WebLogic SSO receiving "KDC has no support for encryption type (14)" error

Similar Messages

• KDC has no support for encryption type (14)

  I have come across a posting on "KDC has no support for encryption type (14)" - " http://www.webservertalk.com/message1277232.html"
  and believe that I am hitting the same problem. However, there is no solution. Can anybody help?
  I have done all the necessary steps suggested, including changing the registry and removing the unwanted SPN, but the error still there. The only different is probably I combined WebLogic and AD in one machine. But, does that make any difference?
  Client
  ====
  Name: ssoclient.ssow2k.com
  OS: Win XP SP2
  Server
  =====
  Name: ssow2kserver.ssow2k.com
  OS: Windows 2000 Advanced Server SP4
  WLS: BEA WebLogic 8.1.4
  <<Registry>>
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Name: allowtgtsessionkey
  Value Type: REG_DWORD
  Value: 0x01
  The following is the WebLogic myserver log for your reference:
  ========================================================================================
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=console, contextPath=/console, uri=/*>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Admin>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Operator>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Deployer>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: Monitor>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(Admin,Operator,Deployer,Monitor)}>
  ####<Apr 6, 2006 2:55:20 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(Admin,Operator,Deployer,Monitor)} successfully deployed for resource type=<url>, application=console, contextPath=/console, uri=/*>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=GET>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Resource: type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Role:>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> < roleName: DCMS_ROLE>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): Built role expression of {Rol(DCMS_ROLE)}>
  ####<Apr 6, 2006 2:55:22 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <main> <<WLS Kernel>> <> <000000> <Default Authorization deployPolicy(): policy {Rol(DCMS_ROLE)} successfully deployed for resource type=<url>, application=mySampleWebApp, contextPath=/mysamplewebapp, uri=/*, httpMethod=POST>
  ####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> < PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
  ####<Apr 6, 2006 3:02:07 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found Negotiate with SPNEGO token>
  ####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: ' weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext (GSSContextImpl.java:246)
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity (SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm (CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  ####<Apr 6, 2006 3:02:08 PM GMT+08:00> <Debug> <SecurityDebug> <ssow2kserver> <myserver> <ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Exception weblogic.security.providers.utils.NegotiateTokenException: GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  weblogic.security.providers.utils.NegotiateTokenException : GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:419)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProviderImpl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity (PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java :199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute (ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  >
  ========================================================================================
  The following are some krb5 packets captured. I suspected it is due to the encryption type used - RC4-HMAC:
  ========================================================================================
  KRB5 (AS-REQ)
  ============
  No. Time Source Destination Protocol Info
  125 10.301166 10.122.1.2 10.122.1.200 KRB5 AS-REQ
  Frame 125 (345 bytes on wire, 345 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.848903000
  Time delta from previous packet: 0.008330000 seconds
  Time since reference or first frame: 10.301166000 seconds
  Frame Number: 125
  Packet Length: 345 bytes
  Capture Length: 345 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Source: 10.122.1.2 (00:0c:29:17:9a:be)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 331
  Identification: 0x0158 (344)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x208d [correct]
  Source: 10.122.1.2 (10.122.1.2 )
  Destination: 10.122.1.200 (10.122.1.200)
  User Datagram Protocol, Src Port: 1075 (1075), Dst Port: kerberos (88)
  Source port: 1075 (1075)
  Destination port: kerberos (88)
  Length: 311
  Checksum: 0x1133 [correct]
  Kerberos AS-REQ
  Pvno: 5
  MSG Type: AS-REQ (10)
  padata: PA-ENC-TIMESTAMP PA-PAC-REQUEST
  Type: PA-ENC-TIMESTAMP (2)
  Type: PA-PAC-REQUEST (128)
  KDC_REQ_BODY
  Padding: 0
  KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
  Client Name (Principal): ssouser
  Realm: SSOW2K.COM
  Server Name (Service and Instance): krbtgt/SSOW2K.COM
  till: 2037-09-13 02:48:05 (Z)
  rtime: 2037-09-13 02:48:05 (Z)
  Nonce: 1870983219
  Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
  Encryption type: rc4-hmac (23)
  Encryption type: rc4-hmac-old (-133)
  Encryption type: rc4-md4 (-128)
  Encryption type: des-cbc-md5 (3)
  Encryption type: des-cbc-crc (1)
  Encryption type: rc4-hmac-exp (24)
  Encryption type: rc4-hmac-old-exp (-135)
  HostAddresses: SSOCLIENT<20>
  KRB5 (AS-REP)
  ============
  No. Time Source Destination Protocol Info
  126 10.303156 10.122.1.200 10.122.1.2 KRB5 AS-REP
  Frame 126 (1324 bytes on wire, 1324 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.850893000
  Time delta from previous packet: 0.001990000 seconds
  Time since reference or first frame: 10.303156000 seconds
  Frame Number: 126
  Packet Length: 1324 bytes
  Capture Length: 1324 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
  Destination: 10.122.1.2 (00:0c:29:17:9a:be)
  Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1310
  Identification: 0x0a0f (2575)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1403 [correct]
  Source: 10.122.1.200 (10.122.1.200)
  Destination: 10.122.1.2 (10.122.1.2)
  User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1075 (1075)
  Source port: kerberos (88)
  Destination port: 1075 (1075)
  Length: 1290
  Checksum: 0xb637 [correct]
  Kerberos AS-REP
  Pvno: 5
  MSG Type: AS-REP (11)
  Client Realm: SSOW2K.COM
  Client Name (Principal): ssouser
  Ticket
  enc-part rc4-hmac
  Encryption type: rc4-hmac (23)
  Kvno: 1
  enc-part: E3610239EACDD0E6D4E89AA7D81A355F6C93B95D95B13B56...
  KRB5 (TGS-REQ)
  ============
  No. Time Source Destination Protocol Info
  127 10.309350 10.122.1.2 10.122.1.200 KRB5 TGS-REQ
  Frame 127 (1307 bytes on wire, 1307 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.857087000
  Time delta from previous packet: 0.006194000 seconds
  Time since reference or first frame: 10.309350000 seconds
  Frame Number: 127
  Packet Length: 1307 bytes
  Capture Length: 1307 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: 10.122.1.2 (00:0c:29:17:9a:be), Dst: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Destination: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Source: 10.122.1.2 (00:0c:29:17:9a:be)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.2 (10.122.1.2), Dst: 10.122.1.200 (10.122.1.200)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1293
  Identification: 0x0159 (345)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1cca [correct]
  Source: 10.122.1.2 (10.122.1.2)
  Destination: 10.122.1.200 ( 10.122.1.200)
  User Datagram Protocol, Src Port: 1076 (1076), Dst Port: kerberos (88)
  Source port: 1076 (1076)
  Destination port: kerberos (88)
  Length: 1273
  Checksum: 0xd085 [correct]
  Kerberos TGS-REQ
  Pvno: 5
  MSG Type: TGS-REQ (12)
  padata: PA-TGS-REQ
  Type: PA-TGS-REQ (1)
  KDC_REQ_BODY
  Padding: 0
  KDCOptions: 40800000 (Forwardable, Renewable)
  Realm: SSOW2K.COM
  Server Name (Service and Instance): HTTP/ssow2kserver.ssow2k.com
  till: 2037-09-13 02:48:05 (Z)
  Nonce: 1871140380
  Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
  Encryption type: rc4-hmac (23)
  Encryption type: rc4-hmac-old (-133)
  Encryption type: rc4-md4 (-128)
  Encryption type: des-cbc-md5 (3)
  Encryption type: des-cbc-crc (1)
  Encryption type: rc4-hmac-exp (24)
  Encryption type: rc4-hmac-old-exp (-135)
  KRB5 (TGS-REP)
  ============
  No. Time Source Destination Protocol Info
  128 10.310791 10.122.1.200 10.122.1.2 KRB5 TGS-REP
  Frame 128 (1290 bytes on wire, 1290 bytes captured)
  Arrival Time: Apr 6, 2006 13:49:54.858528000
  Time delta from previous packet: 0.001441000 seconds
  Time since reference or first frame: 10.310791000 seconds
  Frame Number: 128
  Packet Length: 1290 bytes
  Capture Length: 1290 bytes
  Protocols in frame: eth:ip:udp:kerberos
  Ethernet II, Src: Vmware_59:2c:e6 (00:0c:29:59:2c:e6), Dst: 10.122.1.2 (00:0c:29:17:9a:be)
  Destination: 10.122.1.2 (00:0c:29:17:9a:be)
  Source: Vmware_59:2c:e6 (00:0c:29:59:2c:e6)
  Type: IP (0x0800)
  Internet Protocol, Src: 10.122.1.200 (10.122.1.200), Dst: 10.122.1.2 (10.122.1.2)
  Version: 4
  Header length: 20 bytes
  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
  0000 00.. = Differentiated Services Codepoint: Default (0x00)
  .... ..0. = ECN-Capable Transport (ECT): 0
  .... ...0 = ECN-CE: 0
  Total Length: 1276
  Identification: 0x0a10 (2576)
  Flags: 0x00
  0... = Reserved bit: Not set
  .0.. = Don't fragment: Not set
  ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 128
  Protocol: UDP (0x11)
  Header checksum: 0x1424 [correct]
  Source: 10.122.1.200 (10.122.1.200)
  Destination: 10.122.1.2 (10.122.1.2)
  User Datagram Protocol, Src Port: kerberos (88), Dst Port: 1076 (1076)
  Source port: kerberos (88)
  Destination port: 1076 (1076)
  Length: 1256
  Checksum: 0x1318 [correct]
  Kerberos TGS-REP
  Pvno: 5
  MSG Type: TGS-REP (13)
  Client Realm: SSOW2K.COM
  Client Name (Principal): ssouser
  Ticket
  enc-part rc4-hmac
  Encryption type: rc4-hmac (23)
  Kvno: 1
  enc-part: 4D2A9E8590CC716EA6571B093B6FAF89537B0B89F832C073...
  ========================================================================================
  Can anybody enlighten me on how you solve this problem? Thanks.

  I ran into this error and caught the error code to remind me to edit the registry.
  if (sError.contains("KDC has no support for encryption type (14)")){
                      JOptionPane.showMessageDialog(null,"Error " + ThisErrorCode.myErrorCode() + '\n' +
                      " http://support.microsoft.com/default.aspx?scid=kb;en-us;308339" + '\n' + '\n' +
                      "There is a known issue involving Windows clients running Windows 2000 SP4, XP SP2." + '\n' +
                      "To avoid the error, administrators need to update the Windows registry." + '\n' +
                      "The registry key, allowtgtsessionkey, should be added, and its value set correctly" + '\n' +
                      "to allow session keys to be sent in the Kerberos Ticket-Granting Ticket." + '\n' + '\n' +
                      "Windows XP SP2, add the registry entry:" + '\n' +
                      "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\Kerberos\\" + '\n' +
                      "Value Name: allowtgtsessionkey" + '\n' +
                      "Value Type: REG_DWORD" + '\n' +
                      "Value: 0x01" ,null, JOptionPane.ERROR_MESSAGE);
                      System.exit(-1);

• Problem: KDC has no support for encryption type (14)

  hi, I have dealing the problem for long time and no response in bea forum.
  I feel very exhausted when checking mit's kerberos mailist and sun forum. Any try every method they provide but not success.
  first I generate the keytab using w2k's ktpass
  ktpass -princ HTTP/[email protected] -mapuser weblogic -pass weblogic -out dlsvr_keytab -crypto des-cbc-crc
  and it turn out to be successful.
  My W2KSP4 KDC Config is:
  c:\winnt\krb5.ini-----------------------------
  [libdefaults]
  default_realm = DLSVR.COM
  default_tkt_enctypes = des-cbc-crc
  default_tgs_enctypes = des-cbc-crc
  ticket_lifetime = 600
  [realms]
  DLSVR.COM = {
  kdc = 192.168.2.231
  admin_server = dlserver
  default_domain = DLSVR.COM
  [domain_realm]
  .dlsvr.com= DLSVR.COM
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true
  i also set des type in AD Accout and also reset password after that
  i create my keytab using des-cbc-crc as you can see in the log below :
  <2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <Found Negotiate with SPNEGO token>
  KeyTab: load() entry length: 50
  KeyTabInputStream, readName(): DLSVR.COM
  KeyTabInputStream, readName(): host
  KeyTabInputStream, readName(): weblogic
  KeyTab: load() entry length: 44
  KeyTabInputStream, readName(): dlsvr.com
  KeyTabInputStream, readName(): weblogic
  EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
  crc32: e9889c7a
  crc32: 11101001100010001001110001111010
  KrbAsReq calling createMessage
  KrbAsReq in createMessage
  KrbAsReq etypes are: 1
  KrbKdcReq send: kdc=192.168.2.231 UDP:88, timeout=30000, number of retries =3, #bytes=216
  KDCCommunication: kdc=192.168.2.231 UDP:88, timeout=30000,Attempt =1, #bytes=216
  KrbKdcReq send: #bytes read=1217
  KrbKdcReq send: #bytes read=1217
  EType: sun.security.krb5.internal.crypto.DesCbcCrcEType
  crc32: 54c176ae
  crc32: 1010100110000010111011010101110
  KrbAsRep cons in KrbAsReq.getReply host/weblogicFound key for host/[email protected]
  Entered Krb5Context.acceptSecContext with state=STATE_NEW
  <2005-11-8 ����06��09��39�� CST> <Debug> <SecurityDebug> <000000> <GSS exception GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no
  support for encryption type (14))
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
  at weblogic.security.providers.utils.SPNEGONegotiateToken.getUsername(SPNEGONegotiateToken.java:371)
  at weblogic.security.providers.authentication.SinglePassNegotiateIdentityAsserterProviderImpl.assertIdentity(SinglePassNegotiateIdentityAsserterProvider
  Impl.java:201)
  at weblogic.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:553)
  at weblogic.servlet.security.internal.CertSecurityModule.checkUserPerm(CertSecurityModule.java:104)
  at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
  at weblogic.servlet.security.internal.CertSecurityModule.checkA(CertSecurityModule.java:86)
  at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
  at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3685)
  at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
  at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
  at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
  So i don't know why win2k's KDC not support the des-cbc-crc,
  Any Help or Clue woud be highly appreciated!
  david

  Exception was: javax.naming.AuthenticationException: KDC has no support for encryption type (14) [Root exception is KrbException: KDC has no support for encryption type (14)]
  at com.sco.tta.server.security.java14.KerberosAuth.login(KerberosAuth.java:286)
  at com.sco.tta.server.login.ADLoginAuthority.authenticate(ADLoginAuthority.java:39 0)
  Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.
  Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.
  On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Value Name: allowtgtsessionkey
  Value Type: REG_DWORD
  Value: 0x01 ( default is 0 )
  By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.

• GSSException"KDC has no support for encryption type (14)" on token exchange

  I'm stumped. Just started working with an MIT KDC v5 1.3.1 running on Linux and trying to get the IBM sample apps (GSSClient and GSSServer) working. The apps are here: http://www-106.ibm.com/developerworks/java/library/j-gss-sso/
  I have two principals set up using defaults: one for the client and one for the server. The GSSClient, GSSServer and KDC are all running on the same machine in the same Realm.
  I start the server just fine and it waits with:
  GSSServer starts... Waiting for incoming connectionWhen I run the client the client authentictes and the context is successsfully created. However, the GSSServer throws an Exception:
  GSSException: Failure unspecified at GSS-API level (Mechanism level: KDC has no support for encryption type (14))
  at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
  at com.ourcorp.caa.security.GSSServer.run(GSSServer.java:138)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Unknown Source)
  at com.ourcorp.caa.security.GSSServer.startServer(GSSServer.java:98)
  at com.ourcorp.caa.security.GSSServer.main(GSSServer.java:71)
  The client also throws an Exception:
  GSSClient... Getting client credentials
  GSSClient... GSSManager creating security context
  GSSClient...Sending token to server over secure context
  GSSClient...Secure context initialized
  GSSClient...Written 511 bytes
  GSSClient...Exception nulljava.io.EOFException
  at java.io.DataInputStream.readInt(DataInputStream.java:448)
  at com.ourcorp.caa.security.GSSClient.run(GSSClient.java:184)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.Subject.doAs(Subject.java:320)
  at com.ourcorp.caa.security.GSSClient.login(GSSClient.java:117)
  at com.ourcorp.caa.security.GSSClient.main(GSSClient.java:63)
  Client authentication denied...
  This happens consistently and I cannot get passed this point! The weird thing is, is that the same thing happens using the Windows 2003 Server KDC! Same Exception.
  Can anyone help me understand what is causing this? The Exception mentions "KDC has no support for encryption type (14)" but we're not specifying any encryption type other than the defaults. The principals are the same as far as I know.
  Thanks.

  Interesting I managed to get this example to work but I had to create two principals (one for the client one for the server) with encryption types of "des-cbc-crc:normal" only . It seems that a with principal with "des-cbc-crc:normal" and "des3-hmac-sha1:normal" encryption types causes the Exception. So, the question I have is: does the GSS API support TripleDES or what? The KDC is obviosuly trying to use it for the user-user exchange but fails.
  Anyone got any ideas? Thanks.

• KDC has no support for encryption type

  Hi,
  I hope not too much people are not reading this post because of the very common error message. But I'm really somewhat confused:
  For testing Kerberos 5 SSO I set up a little domain controller running Windows 2003 Server and a client in the domain running Windows XP. In the active directory I created a service account with the logon test-service and a user account test-user. The switch "Use DES encryption types for this account" is set for both accounts and I reseted the passwords after setting the switch. Additionally I added a service principal name test/test.krbtest.local to the service account.
  On the client machine I execute a very simple JAVA client program that tries to obtain a service ticket for the service test/test.krbtest.local. If I configure the client to prompt for a password, the service ticket is obtained without a problem using etype 3 (sun.security.krb5.internal.crypto.DesCbcMd5EType). But when trying to read the existing TGT from the native windows cache the client exits with:
  KDC has no support for encryption type (14)The debug output tells the following:
  >>> Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20070413112833Z
  startTime=20070413112833Z
  endTime=20070413212833Z
  renewTill=20070420112833Z
  flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
  EType (int): 0
  Principal is [email protected]
  Commit Succeeded
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Apr 13 23:28:33 CEST 2007
  Entered Krb5Context.initSecContext with state=STATE_NEW
  Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Apr 13 23:28:33 CEST 2007
  Service ticket not found in the subject
  Credentials acquireServiceCreds: same realmUsing builtin default etypes for default_tgs_enctypes
  default etypes for default_tgs_enctypes: 3 1 23 16 17.
  CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
  EType: sun.security.krb5.internal.crypto.NullEType...Note that it says "Etype (int): 0" which I think is no valid encryption type at all. klist (from the windows resource kit) tells me that my tickets look like:
  Server: krbtgt/[email protected]
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/13/2007 23:28:33
      Renew Time: 4/20/2007 13:28:33
  ...But as mentioned above I set the option "Use DES encryption types for this account" for both the user and service account. Am I doing something wrong here??
  Additionally I thought JAVA 1.5.11 would support RC4-HMAC, is that wrong?
  Even more confusing:
  If I remove the "Use DES encryption types for this account" switch for the two accounts and configure my JAVA client program to prompt for a password, a ticket is obtained using the RC4-HMAC encryption type 23 (sun.security.krb5.internal.crypto.ArcFourHmacEType). But using the ticket from the cache again does not work.
  I'd appreciate any comments on that since I'm totally confused by now and have no idea on how to get this SSO thing working correctly in JAVA.
  Cheers
  P.S.:
  I just wanted to mention that adding
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmacto my krb5.ini has no effect on the desribed behaviour
  Message was edited by:
  sherazade

  Ok,
  perhaps I should have looked around the forum a little bit more in-depth...
  Setting the AllowTGTSessionKey registry key to 1 solves this issue...
  thanks

• KDC has no support for encryption type (14) in windows 2008

  The active directory is a windows 2008 box. I am not mentioning any encryption types in krb5.ini. I know that we should add some registry entries in Windows 2003 and XP. But I was not able to find something similar to those, corresponding to windows 2008. I also tried adding the registry that was meant for windows 2003. But it din't work.
  Any help appreciated.
  Thanks in advance

  Sorry for a very late response and for not providing adequate information in my question.
  I have Active Directory is in windows 2008 box and my application runs in a windows 2003 box. Its a very simple configuration and there is just one domain configured in the AD(no forest, no parent-child domains).
  my login.config file looks like this
  KerbAuth4Portal{
  com.sun.security.auth.module.Krb5LoginModule required debug=true refreshKrb5Config=true;
  and the krb5.conf looks like this
  [libdefaults]
  default_realm = KERB.WHIGFIELD.COM
  [domain_realm]
  .kerb.whigfield.com = KERB.WHIGFIELD.COM
  [realms]
  KERB.WHIGFIELD.COM = {
  kdc = Ferrari-w2k8Vm1.kerb.whigfield.com
  This is my method
       public void authenticateForPortal(String userName, String password)
                 throws AuthenticationException {
            LoginContext lc = null;
            Subject subject = null;
            try {
                 // String pwd= EncryptData.decryptString(password);
                 // userName = "[email protected]";
                 // userName = helper.convertDN2KerberosPrincipal(userName);
                 // password = "control";
                 lc = new LoginContext("KerbAuth4Portal", new LdapCallbackHandler(
                           userName, password));
                 lc.login();
                 logTicketAttributes(lc);
                 subject = lc.getSubject();
                 log.debug("Authenticated subject" + subject);
            } catch (LoginException le) {
                 log.error("Login failed-", le);
                 throw new AuthenticationException("Failed to login -"
                           + le.getMessage());
  and this is the exception I am getting
  javax.naming.AuthenticationException: Failed to login -KDC has no support for encryption type (14)
  But if I set the useTicketCache to true, then I am not getting this issue, but it the authentication happens with the user present in ticket cache and not with the user passed in my method
  Any help appreciated.
  Thanks in advance

• Command-line support for encrypted images

  Hi,
  Is there any support in asr for performing restores using an encrypted image directly? I can't seem to find anything. It isn't much of a burden I guess to mount the image and then use it (now that I know that, anyway), but it seems like an oversight that asr can't just be given a password directly.
  Similarly for hdiutil, it has some support for encrypted images, but some things seem to be missing. At the very least you can't convert an encrypted image into an unencrypted image because convert doesn't understand that.
  Are these known issues? Are there plans to add this functionality? Or is it considered unnecessary since there's other ways around it?
  tom

  Sorry for my ignorance, when you say you installed every driver in there are you referring to adding them to the driver database or to your bootwim. Also if you cant grab the logs you might be able to get a report based on an unknown system, look in reporting
  under "History of a task sequence deployment on a computer" if there was anything recorded before it bombed out you might be able to get some info. 
  Im still leaning towards a network driver though, can you snap an image of the drivers you have loaded into your preferred bootwim.

• How to fix "More than one receiving system has been specified for the BAPI"

  Due to patching the HR system I am testing the functionalities in our test environment before patching the production system. When doing a hiring action (in our test environment) I get this error message at infotype 0000 when I try to save:
  "More than one receiving system has been specified for the BAPI (AcctngServices, CheckAccountAssignment)"
  It is message no. B1811
  My first suggestion weas that it could be the presence of dual connections in SALE, but disabling one of them didn't help.
  Since the Basis team is currently patching the HR system I wonder if that has any affect that might end out in the above error.
  Anyone who can help me out here? Please?

  Usually, when you have HR and FI on separate boxes, certain FI information (e.g. cost center) do not physically locate on HR box. Instead of replicating these data into HR for integrity check, you have an option (for a few countries) of remotely connecting from HR box to FI to do these checking though BAPI. I think this is the scenario you have (i.e. when doing the hiring, a new ee will be assigned to a personnel area which in turn default a cost center which SAP would need to check for integrity).
  Please go into distribution model, and check if for some reason, this is set up to go to to more than 1 destination for HR accounting integrity check.
  Rgds.
  Edited by: Ted Dinh on Jun 12, 2009 8:55 AM

• HT201210 Why iphone 3g has no support for ios 5 + ..please allow us to download..

  Why iphone 3g has no support for ios 5 + ..please allow us to download..
  Please do anyhow. .anything ...you are the creater of apple.. I know you can do it. .please do anything that iphone 3g will support ios 5 ro greater than that..

  The 3G was discontinued over 2yrs ago.
  The 3GS was only discontinued about a month ago.
  Apple made the decision that the 3G would not get anything newer than 4.2.1 because of reasons only they know.
  Griping about it is pointless.
  Speculating about why is against the terms of use of these forums.
  The device is ancient... either accept that it will never get an update and live with it or buy something newer.

• Netflix says"Video Playback Error  Your device has a hardware issue, which is preventing Premium Video Playback. Contact Apple Support for more information. Error Code: S7363-1261-FFFFD000" What is wrong?

  My mac is working fine. No noticeable problems. Then went onto netflix everything was working apart from the watching of the film and it popped up
  "Video Playback Error  Your device has a hardware issue, which is preventing Premium Video Playback. Contact Apple Support for more information. Error Code: S7363-1261-FFFFD000".
  Not sure what is wrong but would appreciate any help

  Netflix not working with yosemite
  Re: I think there is a hardware issue with my computer and i am not sure what to do it won't let me play netflix
  Netflix streaming gives Error Code: S7363-1261-FFFFD000

• Siebel Support for Encryption

  My customer needs documentation detailing Siebel's support for encryption protocols across all layers
  i.e
  1) User Interface,
  2) Web Session / Transport
  3) Database Layer
  4) Logs. Cookies
  Is there any documentation that someone has prepared from field experience? or does product management maintain any such document?
  Any pointer would indeed help! Look fwd. to your inputs.
  Regards,
  Rakesh

  Rakesh,
  I would start with the Bookshelf section on Encryption in the Security Guide. Beyond that I am not aware of any single document that addresses all types of encryption. Basic observations follow:
  1. User Interface -- Since this is a web application, not sure how this differs from "Web Session". The communications between the end user's browser and the Siebel Web Server can be secured with standard SSL. Higher key lengths require that the Siebel Strong Encryption Pack be installed on both the Siebel Web Server(s) and the Siebel Application Server(s).
  2. Web Session / Transport -- The SISNAPI communications between the various Siebel servers can by encrypted using RSA, MSCrypto, or SSL.
  3. Database Layer -- This is dependent on the database being used and would be set at the client level for transport. As long as it is transparent to the Siebel application object manager, it should be fine. In terms of actual data storage, Siebel can do field level encryption for specific fields. Alternatively, database encryption utilities such as Oracle's Transparent Data Encryption (TDE) can be used as long as it is transparent to the Siebel application. Encryption of local databases are more restrictive and involve either encrypting the whole local database or not encrypting the local database.
  4. Logs and Cookies -- Logs are not encrypted. Cookies can be encrypted in transit when using SSL. Also the session identifier can be encrypted.
  Hope this information is at least somewhat helpful.
  Stevan

• BUG! Not system locale Filenames support for 32-bit applications error in Windows 8.1 x64 and other microssoft x64 OS-s.

  BUG! Not system locale Filenames support for 32-bit applications error in Windows 8.1 x64.        
  All Windows x64 (XP,2003,2007,Vista,7,8) have no support for not system locale filenames|foldernames for all 32-bit applications. I think it is BUG!
  For example,  it is possible to read files|folders with French or Chinese in English locale windows installed, rename it, but it is not possible open it, edit or delete. (ERRORS: File not found OR Unknown format)
  With using 64-bit programs no such problems. How does it works and how can I fix this? Is it problem with encoding in translating kernel instructions for 32-bit apps in x64 Windows OS's? Whether there are
  solutions to this problem OR some hacks|fixes? 

  Hi,
  Have you installed the language package for French or Chinese?
  If no, please download the language package and install them.
  To download language package, please click the link below,
  http://windows.microsoft.com/en-US/windows/language-packs#lptabs=win7
  Best Regards.
  Steven Lee
  TechNet Community Support

• No quality notification type has been defined for inspection type 89

  Hi
  When I am creating a manual inspection lot and want to create a quality notification it gives me this error "No quality notification type has been defined for inspection type 89" where do I assign the notifications to the inspection lot.???
  I want to know where do I configure it??
  Regards
  Suresh

  Hi
  Path for assigning the Qualtiy notification type to Qualtiy  inspection type:
  SPRO--> Qualtiy Mangement --> Qualtiy inspection --> Inspection lot creation -->
  Maintain Inspection types.
  Select the inspection type and goto details screen
  You can find notification type field in the details.Give the value and Save.
  Regards
  Ramakrishna

• How is ENET-232/4 Supported Now that NI-Serial 14.0 has Removed Support for ENET?

  Dear smarter people than me, I have been pulling my hair out trying to get my brand new ENET-232/4 units running under the lastest and greatest LabVIEW envirenment (2014). 
  After finding that none of the instruction matched what I was seeing in MAX etc, I discovered the following line in the NI-Serial 14.0 driver release notes;
  Release Notes
  Removed ENET support
  NI-Serial 14.0 removes support for all NI Serial ENET Interfaces (ENET-232/2, ENET-232/4, ENET-485/2, and ENET-485/4).
  So my question is if NI-Serial no longer supports or configures the ENET-232/4, then what does?  At the moment I just have 5 rather exspensive boxes sitting on the shelf unable to be configured.   
  Smart brains please help
  Dave

  Hi Dave,
  As per the NI-Serial 14.0 Readme, as you have already discovered, support for all NI Serial ENET devices has been removed. This is a result of the NI Serial ENET devices being discontinued. As mentioned by Michel_Gauvin, the NI Serial ENET devices can be used without the presence of the NI-Serial driver on the system. Instructions for using NI Serial ENET devices via the NI-VISA driver can be found in this KnowledgeBase. As a note, the ENET device will still need to be configured on a system that has NI-Serial with ENET support. My recommendation would be to stick with NI-Serial 4.1 for ease of use and configuration if you plan on continuing to use the ENET devices.
  Michel,
  Changes to your LabVIEW code could be required when moving to a 64-bit Windows operating system. One change that may be required is the "VISA resource name" input because MAX will not discover/show the NI Serial ENET device on the 64-bit OS, so if an alias was being used during development it would not be recognized when moved over.
  Best,
  Jake B.

• JMF has no support for H263 'b' or 'c-mode'?

  Hello!
  From what I've heard JMF should have full support for H263 codec (video). I tested a simple JMF based graphics application and streamed H263 'a-mode' RTP to the package and presented the result on a panel. It looked OK. Then I tested the other two H263 versions 'b' and 'c-mode'.
  It looked absolutely horrible...absolutely unusable.
  Doesnt JMF have full support for H263? In that case, how do I activate the full support?
  If JMF itself doesnt have full support for H263, are there any available plugins that can be used to solve this?
  Greatful for any help/hints and/or suggestions!
  SIncerely
  Mikael

  Hi Mikael,
  I've read at the following place that JMF with Windows Performace Pack has support for mode B and C:
  http://java.sun.com/products/java-media/jmf/2.1.1/solutions/AVReceive.html.
  But I've actually made the same conclusion as you: it seems like JMF doesn't support mode B and C. One solution might be to create a pre-processing effect plug-in, which simply removes all mode B and mode C packets before they arrive to the codec!? RFC2190 (the H.263 RTP payload spec.) strongly recommends using mode A whenever possible. So, hopefully there aren't too much of the B and C packets, and hopefully such effect plug-in won't damage the video quality too much?
  Regards,
  Andreas Piirimets
  System developer, Omnitor AB