Error: "AD authentication fails - KDC has no support for encryption type"


Article ID: 160250


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Symantec Data Loss Prevention (DLP) is set up with Active Directory (AD) authentication. Logging in to the Enforce console with the DLP-created AD account fails with the standard error: "Invalid Username/Password or Disabled Account".

In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.conf=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.realm=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:59,508- Thread: 13 INFO [com.vontu.manager.security.IpCatcherValve] Unsuccessful login attempt for user (XXX) at IP address: ..

Additionally, the domain controller logs Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested") with a failure Result Code. The "KDC has no support for encryption type" message in the title is the Kerberos error KDC_ERR_ETYPE_NOSUPP, which appears in that event as Result Code 0xE.
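To confirm that a login failure is this encryption-type problem rather than a bad password or a disabled account, decode the 4768 event on the domain controller. The script below is an added example, not part of this article or of the DLP product; the event text, the account name svc-dlp-enforce and the client address are constructed to look like the 4768 body Windows writes for a refused AS-REQ. The Result Code and Ticket Encryption Type values are the ones documented for the 4768 event (0xE = KDC_ERR_ETYPE_NOSUPP, 0xFFFFFFFF = no ticket issued).

```python
"""Decode a Windows Security event 4768 to see why a TGT request was refused.

Added example (not Symantec's or Microsoft's code). The message body below
is constructed; account name, realm and client address are placeholders.
"""
import re

# Kerberos result codes as they appear in the 4768 "Result Code" field.
RESULT_CODES = {
    0x0: "success",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)",
    0xE: "KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (bad password)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
}

# "Ticket Encryption Type" values; 0xFFFFFFFF means no ticket was issued.
ENCTYPES = {
    0x1: "DES-CBC-CRC",
    0x3: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
    0xFFFFFFFF: "none (request failed)",
}

# Constructed sample of the 4768 message text for the failure in this article.
SAMPLE_4768 = """A Kerberos authentication ticket (TGT) was requested.

Account Information:
\tAccount Name:\t\tsvc-dlp-enforce
\tSupplied Realm Name:\tMY.REALM.COM
\tUser ID:\t\t\tNULL SID

Service Information:
\tService Name:\t\tkrbtgt/MY.REALM.COM
\tService ID:\t\tNULL SID

Network Information:
\tClient Address:\t\t::ffff:10.0.0.5
\tClient Port:\t\t49876

Additional Information:
\tTicket Options:\t\t0x40810010
\tResult Code:\t\t0xE
\tTicket Encryption Type:\t0xFFFFFFFF
\tPre-Authentication Type:\t-
"""


def parse_4768(message):
    """Pull the fields that matter out of the event's message text."""
    fields = {}
    for key in ("Account Name", "Supplied Realm Name", "Service Name",
                "Client Address", "Ticket Encryption Type", "Result Code"):
        m = re.search(rf"{key}:\s*(\S+)", message)
        if m:
            fields[key] = m.group(1)
    return fields


def diagnose_4768(message):
    """Translate the numeric codes into the reason the KDC refused the request."""
    f = parse_4768(message)
    result = int(f.get("Result Code", "0x0"), 16)
    enctype = int(f.get("Ticket Encryption Type", "0xFFFFFFFF"), 16)
    return {
        "account": f.get("Account Name"),
        "realm": f.get("Supplied Realm Name"),
        "client": f.get("Client Address"),
        "result_code": result,
        "result": RESULT_CODES.get(result, f"unknown (0x{result:X})"),
        "ticket_enctype": ENCTYPES.get(enctype, f"unknown (0x{enctype:X})"),
        # True only for the encryption-type mismatch this article is about.
        "etype_mismatch": result == 0xE,
    }


if __name__ == "__main__":
    for key, value in diagnose_4768(SAMPLE_4768).items():
        print(f"{key}: {value}")
```

A Result Code of 0xE with no ticket encryption type means the KDC rejected the enctypes the Enforce client offered, which is the case the Resolution section fixes; 0x6, 0x12 and 0x18 point at the account itself and the same Enforce error message would be a genuine credential or account problem.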

Environment

Symantec Data Loss Prevention (DLP) v11

Customized AD environment with non-standard Kerberos settings

Resolution

The encryption types that both Windows Kerberos and the Java (MIT-style) Kerberos implementation used by Enforce support by default are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5. If the KDC in a customized AD environment only offers an encryption type outside this default set, for example DES3-CBC-SHA1, the Kerberos client on the Enforce server (krb5.ini on Windows, krb5.conf on Linux) must be configured to request it; otherwise the TGT request is refused with KDC_ERR_ETYPE_NOSUPP. Note that DES-based types are disabled by default on domain controllers from Windows Server 2008 R2 onward and RC4-HMAC is considered weak, so prefer AES types where the domain supports them and add only the legacy types the AD administrator confirms the KDC actually requires.

  1. Obtain from the AD administrator the encryption types the KDC actually accepts for this account.
  2. Set the options "default_tkt_enctypes" and "default_tgs_enctypes" in krb5.ini (Windows Enforce server) or krb5.conf (Linux, e.g. /opt/Vontu/Protect/config/krb5.conf as in the log above) using a text editor, listing those types.
    • If modifying krb5.ini or krb5.conf does not address the issue, try checking the option "Do not require Kerberos preauthentication" on the account in Active Directory. Treat this as a diagnostic of last resort: an account without pre-authentication lets anyone request an AS-REP for it and crack the account's password offline (AS-REP roasting), so re-enable pre-authentication once the encryption-type mismatch is fixed.
    • This file is case sensitive. Realm names must be in CAPS, whereas the kdc key must be in lower case. If kdc is written in upper case, kinit will fail.
  3. Verify from the Enforce server with kinit <account>@MY.REALM.COM; on Linux, klist -e then shows the encryption types that were actually negotiated.
      • Example:

[libdefaults]
    default_realm = MY.REALM.COM
    default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
    default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
[realms]
    MY.REALM.COM = {
        kdc = KDC1.MY.REALM.COM
        kdc = KDC2.MY.REALM.COM
    }
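Because the mistakes in this file (a missing enctype, an upper-case kdc key, a lower-case realm) all produce the same "Invalid Username/Password or Disabled Account" message in Enforce, it is worth checking the file mechanically before retrying the login. The script below is an added example, not Symantec's code or part of this article: it parses the [libdefaults] and [realms] sections, confirms that both enctype lists contain the type the AD administrator said the KDC requires (DES3-CBC-SHA1, the article's example), and flags the case errors that make kinit fail. GOOD_CONF is the article's example configuration; BAD_CONF is constructed to contain the common mistakes. The DES warning is an addition that reflects DES being disabled by default on current domain controllers.

```python
"""Sanity-check a krb5.conf / krb5.ini before retrying the Enforce AD login.

Added example, not Symantec code: parses [libdefaults] and [realms], checks
that the enctype lists contain the type the AD admin says the KDC requires,
and flags the case mistakes that make kinit fail.
"""
import re

# DES-based types are disabled by default on domain controllers since
# Windows Server 2008 R2; they are reported as warnings, not errors.
DEPRECATED_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}

# Constructed sample: the corrected configuration shown in the article.
GOOD_CONF = """
[libdefaults]
    default_realm = MY.REALM.COM
    default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
    default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5
[realms]
    MY.REALM.COM = {
        kdc = KDC1.MY.REALM.COM
        kdc = KDC2.MY.REALM.COM
    }
"""

# Constructed sample: lower-case realm, upper-case KDC key, enctype missing.
BAD_CONF = """
[libdefaults]
    default_realm = my.realm.com
    default_tkt_enctypes = RC4-HMAC
[realms]
    my.realm.com = {
        KDC = kdc1.my.realm.com
    }
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}.  A 'NAME = { ... }' block inside a
    section becomes a nested dict keyed by NAME exactly as written."""
    sections = {}
    current = None   # dict for the current [section]
    block = None     # dict for the current 'NAME = { ... }' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            block = None
            continue
        if current is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if m:
            block = current.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r"(\S+)\s*=\s*(.*)", line)
        if m:
            target = block if block is not None else current
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def split_enctypes(values):
    """krb5 accepts comma- or space-separated lists; normalise to lower case."""
    types = []
    for value in values:
        types.extend(t.lower() for t in re.split(r"[,\s]+", value) if t)
    return types


def check_krb5_conf(text, required_enctype):
    """Return {'errors': [...], 'warnings': [...]}; no errors means usable."""
    errors, warnings = [], []
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    required = required_enctype.lower()

    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = split_enctypes(libdefaults.get(key, []))
        if not types:
            errors.append(f"{key} is not set, so the client uses its built-in defaults")
        elif required not in types:
            errors.append(f"{key} does not list {required_enctype}, which the KDC requires")
        warnings.extend(f"{key} lists {t}, a DES-based type most KDCs now reject"
                        for t in types if t in DEPRECATED_ENCTYPES)

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is not None and default_realm not in realms:
        errors.append(f"default_realm {default_realm} has no [realms] entry")

    for name, realm in realms.items():
        if name != name.upper():
            errors.append(f"realm {name} must be written in CAPS")
        if not isinstance(realm, dict):
            errors.append(f"realm {name} is not a {{ ... }} block")
            continue
        for key in realm:
            if key != key.lower():
                errors.append(f"key {key} in realm {name} must be lower case (kinit will fail)")
        if "kdc" not in realm:
            errors.append(f"realm {name} lists no kdc")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for label, conf in (("article example", GOOD_CONF), ("broken sample", BAD_CONF)):
        result = check_krb5_conf(conf, "DES3-CBC-SHA1")
        print(label, "errors:", *result["errors"], sep="\n  ")
        print(label, "warnings:", *result["warnings"], sep="\n  ")
```

Run it against the real file (for example `check_krb5_conf(open("/opt/Vontu/Protect/config/krb5.conf").read(), "DES3-CBC-SHA1")`) with the enctype the AD administrator named in step 1; an empty errors list means the file at least requests the right type with the right case, and the remaining warnings list the legacy types that should be removed once the domain no longer needs them.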