The encryption type requested is not supported by the KDC
search cancel

The encryption type requested is not supported by the KDC

book

Article ID: 175079

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Unable to apply content filtering policy for domain groups when using the Cloud SWG Auth Connector.

Failed S4U s4uLogin for user: 'domain\user'; status=-xxxxxxx:xxxxxxxx:The encryption type requested is not supported by the KDC.

Environment

  • Cloud Secure Web Gateway (SWG)
  • Auth Connector

Cause

The Auth Connector is unable to authenticate with the Domain Controller (KDC) due to a Windows group policy that restricts the client machine (running BCCA) to only use certain Kerberos encryption types such as AES-128 and AES-256 to talk to the domain controller(s).

Resolution

Review your local security or group policy on the client (BCCA) and server (DC). Adjust the settings accordingly to your requirements.

If your environment has a group policy that restricts the client machine (running BCCA) to only use certain Kerberos encryption types such as AES-128 and AES-256 to talk to the domain controller(s), then AES must also be enabled on the service account that the Auth Connector is using to authenticate against the domain controller(s).

By default, the value is not set on a service account which means the service account only supports RC4, however, domain controllers have a default value for the MSDS-SupportedEncryptionTypes attribute of 0x1c which means that it can support RC4, AES128 and AES256.

See Microsoft blog for more information: Windows Configurations for Kerberos Supported Encryption Type