I don't understand why that full list of permitted_enctypes is a problem,
while your abbreviated list is not.
I do know that Windows AD controllers seem to favor aes256-cts-hmac-sha1-96
and aes128-cts-hmac-sha1-96. For most AD domains, DES was deprecated long
ago and as of last year, I think most customers are trying to deprecate RC4
as well.
Our AD DCs are W2016, 2020 and (formerly) W2012. I have no experience with
RedHat IDM and no experience with Win10 servers (I thought Win 10 were all
desktops and integrated natively with AD).
But I do know that the krb5-libs will attempt to negotiate the encryption
types in the order they are listed in your permitted_enctypes line. So
change your line to do aes256-cts-hmac-sha1-96 first, something like:
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac
This will at least give you another data point. To my mind, it should
proceed like this:
Attempt aes256-cts-hmac-sha384-192, fail,
Attempt aes128-cts-hmac-sha256-128, fail.
Attempt aes256-cts-hmac-sha1-96, succeed.
Spike
On Thu, Nov 30, 2023 at 11:23 PM Deepak Ramanath <deepak.narayan(a)gmail.com>
wrote:
I have a Windows 10 server joined to a RedHat IDM (RHEL 8.9) realm using
Kerberos. When a user tries to authenticate on a Windows 10 server, the
following error is shown
"We cannot sign you in with this credential because your domain isn't
available"
On the IDM, looking at the `/var/log/krb5kdc.log`, I see the following...
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55:
NEEDED_PREAUTH: win.user(a)server.local for krbtgt/server.local(a)server.local,
Additional pre-authentication required
Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE:
authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)},
win.user(a)server.local for krbtgt/server.local(a)server.local
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24),
UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes
{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18),
ses=aes256-cts-hmac-sha1-96(18)}, win.user(a)server.local for
host/win-server.server.local(a)server.local
In the `/etc/crypto-policies/back-ends/krb5.config`, `libdefaults` has
been set to
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
Interestingly, if all encryption types are removed except
aes256-cts-hmac-sha1-96 from the permitted_enctypes, the authentication on
Windows 10 is successful.
Any idea why setting only aes256-cts-hmac-sha1-96 works while a list of
supported methods including aes256-cts-hmac-sha1-96 does not?
--
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
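A small parser for the krb5kdc.log lines quoted in the thread, added here as an example; it is not code from either poster, from MIT Kerberos or from RHEL IdM. It reads the AS_REQ/TGS_REQ lines, lists which offered etypes the KDC flagged DEPRECATED or UNSUPPORTED, intersects the unflagged offers with a permitted_enctypes line while keeping the configured order, and for ISSUE lines checks that the reply (rep) and session (ses) etypes were among the client's offers. The sample log lines are the three from the message above joined back onto one line each with the archive's "(a)" restored to "@", and the two config fragments are the original and the proposed ordering; all function and variable names are mine.

```python
"""Audit krb5kdc.log AS_REQ/TGS_REQ lines against a permitted_enctypes list.
Added example, not code from the thread, MIT Kerberos or RHEL IdM."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One etype token as krb5kdc prints it: optional DEPRECATED:/UNSUPPORTED: flag,
# a possibly empty name, and the numeric etype id, e.g. "UNSUPPORTED:(-135)".
ETYPE_RE = re.compile(
    r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[A-Za-z0-9-]*)\((?P<num>-?\d+)\)")
# Start of an AS_REQ / TGS_REQ line, up to and including the client address.
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): (?P<kind>AS_REQ|TGS_REQ) \((?P<n>\d+) etypes "
    r"\{(?P<etypes>[^}]*)\}\) (?P<addr>\S+): (?P<rest>.*)$")
ISSUE_RE = re.compile(
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>[^,]+), "
    r"tkt=(?P<tkt>[^,]+), ses=(?P<ses>[^}]+)\}, (?P<client>\S+) for (?P<service>\S+)")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")


@dataclass
class Etype:
    name: str
    num: int
    flag: Optional[str]  # "DEPRECATED", "UNSUPPORTED" or None


@dataclass
class KdcRequest:
    kind: str                 # AS_REQ or TGS_REQ
    client_addr: str
    offered: list             # Etype objects the client listed in its request
    status: str               # NEEDED_PREAUTH, ISSUE, ...
    client: Optional[str] = None
    service: Optional[str] = None
    issued: dict = field(default_factory=dict)  # rep/tkt/ses -> Etype (ISSUE only)


def parse_etype(token: str) -> Etype:
    m = ETYPE_RE.fullmatch(token.strip())
    if not m:
        raise ValueError(f"not an etype token: {token!r}")
    return Etype(m.group("name"), int(m.group("num")), m.group("flag"))


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    """Return a KdcRequest for an AS_REQ/TGS_REQ line, None for any other line."""
    m = REQ_RE.match(line)
    if not m:
        return None
    offered = [Etype(e.group("name"), int(e.group("num")), e.group("flag"))
               for e in ETYPE_RE.finditer(m.group("etypes"))]
    rest = m.group("rest")
    req = KdcRequest(m.group("kind"), m.group("addr"), offered, rest.split(":", 1)[0])
    im = ISSUE_RE.match(rest)
    if im:
        req.client, req.service = im.group("client"), im.group("service")
        req.issued = {k: parse_etype(im.group(k)) for k in ("rep", "tkt", "ses")}
    else:
        pm = PRINC_RE.search(rest)  # e.g. "NEEDED_PREAUTH: client for service, ..."
        if pm:
            req.client, req.service = pm.group("client"), pm.group("service")
    return req


def parse_permitted_enctypes(conf: str) -> list:
    """Read permitted_enctypes from a [libdefaults] fragment, keeping its order."""
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "permitted_enctypes":
            return value.split()
    return []


def flagged_offers(req: KdcRequest) -> list:
    """Offered etypes the KDC itself marked DEPRECATED or UNSUPPORTED."""
    return [e for e in req.offered if e.flag]


def negotiable(req: KdcRequest, permitted: list) -> list:
    """Unflagged client offers that are also permitted, in configured order."""
    usable = {e.name for e in req.offered if e.flag is None}
    return [p for p in permitted if p in usable]


def client_can_decrypt(req: KdcRequest) -> dict:
    """For an ISSUE line: were rep and ses among the client's offers?  tkt is
    left out on purpose: the ticket is sealed in the service principal's key
    (krbtgt/... for an AS_REQ), so the client never decrypts it."""
    offered = {e.name for e in req.offered}
    return {k: req.issued[k].name in offered for k in ("rep", "ses") if k in req.issued}


# Constructed sample: the thread's three log lines, one per string, "(a)" -> "@".
SAMPLE_LOG = [
    "Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
    "UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: "
    "NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, "
    "Additional pre-authentication required",
    "Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
    "UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: "
    "authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, "
    "win.user@server.local for krbtgt/server.local@server.local",
    "Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
    "UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes "
    "{rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for "
    "host/win-server.server.local@server.local",
]
ORIGINAL_CONF = ("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha384-192 "
                 "aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 "
                 "aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac\n")
PROPOSED_CONF = ("[libdefaults]\npermitted_enctypes = aes256-cts-hmac-sha1-96 "
                 "aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 "
                 "aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac\n")

if __name__ == "__main__":
    for conf in (ORIGINAL_CONF, PROPOSED_CONF):
        permitted = parse_permitted_enctypes(conf)
        for line in SAMPLE_LOG:
            req = parse_kdc_line(line)
            print(req.kind, req.status, req.service)
            print("  flagged:", [(e.name, e.num) for e in flagged_offers(req)])
            print("  negotiable:", negotiable(req, permitted))
            if req.issued:
                print("  issued:", {k: v.name for k, v in req.issued.items()},
                      "client can decrypt:", client_can_decrypt(req))
```

Run against the two config fragments, the intersection of the client's unflagged offers with the permitted list is the same two AES SHA-1 etypes either way, which is one concrete data point to compare with a packet capture or the Windows event log. The tkt etype on the AS_REQ ISSUE line (aes256-cts-hmac-sha384-192) reflects the krbtgt key, not something the Windows client has to support; rep and ses are what the client must be able to handle.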