"LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP" when trying to login to ESXi host.

Article ID: 377819

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:

[root@esxi:~] /usr/lib/vmware/likewise/bin/domainjoin-cli join example.com Administrator Password
Joining to AD Domain:   example.com
With Computer DNS Name: esxi.example.com


Error: LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP [code 0x0000a310]

KDC has no support for encryption type

syslog.log

<YYYY-MM-DD>T<time> In(30) lwsmd[2106413]: [lsass] Joining domain example.com
<YYYY-MM-DD>T<time> In(30) lwsmd[2106413]: [lsass] Affinitized to DC 'example-dc.example.com' for join request to domain 'example.com'
<YYYY-MM-DD>T<time> Wa(28) lwsmd[2106413]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328370 (Message: KDC has no support for encryption type)
<YYYY-MM-DD>T<time> lwsmd[2106413]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 41744, symbol = LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP, client pid = 7349472

Additionally, AD reports Event ID 4768.

ESXi

/etc/likewise/likewise-krb5-ad.conf
[libdefaults]
    default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    dns_lookup_kdc = true

Cause

RC4 is disabled on the domain controllers.

Resolution

RC4 is required for ESXi to join the domain.

Enable RC4 on the domain controllers.

Additional Information

https://www.netmeister.org/blog/krb5-error-codes-table.html
KRB5KDC_ERR_ETYPE_NOSUPP    -1765328370L    14    KDC has no support for encryption type
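
The three error values in this article (0x0000a310 from domainjoin-cli, 41744 and -1765328370 from syslog.log) describe the same failure. The following added example, which is not part of the original article or any VMware tooling, decodes them from the log lines above and reads the configured encryption types. The function names are hypothetical and the timestamps in the sample are constructed.

```python
import re

# Base of the MIT krb5 error table: library code = base + RFC 4120 error number.
KRB5_ERROR_TABLE_BASE = -1765328384
# Only the entry this article covers; extend the map as needed.
KRB5_PROTOCOL_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP"}

KRB5_RE = re.compile(r"KRB5 Error code: (-?\d+) \(Message: ([^)]*)\)")
LSASS_RE = re.compile(r"error = (\d+), symbol = (\w+)")

# Constructed sample: the article's log lines with placeholder timestamps filled in.
SAMPLE_LOG = """\
2024-01-01T00:00:00Z Wa(28) lwsmd[2106413]: [LwKrb5GetTgtImpl ../lwadvapi/threaded/krbtgt.c:262] KRB5 Error code: -1765328370 (Message: KDC has no support for encryption type)
2024-01-01T00:00:00Z lwsmd[2106413]: [lsass] Failed to run provider specific request (request code = 8, provider = 'lsa-activedirectory-provider') -> error = 41744, symbol = LW_ERROR_KRB5KDC_ERR_ETYPE_NOSUPP, client pid = 7349472
"""
# Constructed sample: excerpt of the [libdefaults] section shown in the article.
SAMPLE_CONF = """\
[libdefaults]
    default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC
    dns_lookup_kdc = true
"""

def triage(log_text):
    """Return one finding per Kerberos or lsass error found in lwsmd log text."""
    findings = []
    for line in log_text.splitlines():
        krb5 = KRB5_RE.search(line)
        if krb5:
            # Subtracting the table base yields the on-the-wire Kerberos error number.
            number = int(krb5.group(1)) - KRB5_ERROR_TABLE_BASE
            findings.append({"kind": "krb5", "protocol_error": number,
                             "name": KRB5_PROTOCOL_ERRORS.get(number, "unknown"),
                             "message": krb5.group(2)})
        lsass = LSASS_RE.search(line)
        if lsass:
            # domainjoin-cli prints this same value in hex ("code 0x...").
            findings.append({"kind": "lsass", "symbol": lsass.group(2),
                             "hex": "0x%08x" % int(lsass.group(1))})
    return findings

def configured_enctypes(conf_text, key="default_tkt_enctypes"):
    """Return the encryption types listed for `key` in a krb5-style config."""
    for line in conf_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.split()
    return []

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print(configured_enctypes(SAMPLE_CONF))
```

Comparing the list returned by `configured_enctypes` with the encryption types the domain controllers accept shows whether the two sides share a type before a join is attempted.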