Error: "AD authentication fails - KDC has no support for encryption type"

search cancel

Error: "AD authentication fails - KDC has no support for encryption type"

book

Article ID: 160250

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

Symantec Data Loss Prevention (DLP) is setup with Active Directory (AD) authentication and is trying to login using the DLP created AD account and getting the standard error: “Invalid Username/Password or Disabled Account”.

"Invalid Username/Password or Disabled Account"

In the log file we can see the following:
Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.conf=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:58,976- Thread: 13 INFO [com.vontu.enforce.authentication.kerberos.KerberosAuthenticationService] System property java.security.krb5.realm=/opt/Vontu/Protect/config/krb5.conf
06 Jan 2010 11:14:59,508- Thread: 13 INFO [com.vontu.manager.security.IpCatcherValve] Unsuccessful login attempt for user (XXX) at IP address: ..

Additionally, AD reports Event ID 4768

Environment

Symantec Data Loss Prevention

Customized AD environment with non-standard Kerberos settings

Resolution

The default and common encryption settings that both Windows Kerberos and MIT Kerberos (Java implementation) supports are RC4-HMAC, DES-CBC-CRC and DES-CBC-MD5.
If the Windows Kerberos client (Enforce side) is needed to handle other than the default encryption type DES3-CBC-SHA1.

Ensure the AD admin provides the valid encryption settings that allow proper communication
- If an asymmetric setup exists with multiple KDCs and clustered ADs, refer to Active Directory 2008 integration - Is AD 2008 integration supported
Set the option "default_txx_enctype" in krb5.ini using a text editor
- If modifying the KRB5.ini or KRB5.conf does not address the issue try checking the option "Do not require Kerberos preauthentication" on your Active Directory server
- This file is case sensitive. The realms must all be in CAPS whereas kdc must be in lower case. If kdc is in upper case, kinit will fail
  - Example:

[libdefaults] default_realm = MY.REALM.COM default_tkt_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1,DES-CBC-MD5 default_tgs_enctypes = RC4-HMAC, DES-CBC-CRC, DES3-CBC-SHA1, DES-CBC-MD5 [realms] MY.REALM.COM = {
kdc = KDC1.MY.REALM.COM
kdc= KDC2.MY.REALM.COM }

Feedback

thumb_up Yes

thumb_down No