
  Realm: SSOW2K.COM
  Server Name (Service and Instance): HTTP/ssow2kserver.ssow2k.com
  till: 2037-09-13 02:48:05 (Z)
  Nonce: 1871140380
  Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
  Encryption type: rc4-hmac (23)
  Encryption type: rc4-hmac-old (-133)
  Encryption type: rc4-md4 (-128)
  Encryption type: des-cbc-md5 (3)
  Encryption type: des-cbc-crc (1)
  Encryption type: rc4-hmac-exp (24)
  Encryption type: rc4-hmac-old-exp (-135)
  KRB5 (TGS-REP)
  ============
  No. Time Source Destination Protocol Info
  128 10.310791 10.122.1.200 10.122.1.2 KRB5 TGS-REP
  Frame 128 (1290 bytes on wire, 1290 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.858528000
  Time delta from previous packet: 0.001441000 seconds
  Time since reference or first frame: 10.310791000 seconds
  Frame Number: 128
  Packet Length: 1290 bytes
  Capture Length: 1290 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
  Destination: 10.122.1.2 (00:0c:29:17:9a:be)
  Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1276
  Identification: 0x0a10 (2576)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1424 [correct]
  Source: 10.122.1.200 (10.122.1.200)
  Destination: 10.122.1.2 (10.122.1.2)
  User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1076 (1076)
  Source port: kerberos (88)
  Destination port: 1076 (1076)
  Length: 1256
  Checksum: 0x1318 [correct]
  Kerberos TGS-REP
  Pvno: 5
  MSG Type: TGS-REP (13)
  Client Realm: SSOW2K.COM
  Client Name (Principal): ssouser
  Ticket
  enc-part rc4-hmac
  Encryption type: rc4-hmac (23)
  Kvno: 1
  enc-part: 4D2A9E8590CC716EA6571B093B6FAF89537B0B89F832C073...
  ========================================================================================
  Can anybody enlighten me on how you solve this problem? Thanks.

  I ran into this error and caught the error code to remind me to edit the registry.
  if (sError.contains("KDC has no support for encryption type (14)")){
                      JOptionPane.showMessageDialog(null,"Error " + ThisErrorCode.myErrorCode() + '\n' +
                      " http://support.microsoft.com/default.aspx?scid=kb;en-us;308339" + '\n' + '\n' +
                      "There is a known issue involving Windows clients running Windows 2000 SP4, XP SP2." + '\n' +
                      "To avoid the error, administrators need to update the Windows registry." + '\n' +
                      "The registry key, allowtgtsessionkey, should be added, and its value set correctly" + '\n' +
                      "to allow session keys to be sent in the Kerberos Ticket-Granting Ticket." + '\n' + '\n' +
                      "Windows XP SP2, add the registry entry:" + '\n' +
                      "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\" + '\n' +
                      "Value Name: allowtgtsessionkey" + '\n' +
                      "Value Type: REG_DWORD" + '\n' +
                      "Value: 0x01" ,null, JOptionPane.ERROR_MESSAGE);
                      System.exit(-1);

• WebLogic SSO receiving "KDC has no support for encryption type (14)" error

  Hello,
  I am trying to implement SSO using an Off-the-Shelf app running on WebLogic, but receiving "KDC has no support for encryption type (14)" error. I have set the AD Server to “Use DES encryption types for this account” . I have added 'allowtgtsessionkey' registry entry on the client machine as well as the Windows Server on which WebLogic is running. My klist results on the client machine still seems to indicate AD is sending RC4 encryption format (please confirm looking at the results below). I am also attaching the WebLogic error log. I am slo seeing 2 errors at the very beginning of the WebLogic log when I restart the appserver.
  % KLIST output
  C:\Program Files\Resource Kit>klist tickets
  Cached Tickets: (2)
  Server: krbtgt/[email protected]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 8/27/2008 1:52:56
  Renew Time: 9/2/2008 15:52:56
  Server: HTTP/[email protected]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 8/27/2008 1:52:56
  Renew Time: 9/2/2008 15:52:56
  % WebLogic Error
  <Aug 28, 2008 8:43:02 AM MDT> <Debug> <SecurityDebug> <000000> <java.security.krb5.realm was not defined, this could cause problems using Kerberos for negotiation>
  <Aug 28, 2008 8:43:02 AM MDT> <Debug> <SecurityDebug> <000000> <java.security.krb5.kdc was not defined, this could cause problems using Kerberos for negotiation>
  <Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <Default Authorization isAccessAllowed(): returning PERMIT>
  <Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <DefaultAdjudicatorImpl.adjudicate results: PERMIT >
  <Aug 26, 2008 8:26:18 AM MDT> <Debug> <SecurityDebug> <000000> <AuthorizationManager.isAccessAllowed returning adjudicated: true>
  <Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
  <Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
  Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null KeyTab is devmax01.http.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  KeyTab: load() entry length: 60
  KeyTabInputStream, readName(): DEV.DENVERWATER.ORG
  KeyTabInputStream, readName(): HTTP
  KeyTabInputStream, readName(): devmax01principal's key obtained from the keytab
  principal is HTTP/[email protected]
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  KrbAsReq etypes are: 3 1 1
  KrbKdcReq send: kdc=10.143.60.1 UDP:88, timeout=30000, number of retries =3, #bytes=252
  KDCCommunication: kdc=10.143.60.1 UDP:88, timeout=30000,Attempt =1, #bytes=252
  KrbKdcReq send: #bytes read=1311
  KrbKdcReq send: #bytes read=1311
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
  KrbAsRep cons in KrbAsReq.getReply HTTP/devmax01Added server's keyKerberos Principal HTTP/[email protected] Version 4key EncryptionKey: keyType=3 keyBytes (hex dump)=
  0000: B3 86 A4 E5 83 0E 6D 9E
  [Krb5LoginModule] added Krb5Principal HTTP/[email protected] to Subject
  Commit Succeeded
  Found key for HTTP/[email protected]
  Entered Krb5Context.acceptSecContext with state=STATE_NEW
  <Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> < GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  <Aug 26, 2008 8:26:27 AM MDT> <Debug> <SecurityDebug> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>

  dins wrote:Do you think the klist output in my original posting confirms that AD is not encrypting tickets in DES format ?Yes, the current line prove it :
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)The fact is that Microsoft seems to use by default the RC4-HMAC-MD5 encryption type for AD.
  Try to specify only des for encryption type in both your krb5.conf
  [libdefaults]
      default_realm = ...
      default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      ...and kdc.conf
  [realms]
     REALM = {
          kadmind_port = ...
          max_life = ...
          max_renewable_life = ...
          master_key_type = ddes-cbc-md5 des-cbc-crc des3-cbc-sha1
          supported_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
          kdc_supported_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
      }If it still does not work, I'm out of ammo ;-).