"LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP" when trying to add ESXi host to Active Directory Domain.

Article ID: 377819


Products

VMware vSphere ESXi

Issue/Introduction

  • Adding the ESXi host to the AD domain fails with the error "LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP":
    [root@esxi:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join <Domain>.com Administrator Password
    Joining to AD Domain:   <Domain>.com
    With Computer DNS Name: <esxi name>.<Domain>.com

    Error: LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP [code 0x0000a310]
    KDC has no support for encryption type
  • The following errors are observed in the ESXi log /var/run/log/syslog:
    <YYYY-MM-DD>T<time> In(30) lwsmd[2106413]: [lsass] Joining domain example.com
    <YYYY-MM-DD>T<time> In(30) lwsmd[2106413]: [lsass] Affinitized to DC 'example-dc.example.com' for join request to domain 'example.com'
    <YYYY-MM-DD>T<time> Wa(28) lwsmd[2106413]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328370 (Message: KDC has no support for encryption type)
    <YYYY-MM-DD>T<time> lwsmd[2106413]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 41744, symbol = LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP, client pid = 7349472
  • The default ESXi Kerberos configuration in /etc/likewise/likewise-krb5-ad.conf lists RC4-HMAC as an allowed encryption type:
    [libdefaults]
      default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
      dns_lookup_kdc = true
  • Additionally, the domain controller's Security log records Event ID 4768 for the attempt.

Environment

VMware ESXi

Cause

The default ESXi Kerberos configuration still offers RC4-HMAC as an encryption type, but RC4 has been disabled on the domain controllers, so the KDC rejects the ticket request with KDC_ERR_ETYPE_NOSUPP and the domain join fails.

Resolution

Remove RC4 from the ESXi Kerberos configuration by following the KB article "ESXi using RC4 encryption for Kerberos authentication to Active Directory".
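As an added example (not the referenced KB article's procedure or VMware's code), a POSIX shell audit that detects RC4-HMAC on the three enctype lines of a likewise-krb5-ad.conf and writes an AES-only copy. It works on a constructed copy of the default file shown above; on a host the real path /etc/likewise/likewise-krb5-ad.conf would be passed instead, after taking a backup.

```shell
#!/bin/sh
# Added example: audit a likewise-krb5-ad.conf for RC4-HMAC and produce an
# AES-only copy. File paths are arguments so this runs offline on a sample.

# Print every enctype line that still lists RC4-HMAC (exit 1 if none).
rc4_enctype_lines() {
    grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=.*RC4-HMAC' "$1"
}

# Exit status 0 = no RC4 offered (clean), 1 = RC4-HMAC still present.
check_rc4() {
    if rc4_enctype_lines "$1" >/dev/null; then
        echo "RC4-HMAC still offered in $1:" >&2
        rc4_enctype_lines "$1" >&2
        return 1
    fi
    return 0
}

# Copy $1 to $2, dropping RC4-HMAC from the three enctype lines only;
# other settings such as dns_lookup_kdc are left untouched.
strip_rc4() {
    sed -E '/^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|preferred_enctypes)[[:space:]]*=/ {
        s/[[:space:]]+RC4-HMAC[[:space:]]+/ /g
        s/[[:space:]]+RC4-HMAC$//
    }' "$1" > "$2"
}

# Constructed sample mirroring the default file quoted in the article.
write_default_sample() {
    cat > "$1" <<'EOF'
[libdefaults]
  default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
  dns_lookup_kdc = true
EOF
}

# Demonstration on a temporary copy of the sample.
tmp=${TMPDIR:-/tmp}/likewise-krb5-ad.conf.$$
write_default_sample "$tmp"
if check_rc4 "$tmp"; then
    echo "$tmp already AES-only"
else
    strip_rc4 "$tmp" "$tmp.aes"
    echo "AES-only copy written to $tmp.aes"
fi
```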