Agenda

Deiby GomezJun 15 2015 — edited Aug 16 2015

Comments

807578
This error suggests a problem with your Kerberos config file, specifically a mismatch between supported encryption types. Have you specified the default_tkt_enctypes and/or default_tgs_enctypes keywords in your krb5.conf file? AFAIK, the only common encryptions between MIT krb5 and AD are "des-cbc-crc" and "des-cbc-md5"; if you have something different, this will fail.

Also, I don't know if this applies, but I found this:

Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The affected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )

By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.

Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

from this page: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Some other possibly useful urls:
http://docs.sun.com/source/819-4309-10/en-us/base/standard/activedir_auth_enabling.html
http://docs.sun.com/app/docs/doc/816-5174/6mbb98ugh?a=view
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Hope this helps.
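One way to audit, and optionally apply, the allowtgtsessionkey setting quoted above, as an added example that is not part of this thread or of the Sun page it cites. The two registry paths are the ones quoted; the OS-version test that chooses between them and the -Apply switch are my assumptions, and writing the value needs an elevated session.

```powershell
# Added example: check whether TGT session keys are exported on this host, and
# set allowtgtsessionkey = 1 (REG_DWORD) when run with -Apply.
param(
    [switch]$Apply
)

# Assumption: Windows XP (5.1) stores the value directly under ...\Kerberos,
# while Server 2003 / 2000 SP4 use the ...\Kerberos\Parameters subkey, as the
# quoted troubleshooting text describes.
$osVersion = [System.Environment]::OSVersion.Version
if ($osVersion.Major -eq 5 -and $osVersion.Minor -eq 1) {
    $keyPath = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos'
} else {
    $keyPath = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
}
$valueName = 'allowtgtsessionkey'

# Read the current value; an absent value means the default (0) is in effect.
$current = $null
if (Test-Path -Path $keyPath) {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $current = $item.$valueName }
}

if ($current -eq 1) {
    Write-Output "$valueName is already 1 under $keyPath; session keys are included in the TGT."
    return
}

$shown = if ($null -eq $current) { 'absent (default 0)' } else { $current }
Write-Output "$valueName is $shown under $keyPath; a Java client using the native ticket cache will see an empty session key."

if ($Apply) {
    # Create the key if it does not exist, then write the DWORD the quoted text asks for.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
    Write-Output "Set $valueName = 1 (REG_DWORD) under $keyPath."
}
```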
807578
I think it might be the second cause. I had already tried various combinations of "des-cbc-crc" and "des-cbc-md5".

I will ask our IT services guys who look after the AD to see if they can apply this registry fix.

Cheers

Anthony Worrall