
Security Question


While using the Kerberos protocol, not able to log in to the system without password

12/07/2016 796 views
Hello,

We have configured AD DC on Windows 2012 R2 and executed the ktpass command as follows:
C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

and log in to the Windows client (Windows 8.1 machine) with the domain user TestU1,

and set up the Kerberos key on the BS2000 machine using the /ADD-KEYTAB-ENTRY command, and Windows ID access authorizations are defined for the BS2000 user ID for single sign-on by the /MODIFY-LOGON-PROTECTION command.

While trying to log in to the BS2000 machine, it shows error code KRB0008 [which means the encryption type is not supported or key version mismatch].

1. The list of supported encryption types on the BS2000 machine is as follows:

DES-CBC-CRC                    8  2016-12-07  10:21:40
DES-CBC-MD5                    8  2016-12-07  10:21:40
AES128-CTS                     8  2016-12-07  10:21:40
AES256-CTS                     8  2016-12-07  10:21:40
RC4-HMAC                       8  2016-12-07  10:21:40
RC4-HMAC-EXP

and we are using the encryption types AES256-SHA1 and AES128-SHA1; both are supported encryption types, but we are still not able to log in.

2. Also, regarding the key version mismatch, we are using the same Vno. in the /ADD-KEYTAB-ENTRY command, which is retrieved from the output of the ktpass command.

3. We have executed the ktpass command for the AES256-SHA1 and AES128-SHA1 encryption types, but while logging in as the domain user on the Windows 8.1 machine and executing the klist command on the Windows 2012 R2 machine, the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] is displayed and the ticket for encryption type AES128-SHA1 is not displayed.

4. Even after clearing the Kerberos tickets from the cache [klist -purge] and logging in again with the domain user on the Windows 8.1 machine, and using the klist command on the Windows 2012 R2 machine, the cached ticket for encryption type AES256-SHA1 [KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96] is displayed and the ticket for encryption type AES128-SHA1 is not displayed.

Please help in configuring Kerberos.

Thank You
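
Points 1 and 2 of the post turn on which encryption type and key version number a keytab entry actually carries. As an added example (not part of the original post), this Python script reads both fields from a keytab in the MIT version 0x0502 file format. Assumptions: the ktpass output uses that format, the function names are hypothetical, and the sample bytes are constructed (all-zero keys, placeholder realm EXAMPLE.TEST).

```python
import struct

# Kerberos enctype numbers for the encryption types named in the post
ENCTYPES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
            18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC", 24: "RC4-HMAC-EXP"}

def parse_keytab(data):
    # Returns one (principal, kvno, enctype name, key length) tuple per entry.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:        # trailing padding
            break
        if size < 0:         # negative size marks a deleted entry (hole)
            pos += -size
            continue
        entries.append(parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)  # name components, realm excluded
    off = 2
    def counted():  # 16-bit big-endian length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2 + n
        return buf[off - n:off]
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    off += 8  # skip name type (4 bytes) and timestamp (4 bytes)
    kvno, etype = struct.unpack_from(">BH", buf, off)  # 8-bit kvno, then enctype
    off += 3
    key = counted()  # key bytes are never returned, only their length
    if len(buf) - off >= 4:  # optional 32-bit kvno replaces the 8-bit one
        (kvno,) = struct.unpack_from(">I", buf, off)
    return ("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype)), len(key))

def sample_entry(etype, kvno, keylen):  # builds one constructed entry for the demo
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"host")
            + cs(b"bs2000.example.test") + struct.pack(">II", 1, 0)
            + struct.pack(">BH", kvno & 0xFF, etype) + cs(bytes(keylen))
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry(17, 3, 16) + sample_entry(18, 3, 32)  # constructed
```

Calling parse_keytab() on the bytes of the file written by ktpass -out lists the principal, Vno. and encryption type of each entry, which can then be compared with the values entered on the receiving system.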