0 Replies Latest reply: Jun 10, 2011 10:15 AM by 868126

    etype=3 in debug output for TGT AES-265 on Windows 7

    868126
      Hi,

      I have noticed a strange behavior when trying to implement Kerberos/Spnego SSO on Windows 7. I use Windows 7 Professional x64 and jdk_1.6.0_25 x64 on the client, and Windows 2008 R2 x64 as KDC.

      When logged in to my windows account "klist tgt" shows a TGT with a session key encrypted with AES-256-CTS-HMAC-SHA1-96. This seems to be the default encryption for Windows 7.

      But when I try to get the TGT, the debug output shows the session key is encrypted with etype=3, and this is DES as far as I know. And it seems Java also uses DES-MD5 to encrypt the key.

      Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Acquire TGT from Cache
      KinitOptions cache name is C:\Users\user.TEST\krb5cc_user
      Acquire default native Credentials
      Obtained TGT from LSA: Credentials:
      client=user@TEST.MYDOMAIN.AT
      server=krbtgt/TEST.MYDOMAIN.AT@TEST.MYDOMAIN.AT
      authTime=20110610141616Z
      startTime=20110610141616Z
      endTime=20110611001452Z
      renewTill=20110617141452Z
      flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT
      EType (int): 3
      Principal is user@TEST.MYDOMAIN.AT
      Commit Succeeded
      Found ticket for user@TEST.MYDOMAIN.AT to go to krbtgt/TEST.MYDOMAIN.AT@TEST.MYDOMAIN.AT expiring on Sat Jun 11 02:14:52 CEST 2011
      Entered Krb5Context.initSecContext with state=STATE_NEW
      Service ticket not found in the subject
      Credentials acquireServiceCreds: same realm
      default etypes for default_tgs_enctypes: 17 23 16 3 1.
      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      KrbKdcReq send: kdc=xxxtest10.test.mydomain.at UDP:88, timeout=30000, number of retries =3, #bytes=1311
      KDCCommunication: kdc=xxxtest10.test.mydomain.at UDP:88, timeout=30000,Attempt =1, #bytes=1311
      KrbKdcReq send: #bytes read=1270
      KrbKdcReq send: #bytes read=1270
      KdcAccessibility: remove test10.test.mydomain.at
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      Subject is readOnly;Kerberos Service ticket not stored
      default etypes for default_tgs_enctypes: 17 23 16 3 1.
      CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      KrbKdcReq send: kdc=test10.test.mydomain.at UDP:88, timeout=30000, number of retries =3, #bytes=1303
      KDCCommunication: kdc=test10.test.mydomain.at UDP:88, timeout=30000,Attempt =1, #bytes=1303
      KrbKdcReq send: #bytes read=1250
      KrbKdcReq send: #bytes read=1250
      KdcAccessibility: remove test10.test.mydomain.at
      EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      KrbApReq: APOptions are 00100000 00000000 00000000 00000000
      EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
      I know that I can manually change the encryption of the TGT in the Group Policy to something else like RC4-HMAC. So I changed it to RC4-HMAC, and the debug output as well as "klist tgt" show the right RC4-HMAC encryption.

      It seems that there is something strange happening when AES-256 encryption is specified. Does anybody know what's happening here?

      On another test environment with Windows 7 x64 Enterprise and the same Java, this seems not to be the case. There "klist tgt" shows an AES-256 encrypted session key, and the Java output also shows the right etype=18, and I have to install the JCE unlimited strength policy there in order to make it work. So in fact I'm really confused.

      By the way, I found another post for the same issue, but there is no answer to this problem:
      "Integrity check on decrypted field failed"; Windows 7 & WinServer 2008
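The poster reads the etype numbers in the Java Kerberos debug output by hand. The following Python script is an added example (not code from the post or from the JDK) that does the same thing mechanically: it pulls the TGT session-key etype, the etype list the client offers, and the JDK crypto classes out of sun.security.krb5.debug output, maps the numbers to their registered names, and flags deprecated ones. The number-to-name table comes from the IANA Kerberos encryption type registry (RFC 3961, 3962, 4120, 4757); the sample log is constructed from lines of the post above. It confirms the poster's reading: etype 3 is des-cbc-md5, which is exactly the DesCbcMd5EType class the JDK selected.

```python
import re

# Encryption type numbers from the IANA Kerberos registry
# (RFC 3961, RFC 3962, RFC 4120, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Single DES (deprecated by RFC 6649) and RC4-HMAC (deprecated by RFC 8429).
WEAK_ETYPES = {1, 2, 3, 23, 24}

# Patterns for the three kinds of etype lines the JDK debug output prints.
TICKET_RE = re.compile(r"EType \(int\):\s*(\d+)")
OFFERED_RE = re.compile(r"default etypes for (\w+):\s*([\d\s]+?)\s*\.")
CLASS_RE = re.compile(r"EType:\s*sun\.security\.krb5\.internal\.crypto\.(\w+)")


def etype_name(n):
    """Registered name for an etype number, or a labelled unknown."""
    return ETYPE_NAMES.get(n, "unknown(%d)" % n)


def parse_debug_log(text):
    """Extract etype information from sun.security.krb5.debug output."""
    ticket = [int(m) for m in TICKET_RE.findall(text)]
    offered = {}
    for name, nums in OFFERED_RE.findall(text):
        offered[name] = [int(x) for x in nums.split()]
    classes = []
    for cls in CLASS_RE.findall(text):
        if cls not in classes:  # keep first-seen order, drop repeats
            classes.append(cls)
    return {"ticket": ticket, "offered": offered, "classes": classes}


def assess(parsed):
    """Report which negotiated or offered etypes are deprecated."""
    weak_ticket = [e for e in parsed["ticket"] if e in WEAK_ETYPES]
    weak_offered = [e for lst in parsed["offered"].values()
                    for e in lst if e in WEAK_ETYPES]
    findings = []
    for e in weak_ticket:
        findings.append("ticket session key uses weak etype %d (%s)"
                        % (e, etype_name(e)))
    for e in weak_offered:
        findings.append("client offers weak etype %d (%s)"
                        % (e, etype_name(e)))
    return {"weak_ticket_etypes": weak_ticket,
            "weak_offered": weak_offered,
            "findings": findings}


# Constructed sample, taken from the debug output quoted in the post.
SAMPLE_LOG = "\n".join([
    "Obtained TGT from LSA: Credentials:",
    "client=user@TEST.MYDOMAIN.AT",
    "EType (int): 3",
    "default etypes for default_tgs_enctypes: 17 23 16 3 1.",
    "CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType",
    "EType: sun.security.krb5.internal.crypto.DesCbcMd5EType",
    "EType: sun.security.krb5.internal.crypto.ArcFourHmacEType",
])

if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_LOG)
    print("TGT session key etype(s):",
          [etype_name(e) for e in parsed["ticket"]])
    for line in assess(parsed)["findings"]:
        print(line)
```

Run it against a saved debug log (for example by reading the file into parse_debug_log) to see at a glance whether the TGT handed over by the LSA and the client's offered etypes include DES or RC4; on the poster's first environment it reports etype 3 on the ticket and 23, 3 and 1 in the offered list.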