I have a Windows 10 server joined to a RedHat IDM (RHEL 8.9) realm using Kerberos. When a user tries to authenticate on a Windows 10 server, the following error is shown
"We cannot sign you in with this credential because your domain isn't available"
On the IDM, looking at the `/var/log/krb5kdc.log`, I see the following...
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, Additional pre-authentication required
Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for krbtgt/server.local@server.local
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for host/win-server.server.local@server.local
In the `/etc/crypto-policies/back-ends/krb5.config`, `libdefaults` has been set to
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
Interestingly, if all encryption types are removed except aes256-cts-hmac-sha1-96 from the permitted_enctypes, the authentication on Windows 10 is successful.
Any idea why only setting to aes256-cts-hmac-sha1-96 works while a list of supported methods including aes256-cts-hmac-sha1-96 does not?
I don't understand why that full list of permitted_enctypes is a problem, while your abbreviated list is not.
I do know that Windows AD controllers seem to favor aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96. For most AD domains, DES was deprecated long ago, and as of last year I think most customers are trying to deprecate RC4 as well.
Our AD DCs are W2016, 2020 and (formerly) W2012. I have no experience with RedHat IDM and no experience with Win10 servers (I thought Win 10 were all desktops and integrated natively with AD).
But I do know that the krb5-libs will attempt to negotiate the encryption types in the order they are listed in your permitted_enctypes line. So change your line to put aes256-cts-hmac-sha1-96 first, something like:
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac
This will at least give you another data point. To my mind, it should proceed like this:
Attempt aes256-cts-hmac-sha384-192, fail. Attempt aes128-cts-hmac-sha256-128, fail. Attempt aes256-cts-hmac-sha1-96, succeed.
Spike
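As an added example (not code from the thread, the IdM project or MIT krb5), the script below parses the krb5kdc.log lines quoted in the question and checks the enctypes the Windows client actually offered against a permitted_enctypes line, once for the original crypto-policy list and once for the reordered list suggested in the reply. The sample log text is constructed from the three lines in the question; the enctype numbers are the registered Kerberos encryption type IDs. It gives the "data point" the reply asks for without editing the live policy: which permitted enctypes the client offers at all, and which of its offers the KDC would refuse. One caveat on reading the log: the tkt= field in an ISSUE line is the enctype of the key the ticket is encrypted in (the krbtgt key for the AS_REQ, the host key for the TGS_REQ), which the client never decrypts, so it says nothing about what the client supports; rep= and ses= are the ones the client has to handle.

```python
import re

# Registered Kerberos enctype numbers for the names used in krb5.conf
# (RFC 3961, 3962, 6803, 8009). Assumption: the names in the policy file
# map 1:1 to these IDs, which is what krb5 itself does.
ENCTYPE_IDS = {
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
    "arcfour-hmac-exp": 24,
    "camellia128-cts-cmac": 25,
    "camellia256-cts-cmac": 26,
}

# Constructed sample: the three krb5kdc.log lines quoted in the question.
SAMPLE_LOG = """\
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: NEEDED_PREAUTH: win.user@server.local for krbtgt/server.local@server.local, Additional pre-authentication required
Nov 30 23:08:17 idm.server.local krb5kdc[11774](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha384-192(20), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for krbtgt/server.local@server.local
Nov 30 23:08:17 idm.server.local krb5kdc[11775](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.124.55: ISSUE: authtime 1701385697, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, win.user@server.local for host/win-server.server.local@server.local
"""

# The two [libdefaults] snippets under discussion: the crypto-policy list
# from the question and the reordered list from the reply.
FULL_POLICY = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
"""
REORDERED_POLICY = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac
"""

# One KDC request line: kind, the client's offered etype list, source IP, result.
REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): (?P<status>[A-Z_]+):"
)
# One offered etype: optional DEPRECATED:/UNSUPPORTED: flag, name (may be
# empty, as in "UNSUPPORTED:(-135)"), numeric ID in parentheses.
ETYPE_RE = re.compile(
    r"(?:(?P<flag>DEPRECATED|UNSUPPORTED):)?(?P<name>[a-z0-9-]*)\((?P<num>-?\d+)\)"
)
# Enctypes the KDC chose when it issued a ticket: reply, ticket and session key.
ISSUED_RE = re.compile(r"(?P<role>rep|tkt|ses)=(?P<name>[a-z0-9-]+)\((?P<num>\d+)\)")


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line in a krb5kdc.log excerpt."""
    events = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        offered = [
            (int(e.group("num")), e.group("name"), e.group("flag"))
            for e in ETYPE_RE.finditer(m.group("etypes"))
        ]
        issued = {i.group("role"): int(i.group("num")) for i in ISSUED_RE.finditer(line)}
        events.append({
            "kind": m.group("kind"),
            "client": m.group("client"),
            "status": m.group("status"),
            "offered": offered,
            "issued": issued,
        })
    return events


def parse_permitted_enctypes(config_text):
    """Pull the permitted_enctypes list (in file order) out of a krb5.conf snippet."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", config_text, re.M)
    return m.group(1).split() if m else []


def compare_enctypes(permitted, offered_ids):
    """Intersect a permitted_enctypes list with the IDs a client offered."""
    offered = set(offered_ids)
    permitted_ids = {ENCTYPE_IDS[name] for name in permitted}
    return {
        # Permitted AND offered, kept in the policy's preference order.
        "usable": [n for n in permitted if ENCTYPE_IDS[n] in offered],
        # Permitted by the KDC but never offered by this client.
        "permitted_not_offered": [n for n in permitted if ENCTYPE_IDS[n] not in offered],
        # Offered by the client but refused by the policy (in the client's order).
        "offered_not_permitted": [i for i in offered_ids if i not in permitted_ids],
    }


if __name__ == "__main__":
    events = parse_kdc_log(SAMPLE_LOG)
    as_req = events[0]
    offered_ids = [num for num, _, _ in as_req["offered"]]
    for label, policy in (("crypto-policy list", FULL_POLICY), ("reordered list", REORDERED_POLICY)):
        result = compare_enctypes(parse_permitted_enctypes(policy), offered_ids)
        print(f"{label} vs {as_req['client']} {as_req['kind']}:")
        for key, value in result.items():
            print(f"  {key}: {value}")
    for ev in events:
        if ev["issued"]:
            print(f"{ev['kind']} issued rep/tkt/ses = {ev['issued']}")
```

Run against the quoted log, both policy orderings leave the same two enctypes (18 and 17) as the only ones the Windows client and the KDC have in common; reordering changes which of those the KDC prefers, not whether the others become usable. The script is offline and read-only, so it can be pointed at a real /var/log/krb5kdc.log before anything in /etc/crypto-policies is touched.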
On Thu, Nov 30, 2023 at 11:23 PM Deepak Ramanath deepak.narayan@gmail.com wrote:
> Any idea why only setting to aes256-cts-hmac-sha1-96 works while a list of supported methods including aes256-cts-hmac-sha1-96 does not?

sssd-users mailing list -- sssd-users@lists.fedorahosted.org