07-30-2009 4:23 PM
Hi,
we're having problems with Windows Vista (SP1 and SP2) and Windows 7 clients accessing the portal/ume configured with SPNego. All other clients work fine. KDC is WIN2003
The error is the "KDC does not support encryption type (14)" error.
The clients have the registry entries in HKLM\System\CCS\Control\Lsa\Parameters allowtgtsessionkey and maxpacketsize set to 0x1.
I've read in a couple of forums that there were problems with this for when UAC in Vista was enabled and when the user in question is a member of the Local Administrators group. Well this is the case but it should have been solved in SP1.
Any ideas?
Marcel
07-30-2009 4:55 PM
Marcel,
I am familiar with the bug in Vista which was fixed in SP1. However, I think your problem is a different problem. Have you tried turning off UAC and trying SPNEGO logon to see if it works? If it does, then you know that SAP SPNEGO is fine and the issue is with Windows/Browser/Kerberos.
Thanks,
Tim
07-30-2009 4:46 PM
08-03-2009 8:42 AM
Hi Tim,
Thanks, unfortunately it doesn't work with or without UAC. Strange that I cannot find anyone else with the same issue. Either no-one is using Vista (makes sense) or SPNego is not rolled out that much... Or of course it's something I'm doing wrong
rgds
Marcel
08-03-2009 9:00 AM
Hi,
I use Vista x64 with SPNEGO to logon to SAP portal, almost every day, and I have also tested Windows 7 with SPNEGO. The difference is that I am not using the SAP supplied SPNEGO login module - I am using our own developed SPNEGO login module instead which works with any user store and does not use Java Kerberos libraries. From the error you are getting I doubt it is due to the login module though, but I can confirm it works well for us on the platforms mentioned.
Thanks,
Tim
08-03-2009 9:04 AM
Hi Tim,
great, I appreciate the feedback. What about your browser? Are you using IE7, IE8, Firefox 2 or 3? It's getting kind of ridiculous since some of the workstations with Vista that didn't work last week are working now, but not all. And they are all the same (image installations). And still no success with Windows 7. Did you completely turn off UAC on Windows 7?
Marcel
08-03-2009 9:07 AM
I have been using IE7, but also tested with IE6 and Firefox 2 and 3.
I didn't turn off UAC - no need. SSO works without turning off UAC.
The error you mentioned relates to encryption type - perhaps you have software installed which is not supporting RC4 encryption that is used by default in Win2k3 AD?
Thanks,
Tim
08-03-2009 9:12 AM
Ah, ok. I think the Java implementation of Kerberos is causing this - it only supports DES (etype 3) encryption and AD expects RC4 (etype 23). So, looks like the Java library is being used to communicate with AD using etype 3 and the principal in AD is only configured to use etype 23.
As I mentioned earlier, I am not using the SAP SPNEGO login module - the login module I am using supports AES, RC4 and DES and does not require the server to communicate with AD during SPNEGO logon. The only Kerberos protocol usage required is between browser and AD, not between server and AD.
Thanks,
Tim
08-03-2009 9:19 AM
Correct. But you can configure AD to use DES by setting up a user account with support for DES encryption. The KDC error 14 is a very misleading one, it appears for various reasons and it hardly ever has anything to do with encryption.
Turns out that some of the image installations were upgraded to IE8 and they all seem to have the problem, so my quest continues. Thanks for the assistance. 8 points awarded.
Marcel
08-03-2009 10:07 AM
Marcel,
I suspect that IE8 is sending the spnego token to server and including etype 23 or 18 (AES) and your account in AD is only setup to use DES (etype 3). This works for me because we are not using the SAP SPNEGO login module or using the Java Kerberos library which has the DES-ONLY restriction.
Perhaps if you use wireshark to capture network traffic between workstation and AD you will see which etypes are used when the HTTP/<host.domain> ticket is requested. If you need help analysing the wireshark trace, please feel free to send to me.
Thanks,
Tim
08-03-2009 9:01 AM
>
> The error is the "KDC does not support encryption type (14)" error.
Where do you see this error? Is it on the workstation or in a wireshark trace?
> Marcel
08-03-2009 9:07 AM
The KDC error appears in the security log when you use the Diagtool. The tool temporarily screws up the log level.
rgds
Marcel
08-26-2009 3:05 PM
Hello,
Did anyone manage to connect to a Java SAP server via SPNEGO (SSO) on Windows 7?
Quentin
09-02-2009 12:13 PM
Found a solution here:
http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
we changed it to: DES-CBC-MD5
Quentin
09-02-2009 12:53 PM
Ah, this makes sense. The SAP supplied SPNEGO login module is using the Kerberos protocol implementation included in Java which is outdated, so it only supports DES etypes. I didn't get this problem when I tested with Windows 7 because our SPNEGO / IWA login module supports the same etypes that are supported by MS AD, including RC4 and AES.
I think you will find that the decision by Microsoft to disable DES encryption by default, will also be followed in many other products that use Kerberos. If you plan to use SAP SPNEGO login module you need to take this into consideration and suffer the use of a weaker encryption type (e.g. 56-bit DES), compared to the stronger RC4 and AES etypes.
Thanks,
Tim
09-03-2009 8:30 AM
Quentin,
thanks for your feedback. I suppose this did the trick for you?
It sounded very promising so I implemented this on two Windows 7 workstations and rebooted (of course). Unfortunately after wake up still no luck. In the event viewer of the workstations I can see that there's still a problem reading/using the Kerberos ticket for SSO, but it looks much better than before.
Because prior to this change I could see using KerbTray that the wrong Kerberos ticket was created: HTTP/realhost.domain.com. After your suggested change it now correctly creates an entry for HTTP/alias.domain.com
Still investigating......
09-09-2009 6:08 PM
Thanks Quentin
By default WIN7 doesn't have the DES* encryption types enabled:
DES-CBC-MD5
DES-CBC-CRC
You have to enable these on your local PC:
Computer Configuration\Security Settings\Local Policies\Security Options
this entry: Configure encryption types allowed for Kerberos
http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx
I hope you can solve your problem.
Best Regards
Oscar Leó
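The two failure modes discussed in this thread (Tim's etype reasoning about the DES-only Java library versus an RC4/AES account, and the Windows 7 policy change Quentin and Oscar describe) can be modelled as a small negotiation check. The following is an added example, not code from the thread or from SAP; the bit values follow the documented layout of the "Configure encryption types allowed for Kerberos" policy and the msDS-SupportedEncryptionTypes attribute, the KDC preference order is an assumption, and all sample masks are constructed.

```python
"""Model which Kerberos etype a client, a service account and the
service's Kerberos library can agree on, and name the failure when they
cannot. Added example; bit layout from Microsoft's documentation, the
preference order and the sample configurations are assumptions."""

# Policy / attribute bit flag -> (etype number, etype name)
ETYPE_FLAGS = {
    0x01: (1, "DES-CBC-CRC"),
    0x02: (3, "DES-CBC-MD5"),
    0x04: (23, "RC4-HMAC"),
    0x08: (17, "AES128-CTS-HMAC-SHA1-96"),
    0x10: (18, "AES256-CTS-HMAC-SHA1-96"),
}
NAMES = {etype: name for _, (etype, name) in ETYPE_FLAGS.items()}

# Assumed KDC preference when several etypes are common: strongest first.
PREFERENCE = [18, 17, 23, 3, 1]
WEAK = {1, 3}  # 56-bit DES variants


def decode_etypes(mask):
    """Etype numbers enabled by a SupportedEncryptionTypes bitmask."""
    return {etype for bit, (etype, _) in ETYPE_FLAGS.items() if mask & bit}


def negotiate(client_mask, account_mask, server_supported):
    """Return (status, chosen_etype, common_etypes).

    client_mask      - etypes the workstation offers in its TGS-REQ
    account_mask     - msDS-SupportedEncryptionTypes of the account
                       holding the HTTP/ SPN
    server_supported - etypes the server-side Kerberos library can
                       decrypt (a DES-only library is {3} or {1, 3})
    """
    common = decode_etypes(client_mask) & decode_etypes(account_mask)
    if not common:
        # Client and account share nothing: the KDC answers with
        # KDC_ERR_ETYPE_NOSUPP, the "error 14" from the thread.
        return ("KDC_ERR_ETYPE_NOSUPP", None, common)
    chosen = next(e for e in PREFERENCE if e in common)
    if chosen not in server_supported:
        # A ticket is issued, but the service cannot decrypt it, so the
        # browser's SPNEGO token is rejected by the login module.
        return ("SERVER_CANNOT_DECRYPT", chosen, common)
    return ("OK_WEAK" if chosen in WEAK else "OK", chosen, common)


def describe(client_mask, account_mask, server_supported):
    """Human-readable one-liner for a scenario."""
    status, chosen, common = negotiate(client_mask, account_mask, server_supported)
    name = NAMES.get(chosen, "none")
    return "%s (chosen %s, common %s)" % (
        status, name, sorted(NAMES[e] for e in common))


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread.
    DES_ONLY_JAVA = {3}             # SAP module's Java Kerberos library
    WIN7_DEFAULT = 0x1C             # RC4 + AES128 + AES256, DES off
    WIN7_WITH_DES = 0x1E            # after enabling DES-CBC-MD5 via policy
    print("RC4 account, DES-only server:",
          describe(WIN7_DEFAULT, 0x04, DES_ONLY_JAVA))
    print("DES account, Win7 default client:",
          describe(WIN7_DEFAULT, 0x02, DES_ONLY_JAVA))
    print("DES account, DES enabled on client:",
          describe(WIN7_WITH_DES, 0x02, DES_ONLY_JAVA))
    print("AES everywhere (modern module):",
          describe(WIN7_DEFAULT, 0x1C, {17, 18, 23}))
```

The third scenario is the thread's workaround: it succeeds, but the status OK_WEAK makes visible that the only common etype is 56-bit DES, which is Tim's point about the cost of the SAP login module's Java library; the last scenario shows what a login module that supports AES buys instead.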
09-10-2009 1:09 PM
Thanks, that helped me a lot, but it should also be mentioned that if your DC is a Windows 2003 Server, you won't find it in the policy editor; on a local PC just call "gpedit" from the run menu/cmd shell
06-16-2010 5:56 PM
Hi People,
To complete the information, there's a SAP Note related to this issue. Maybe it would help on many cases. Solved mine.
Note 1396724 - SPNEGO fails with Vista SP3,Windows 7,Windows Server 2008 R2