Troubleshooting Kerberos KDC Encryption Type Mismatch in Apache/AD SSO Integration


When integrating Apache with Active Directory using Kerberos authentication, you might encounter the error:

kvno: KDC has no support for encryption type while getting credentials

This typically occurs when there's a mismatch between the encryption types supported by your Windows Server 2012 KDC and what your Debian client expects.

First, verify your keytab was created with correct encryption types. On Windows Server 2012:

ktpass /princ HTTP/web.domain.com@DOMAIN.COM /mapuser DOMAIN\web-svc-account /pass * ^
       /out http-web.keytab /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

Two caveats: /mapuser together with /pass resets that service account's password, so any keytab previously issued for the account stops working the moment this runs; and /crypto AES256-SHA1 writes only an AES256 key, so if you need an RC4 fallback in the same keytab use /crypto All instead.

To check the encryption types in your keytab:

klist -k -e http-web.keytab

Your krb5.conf needs explicit encryption type settings. Leave out the krb4_config/krb4_realms options (Kerberos 4 support is gone from MIT Kerberos and they are ignored) and do not set allow_weak_crypto, which only re-enables single-DES types that nothing in this setup uses:

[libdefaults]
    default_realm = DOMAIN.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

arcfour-hmac-md5 is listed last as a fallback for accounts that still only advertise RC4; remove it once every service account involved supports AES.

Check the encryption types advertised by the account the HTTP principal is mapped to. msDS-SupportedEncryptionTypes is set per account (user or computer object), not on the domain object, and a user account that never had it set is treated by the KDC as RC4-only:

Get-ADUser -Identity web-svc-account -Properties msDS-SupportedEncryptionTypes |
    Select-Object Name, msDS-SupportedEncryptionTypes

The value is a bitmask: 1 = DES-CBC-CRC, 2 = DES-CBC-MD5, 4 = RC4-HMAC, 8 = AES128-CTS-HMAC-SHA1-96, 16 = AES256-CTS-HMAC-SHA1-96. To enable AES (recommended):

Set-ADUser -Identity web-svc-account -Replace @{ 'msDS-SupportedEncryptionTypes' = 28 }   # RC4 (4) + AES128 (8) + AES256 (16)

Use 24 instead of 28 to drop RC4 entirely once nothing else depends on it; the keytab must then contain AES keys, which the ktpass command above provides.

Enable Kerberos debugging to see the exact negotiation:

export KRB5_TRACE=/dev/stderr
kinit -V -k -t http-web.keytab HTTP/web.domain.com@DOMAIN.COM
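Putting the three checks above together (the keytab listing from klist -k -e, the account's msDS-SupportedEncryptionTypes value, and the permitted_enctypes line in krb5.conf), here is an added example that is not code from the original page: it reconciles the three lists and prints the enctypes all of them share, an empty result being exactly the situation that produces the kvno error. The klist output and bitmask values in it are constructed for the demonstration; the bit meanings follow the msDS-SupportedEncryptionTypes definition in MS-KILE, and treating an absent attribute (0) as RC4-only is the default Microsoft documents for that attribute.

```shell
#!/bin/sh
# Added example, not from the original page. For `kvno HTTP/...` to succeed
# one enctype must appear in all three of: krb5.conf permitted_enctypes,
# the keytab, and the AD account's msDS-SupportedEncryptionTypes.

# Fold the aliases MIT tools print or accept onto one canonical name.
norm() {
    case $1 in
        arcfour-hmac-md5|rc4-hmac|rc4-hmac-md5) echo arcfour-hmac ;;
        aes256-cts|aes256-sha1) echo aes256-cts-hmac-sha1-96 ;;
        aes128-cts|aes128-sha1) echo aes128-cts-hmac-sha1-96 ;;
        *) echo "$1" ;;
    esac
}

# Decode an msDS-SupportedEncryptionTypes bitmask into MIT enctype names.
# Bits (MS-KILE): 1 DES-CBC-CRC, 2 DES-CBC-MD5, 4 RC4-HMAC, 8 AES128, 16 AES256.
ad_enctypes() {
    mask=$1; out=""
    [ $((mask & 1)) -ne 0 ]  && out="$out des-cbc-crc"
    [ $((mask & 2)) -ne 0 ]  && out="$out des-cbc-md5"
    [ $((mask & 4)) -ne 0 ]  && out="$out arcfour-hmac"
    [ $((mask & 8)) -ne 0 ]  && out="$out aes128-cts-hmac-sha1-96"
    [ $((mask & 16)) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    # Attribute absent (0): the Windows KDC treats the account as RC4-only
    # (assumption taken from Microsoft's documentation of the attribute).
    [ "$mask" -eq 0 ] && out=" arcfour-hmac"
    printf '%s\n' "${out# }"
}

# Pull the parenthesised enctype out of each `klist -k -e` entry on stdin,
# normalise, de-duplicate, and return them space separated.
keytab_enctypes() {
    sed -n 's/.*(\([^)]*\)).*/\1/p' \
        | while read -r e; do norm "$e"; done \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Print the enctypes present in all three lists (space separated).
# $1 = permitted_enctypes from krb5.conf, $2 = keytab list, $3 = AD list.
usable_enctypes() {
    permitted=$1; keytab=$2; ad=$3; out=""
    for e in $permitted; do
        e=$(norm "$e")
        case " $keytab " in *" $e "*) ;; *) continue ;; esac
        case " $ad " in *" $e "*) ;; *) continue ;; esac
        out="$out $e"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: keytab produced by ktpass /crypto AES256-SHA1.
SAMPLE_KLIST='Keytab name: FILE:http-web.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/web.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)'

KT=$(printf '%s\n' "$SAMPLE_KLIST" | keytab_enctypes)

# Old krb5.conf (RC4 only) against an AES256-only account: nothing usable,
# which is the "KDC has no support for encryption type" case.
echo "old config:   [$(usable_enctypes 'arcfour-hmac-md5' "$KT" "$(ad_enctypes 16)")]"
# Corrected krb5.conf against an account set to 28: AES256 is usable.
echo "fixed config: [$(usable_enctypes 'aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5' "$KT" "$(ad_enctypes 28)")]"
```

On a real host, replace SAMPLE_KLIST with `klist -k -e /path/to/keytab` and the bitmask with the value returned by Get-ADUser; if the printed set is empty, whichever of the three lists is missing the type is the one to fix, and the order in permitted_enctypes decides which of the shared types the client actually asks for first.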

For Apache configuration, ensure mod_auth_kerb is properly set:

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms DOMAIN.COM
    Krb5Keytab /path/to/http-web.keytab
    KrbServiceName HTTP/web.domain.com@DOMAIN.COM
    require valid-user
</Location>

When working with Linux-Windows Kerberos integration, pay attention to:

  • Time synchronization (use NTP)
  • DNS resolution (ensure forward and reverse lookups work)
  • Service Principal Name (SPN) registration
  • Keytab file permissions (should be readable by Apache user)

To verify SPN registration:

setspn -Q HTTP/web.domain.com
setspn -L web-svc-account

-Q reports which account(s) hold the SPN (a second match means a duplicate registration, which breaks Kerberos for that service); -L lists every SPN on the account the keytab was issued for. Run them on a domain-joined Windows host or the DC.

When integrating Apache with Active Directory (Windows Server 2012) using Kerberos SSO, many developers encounter the frustrating error:

kvno: KDC has no support for encryption type while getting credentials for HTTP/web.domain.com@DOMAIN.COM

This typically occurs when there's a mismatch between the encryption types supported by your Linux client (Debian Wheezy in this case) and the Windows Server 2012 KDC.

From your klist -e output, we can see the working case uses arcfour-hmac:

Etype (skey, tkt): arcfour-hmac, arcfour-hmac

However, when requesting a ticket for the HTTP principal (HTTP/web.domain.com@DOMAIN.COM), the KDC reports that it has no supported encryption type. The account behind that principal was keyed for AES (see the /crypto parameter on the ktpass command below), so a client that only offers arcfour has no enctype in common with it.

When creating keytabs on Windows Server 2012, it's crucial to specify modern encryption types:

ktpass -princ HTTP/web.domain.com@DOMAIN.COM -mapuser DOMAIN\web-svc-account ^
       -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass * -out c:\temp\web.keytab

Note the -crypto AES256-SHA1 parameter, which writes an AES256 key into the keytab. Because -mapuser is combined with -pass, this also resets the service account's password and invalidates any keytab issued for it earlier, so copy the new file to the web server before the next restart of Apache.

Your current /etc/krb5.conf only specifies older encryption types. Here's a more comprehensive configuration:

[libdefaults]
    default_realm = DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

[realms]
    DOMAIN.COM = {
        kdc = dc1.domain.com
        admin_server = dc1.domain.com
    }

To test if your configuration changes are working:

KRB5_TRACE=/dev/stderr kinit -V -k -t /path/to/keytab HTTP/web.domain.com@DOMAIN.COM

The -V flag reports which principal and keytab kinit is using; the encryption type negotiation itself (the types the client offers and the KDC's error or chosen etype) shows up in the KRB5_TRACE output, so read the two together.

Windows Server 2012 has specific Kerberos policies that might affect this:

  1. Check Group Policy: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
  2. Look for "Network security: Configure encryption types allowed for Kerberos"
  3. Ensure AES 256/128 are enabled

Be aware that once this policy is defined, every type left unticked is disabled on the hosts it applies to; if RC4 is still needed as a fallback for some accounts, keep it ticked until those accounts have been moved to AES.

Examine your keytab's contents to verify encryption types:

ktutil
ktutil: read_kt /path/to/keytab
ktutil: list -e
ktutil: quit

Without -e, list shows only the KVNO and principal of each entry; -e adds the encryption type, which is what you need to compare against the enctypes in krb5.conf.

For completeness, here's the relevant Apache configuration:

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbServiceName HTTP/web.domain.com@DOMAIN.COM
    Krb5Keytab /etc/apache2/web.keytab
    Require valid-user
</Location>