0 Replies. Latest reply: Jun 10, 2011 8:15 AM by 868126

etype=3 in debug output for TGT AES-265 on Windows 7

868126 Newbie
Hi,

I have noticed a strange behavior when trying to implement Kerberos/SPNEGO SSO on Windows 7. I use Windows 7 Professional x64 and jdk_1.6.0_25 x64 on the client, and Windows 2008 R2 x64 as the KDC.

When logged in to my windows account "klist tgt" shows a TGT with a session key encrypted with AES-256-CTS-HMAC-SHA1-96. This seems to be the default encryption for Windows 7.

But when I try to get the TGT, the debug output shows the session key is encrypted with etype=3, which is DES as far as I know. And Java also seems to use DES MD5 to encrypt the key.

Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Users\user.TEST\krb5cc_user
Acquire default native Credentials
Obtained TGT from LSA: Credentials:
client=user@TEST.MYDOMAIN.AT
server=krbtgt/TEST.MYDOMAIN.AT@TEST.MYDOMAIN.AT
authTime=20110610141616Z
startTime=20110610141616Z
endTime=20110611001452Z
renewTill=20110617141452Z
flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT
EType (int): 3
Principal is user@TEST.MYDOMAIN.AT
Commit Succeeded
Found ticket for user@TEST.MYDOMAIN.AT to go to krbtgt/TEST.MYDOMAIN.AT@TEST.MYDOMAIN.AT expiring on Sat Jun 11 02:14:52 CEST 2011
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 17 23 16 3 1.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=xxxtest10.test.mydomain.at UDP:88, timeout=30000, number of retries =3, #bytes=1311
KDCCommunication: kdc=xxxtest10.test.mydomain.at UDP:88, timeout=30000,Attempt =1, #bytes=1311
KrbKdcReq send: #bytes read=1270
KrbKdcReq send: #bytes read=1270
KdcAccessibility: remove test10.test.mydomain.at
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Subject is readOnly;Kerberos Service ticket not stored
default etypes for default_tgs_enctypes: 17 23 16 3 1.
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
KrbKdcReq send: kdc=test10.test.mydomain.at UDP:88, timeout=30000, number of retries =3, #bytes=1303
KDCCommunication: kdc=test10.test.mydomain.at UDP:88, timeout=30000,Attempt =1, #bytes=1303
KrbKdcReq send: #bytes read=1250
KrbKdcReq send: #bytes read=1250
KdcAccessibility: remove test10.test.mydomain.at
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbApReq: APOptions are 00100000 00000000 00000000 00000000
EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

I know that I can manually change the encryption of the TGT in the Group Policy to something else, like RC4-HMAC. So I changed it to RC4-HMAC, and the debug output as well as "klist tgt" show the right RC4-HMAC encryption.

It seems that there is something strange happening with AES-256 encryption specified. Does anybody know what's happening here?

On another test environment with Windows 7 x64 Enterprise and the same Java this seems not to be the case. There "klist tgt" shows an AES-256 encrypted session key, the Java output also shows the right etype=18, and I have to install the JCE unlimited strength there in order to make it work. So in fact I'm really confused.

By the way, I found another post about the same issue, but there is no answer to this problem:
"Integrity check on decrypted field failed"; Windows 7 & WinServer 2008
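As an added example (not from the original post), a small Python script that reads the kind of Java krb5 debug trace pasted above, pulls out the enctype of the LSA-supplied TGT session key ("EType (int): N") and the list the JVM offers for TGS requests ("default etypes for default_tgs_enctypes: ..."), and reports weak or missing enctypes; the sample trace is constructed from the lines in this thread, and the enctype number-to-name table follows the RFC 3961 / IANA registry values.

```python
import re

# Kerberos enctype numbers (RFC 3961 / IANA registry) seen in this thread's trace.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1-kd",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated; flag them.
WEAK_ETYPES = {1, 3, 23}

# Constructed sample in the format of the Sun/Oracle Java krb5 debug output.
SAMPLE_DEBUG = """\
Obtained TGT from LSA: Credentials:
client=user@TEST.MYDOMAIN.AT
server=krbtgt/TEST.MYDOMAIN.AT@TEST.MYDOMAIN.AT
flags: FORWARDABLE;RENEWABLE;PRE-AUTHENT
EType (int): 3
default etypes for default_tgs_enctypes: 17 23 16 3 1.
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
"""

TGT_ETYPE_RE = re.compile(r"^EType \(int\): (\d+)\s*$", re.MULTILINE)
TGS_ETYPES_RE = re.compile(r"default_tgs_enctypes: ([\d ]+)\.")


def tgt_session_key_etype(debug_text):
    """Enctype number of the session key in the TGT obtained from the LSA cache, or None."""
    m = TGT_ETYPE_RE.search(debug_text)
    return int(m.group(1)) if m else None


def offered_tgs_etypes(debug_text):
    """Enctypes the JVM offers for TGS requests, in the order it lists them."""
    m = TGS_ETYPES_RE.search(debug_text)
    return [int(n) for n in m.group(1).split()] if m else []


def audit_etypes(debug_text):
    """Human-readable findings about the enctypes in a debug trace (empty list = all good)."""
    findings = []
    tgt = tgt_session_key_etype(debug_text)
    offered = offered_tgs_etypes(debug_text)
    if tgt in WEAK_ETYPES:
        findings.append("TGT session key uses weak enctype %d (%s)" % (tgt, ETYPE_NAMES.get(tgt, "?")))
    if 18 not in offered:
        findings.append("aes256 (18) not offered by the JVM; check the JCE unlimited-strength policy")
    weak_offered = [e for e in offered if e in WEAK_ETYPES]
    if weak_offered:
        findings.append("weak enctypes offered for TGS: " + " ".join(str(e) for e in weak_offered))
    return findings
```

Run it against a saved trace with `audit_etypes(open("trace.txt").read())`; on the trace in this thread it reports the DES session key, the missing etype 18 and the RC4/DES entries in the offered list.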
