[jcifs] Re: SPNEGO NTLM/Kerberos
Jeffrey Winter
jeffreywinter at gmail.com
Thu May 10 13:58:28 GMT 2007
I had this problem and found the solution:
You're getting the wrong encryption type on your tickets. You can confirm this
using the kerbtray tool. You'll see the encryption type on the ticket to the
server you're trying to hit is RC4-HMAC.
Notice the stack trace:
....
sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt
The problem is, even if you set the account to use DES encryption (as per
the instructions) you *still* might get an RC4-HMAC encrypted ticket.
The issue is that the server itself needs to be forced to use DES keys, not just
the user account. I honestly don't know why this is a problem, but the solution
I found was in here:
http://lists.samba.org/archive/samba-technical/2004-October/037640.html
The relevant bit from that posting is this:
"If I use adsiedit.msc and add the value 2097152 dec to the existing
value of userAccountControl (69632 dec) what I end up with for the
computer account shows up in ldp.exe as
before:
userAccountControl: 0x11000 = ( UF_WORKSTATION_TRUST_ACCOUNT |
UF_DONT_EXPIRE_PASSWD );
after:
userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT |
UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );"
Basically this is saying that you need to get Microsoft's ADAM ADSI Edit tool:
http://technet2.microsoft.com/windowsserver/en/library/7962fde0-7c78-46ed-8fe1-dbebc9ad773f1033.mspx?mfr=true
Find the directory entry for the *computer itself* and hand edit the
userAccountControl property to include the UF_USE_DES_KEY_ONLY flag.
Once you set this, clear the tickets and get a new one. Now you should at least
see that you have the correct encryption type (DES-CBC-MD5). This problem at
least should go away.
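As an added example (not part of the original post), the flag arithmetic from the quoted message in Python: it decodes a userAccountControl value the way ldp.exe displays it and sets UF_USE_DES_KEY_ONLY with a bitwise OR rather than by adding 2097152, which silently goes wrong if the bit is already set. The UF_* values are the standard Windows ADS_USER_FLAG_ENUM constants; the sample value 69632 is the one from the quoted post.

```python
# Added example (not from the original post): decode userAccountControl bit
# flags and apply the UF_USE_DES_KEY_ONLY change from the quoted message with
# a bitwise OR, so re-running it cannot corrupt the attribute.

# Flag values from the Windows ADS_USER_FLAG_ENUM; names are the UF_* macros.
UF_FLAGS = {
    "UF_ACCOUNTDISABLE": 0x0002,
    "UF_PASSWD_NOTREQD": 0x0020,
    "UF_NORMAL_ACCOUNT": 0x0200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "UF_SERVER_TRUST_ACCOUNT": 0x2000,
    "UF_DONT_EXPIRE_PASSWD": 0x10000,
    "UF_TRUSTED_FOR_DELEGATION": 0x80000,
    "UF_NOT_DELEGATED": 0x100000,
    "UF_USE_DES_KEY_ONLY": 0x200000,
    "UF_DONT_REQUIRE_PREAUTH": 0x400000,
    "UF_PASSWORD_EXPIRED": 0x800000,
}


def decode_uac(value: int) -> list:
    """Return the UF_* names set in a userAccountControl value (ldp.exe style)."""
    return [name for name, bit in UF_FLAGS.items() if value & bit]


def set_flag(value: int, flag: str) -> int:
    """Set one flag with OR; unlike adding 2097152, this is idempotent."""
    return value | UF_FLAGS[flag]


def naive_add(value: int, flag: str) -> int:
    """The arithmetic form from the quoted post; wrong if the bit is already set."""
    return value + UF_FLAGS[flag]


def describe(value: int) -> str:
    """Render the value the way the quoted ldp.exe output shows it."""
    return f"userAccountControl: 0x{value:X} = ( {' | '.join(decode_uac(value))} )"


if __name__ == "__main__":
    before = 69632  # 0x11000, the computer account from the quoted post
    after = set_flag(before, "UF_USE_DES_KEY_ONLY")
    print(describe(before))
    print(describe(after))
    # Applying the change a second time: OR is unchanged, but adding 2097152 again
    # carries into 0x400000 (UF_DONT_REQUIRE_PREAUTH) and drops the DES-only bit.
    print(describe(set_flag(after, "UF_USE_DES_KEY_ONLY")))
    print(describe(naive_add(after, "UF_USE_DES_KEY_ONLY")))
```

Checking the result with decode_uac before writing it back is a cheap way to catch the carry: a computer account that suddenly shows UF_DONT_REQUIRE_PREAUTH has been edited by addition twice.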