Error: "AD authentication fails - KDC has no support for encryption type"


Article ID: 160250


Updated On:


Data Loss Prevention Enforce


Symantec Data Loss Prevention (DLP) is setup with Active Directory (AD) authentication and is trying to login using the DLP created AD account and getting the standard error: “Invalid Username/Password or Disabled Account”.


"Invalid Username/Password or Disabled Account"

In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property
06 Jan 2010 11:14:59,508- Thread: 13 INFO [] Unsuccessful login attempt for user (XXX) at IP address: ..

Additionally, AD reports Event ID 4768


Symantec Data Loss Prevention (DLP) v11

Customized AD environment with non-standard Kerberos settings


The default and common encryption settings that both Windows Kerberos and MIT Kerberos (Java implementation) supports are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5.
If the Windows Kerberos client (Enforce side) is needed to handle other than the default encryption type DES3-CBC-SHA1.

  1. Ensure the AD admin provides the valid encryption settings that allow proper communication
  2. Set the option "default_txx_enctype" in krb5.ini using a text editor
    • If modifying the KRB5.ini or KRB5.conf does not address the issue try checking the option "Do not require Kerberos preauthentication" on your Active Directory server
    • This file is case sensitive. The realms must all be in CAPS whereas kdc must be in lower case. If kdc is in upper case, kinit will fail
      • Example:

default_realm = MY.REALM.COM
default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5
default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5