Product: TIBCO Spotfire®
Problem:
When configuring Kerberos authentication on the TIBCO Spotfire Server, the "kinit" command fails with KrbException: KDC has no support for encryption type (14)
Solution:
While setting up Kerberos authentication on the TIBCO Spotfire Server, running the "kinit" command might show the following exception.
KrbException: KDC has no support for encryption type (14)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 4 more

Some of the most common reasons for this error are listed in the resolution steps below.
- Check that the encryption method used in the "ktpass" command is supported on both the Domain Controller and the TIBCO Spotfire Server. See the resolution of KB 000033761 for more details.
- Check that the kinit command syntax is correct and that it points to the correct keytab path.
- Check the Domain Functional Level of the Domain Controller. If the Domain Controller is at Domain Functional Level 2003, it will not support "AES" encryption. In that case, "AES" encryption must not be used in the ktpass command, the kinit command, or the krb5.conf file. Follow the steps below to find the domain functional level:
  - On the Domain Controller machine(s), from the “Administrative Tools” menu, select “Active Directory Domains and Trusts”.
  - Right-click the root domain, then select “Properties”.
  - Under the “General” tab, the “Domain functional level” and “Forest functional level” are displayed on the screen.
- If "AES" encryption is used, make sure that "AES" encryption is enabled for the service account. This can be done from the service account properties.
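
The encryption-type checks above can be run together as one offline pre-flight test. The Python below is an added example, not TIBCO's code: it reads default_tkt_enctypes from a krb5.conf and compares it with the Domain Functional Level and the service account's msDS-SupportedEncryptionTypes bit mask. The function names, the sample krb5.conf and the EXAMPLE.COM realm are constructed for illustration.

```python
import re

# Bit flags of the msDS-SupportedEncryptionTypes attribute on an AD account.
ACCOUNT_BITS = {"des-cbc-crc": 0x01, "des-cbc-md5": 0x02, "rc4-hmac": 0x04,
                "aes128-cts-hmac-sha1-96": 0x08, "aes256-cts-hmac-sha1-96": 0x10}
# Short names commonly written in krb5.conf, mapped to the canonical names.
ALIASES = {"aes128-cts": "aes128-cts-hmac-sha1-96",
           "aes256-cts": "aes256-cts-hmac-sha1-96",
           "arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}

# Constructed sample input (not taken from the article).
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes256-cts rc4-hmac
default_tgs_enctypes = aes256-cts rc4-hmac
"""

def requested_enctypes(krb5_conf_text):
    """Return the canonical enctypes listed in default_tkt_enctypes, in order."""
    m = re.search(r"^\s*default_tkt_enctypes\s*=\s*(.+)$", krb5_conf_text, re.M)
    if not m:
        return []
    names = re.split(r"[\s,]+", m.group(1).strip().lower())
    return [ALIASES.get(n, n) for n in names if n]

def check(krb5_conf_text, account_enctype_mask, domain_functional_level):
    """Return findings matching the article's causes of the enctype error.

    account_enctype_mask: integer value of msDS-SupportedEncryptionTypes
    (assumption: 0 or unset is treated as "AES not enabled on the account").
    domain_functional_level: string such as "2003" or "2008".
    """
    findings = []
    for etype in requested_enctypes(krb5_conf_text):
        if etype not in ACCOUNT_BITS:
            findings.append(f"{etype}: unrecognised encryption type name")
        elif etype.startswith("aes") and domain_functional_level == "2003":
            findings.append(f"{etype}: not supported at Domain Functional Level 2003")
        elif etype.startswith("aes") and not account_enctype_mask & ACCOUNT_BITS[etype]:
            findings.append(f"{etype}: AES not enabled on the service account")
    return findings

if __name__ == "__main__":
    # Account with only the RC4 bit set, in a 2008-level domain.
    for finding in check(SAMPLE_KRB5_CONF, 0x04, "2008"):
        print(finding)
```

An empty result means none of these three mismatches was found; the keytab path and kinit syntax still have to be checked by hand.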