  • 7 replies
  • Latest Post - 2019-08-22T12:53:21Z by DeepikaV
ipt_clu

Kerberos: DataPower does not send etype in AS_REQ

2015-05-04T12:23:18Z | as_req etype kerberos

All,

we have set up DataPower as described in http://www.ibm.com/developerworks/websphere/library/techarticles/1207_mcmahon/1207_mcmahon.html, i.e. the user authenticates with HTTP Basic Auth and DataPower acts as a Kerberos client.

The KDC's answer to the AS_REQ leads to the DataPower error message:

get-apreq: Kerberos KDC did not support any of our ticket encryption types.

Looking into the AS_REQ message sent from DataPower, I don't see any etype (encryption type); see the attached file AS_REQ_no_etype.png.

I am no expert in the Kerberos protocol.

  1. Is the etype required in the AS_REQ, or could the KDC assume a default encryption type if none is specified in the request?
  2. Can / Does DataPower usually send the etype within AS_REQ?
  3. If so, where do the etype values come from? The keytab file?

Best regards

Christian

  • ipt_clu

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2015-05-06T09:16:59Z

    Usually, kinit can be configured to use default encryption types. This is done by specifying these values in a Kerberos config file (http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html):

    [libdefaults]
    default_realm = ***********
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

    Is there a way to specify a kerberos config file or the default encryption types on an XI52?

  • HermannSW

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2015-05-06T10:32:20Z

    In reply to ipt_clu, 2015-05-06T09:16:59Z:

    > Usually, kinit can be configured to use default encryption types. This is done by specifying these values in a Kerberos config file (http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html):
    >
    > [libdefaults]
    > default_realm = ***********
    > default_tkt_enctypes = rc4-hmac
    > default_tgs_enctypes = rc4-hmac
    > permitted_enctypes = rc4-hmac
    >
    > Is there a way to specify a kerberos config file or the default encryption types on an XI52?

    I cannot answer, and the developers I notified seem to be very busy with next major release work; please create a PMR to get an answer.

  • KrithikaPrakash

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2015-05-08T23:09:00Z

    > get-apreq: Kerberos KDC did not support any of our ticket encryption types.

    You typically get this message in two cases:

    1) When the SPN and the keytab do not match. Make sure that the keytab file has the correct version and a matching principal name that corresponds to the SPN.

    2) While creating the keytab, if you have used an encryption type that is not supported. How did you create the keytab file? (You can control the algorithm using the -crypto parameter of the ktpass command.)

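    As an added example (not code from this thread or from DataPower), the following Python parser reads an MIT-format keytab and lists, per principal and key version (kvno), which enctypes it actually carries. That is the concrete version of the check in the reply above (keytab principal and kvno must match the SPN) and also shows where candidate enctypes live on the client side, which the original post's third question asks about. build_keytab only produces constructed test data with dummy key bytes; the principal names and realm are assumed.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757) as stored in keytab keyblocks
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):  # 16-bit length-prefixed octet string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry of an MIT keytab (version 0x0502)."""
    assert data[:2] == b"\x05\x02", "not a version-2 MIT keytab"
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:               # negative size = deleted slot of |size| bytes; zero = nothing more
            off += -size or len(data)
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)  # name_type, timestamp, vno8, keyblock
        off += 13 + klen            # skip past the key bytes without keeping them
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        off = end
    return entries

def enctypes_for(entries, spn):  # kvno -> sorted enctype names held for spn; {} if the SPN is absent
    by_kvno = {}
    for princ, kvno, etype in entries:
        if princ == spn:
            by_kvno.setdefault(kvno, []).append(ENCTYPE_NAMES.get(etype, f"etype-{etype}"))
    return {k: sorted(v) for k, v in by_kvno.items()}

def build_keytab(entries):  # constructed test data: (principal, kvno, enctype, key) tuples -> keytab bytes
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@")
        body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
        for comp in name.split("/"):
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key  # NT-PRINCIPAL, timestamp 0
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return bytes(out)
```

    Run parse_keytab on the bytes of an exported keytab and compare the result of enctypes_for for the failing SPN with the enctypes the AD account allows; an SPN that is missing, has a stale kvno, or carries only RC4 keys explains the error above.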

  • ipt_clu

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2015-06-10T08:34:21Z

    In reply to KrithikaPrakash, 2015-05-08T23:09:00Z:

    > > get-apreq: Kerberos KDC did not support any of our ticket encryption types.
    >
    > You typically get this message in two cases:
    >
    > 1) When the SPN and the keytab do not match. Make sure that the keytab file has the correct version and a matching principal name that corresponds to the SPN.
    >
    > 2) While creating the keytab, if you have used an encryption type that is not supported. How did you create the keytab file? (You can control the algorithm using the -crypto parameter of the ktpass command.)

    Which encryption types are supported by DataPower? We got it working with RC4-HMAC-NT but not with AES256.

    Updated on 2015-06-10T08:35:01Z by ipt_clu
  • peripatetic

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2017-03-08T10:21:16Z

    Hi

    Did anyone ever get a resolution on this?

    I have the exact same problem with the etype being empty on the request to the KDC.

  • vincec

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2018-10-11T19:58:15Z

    In reply to ipt_clu, 2015-06-10T08:34:21Z:

    > Which encryption types are supported by DataPower? We got it working with RC4-HMAC-NT but not with AES256.

    Had the same issues.

    To enable AES256 encryption you have to enable it on the AD side. In a command prompt on any machine connected to the AD you need to work with, type "setspn -q http/<the address>".

    You will see which domain user is registered for that address. In AD, there's a checkbox to enable AES 128 and AES 256 support. In the negotiation process it will choose the stronger encryption, AES over RC4.

  • DeepikaV

    Re: Kerberos: DataPower does not send etype in AS_REQ

    2019-08-22T12:53:21Z

    In reply to vincec, 2018-10-11T19:58:15Z:

    > Had the same issues.
    >
    > To enable AES256 encryption you have to enable it on the AD side. In a command prompt on any machine connected to the AD you need to work with, type "setspn -q http/<the address>".
    >
    > You will see which domain user is registered for that address. In AD, there's a checkbox to enable AES 128 and AES 256 support. In the negotiation process it will choose the stronger encryption, AES over RC4.

    Hi,

    I also had a similar problem.

    My keytab has all options enabled.

    When I tried to get a SPNEGO token using get-kerberos-apreq(), it was able to give an apreq-base64 token for some server SPNs, and for some it was not able to provide one.

    It shows the error below for the servers which are not able to give a token:

    <kerberos-error>get-apreq: Kerberos KDC did not support any of our ticket encryption types</kerberos-error>

    May I know why it's behaving like that? I used the same keytab for all calls shown below, but the server SPN varies dynamically based on the FSH port.

    <!-- Look up the backend host for the front-side port this request arrived on -->
    <xsl:variable name="vRouting" select="document('mapping.xml')"/>
    <xsl:variable name="port" select="substring-after(dp:variable('var://service/local-service-address'), ':')"/>
    <xsl:variable name="vBackendHost" select="$vRouting/Routing/Route[Port=$port]/Destination"/>
    <!-- Server SPN is built per request from the backend host; $dpconfig:realm and $options are not defined in this excerpt -->
    <xsl:variable name="kerb_server_spn" select="concat('HTTP/', $vBackendHost, $dpconfig:realm)"/>

    <!-- Client principal and keytab name are taken from request headers -->
    <xsl:variable name="kerb_client_spn" select="dp:http-request-header('SPN')"/>
    <xsl:variable name="vKeytab" select="dp:http-request-header('Keytab')"/>

    <!-- Request the AP-REQ (SPNEGO token) for the client principal against the dynamic server SPN -->
    <xsl:variable name="kerb_apreq" select="dp:kerberos-get-apreq($kerb_client_spn, concat('keytabname:', $vKeytab), $kerb_server_spn, $options)"/>

    Could you please guide me on this: how to resolve it, and where we can check for this, on the DataPower or the AD side?

    How do I download the keytab file from DataPower?

    Where can I see the data in krb5.conf on DataPower? How?

    Thanks in advance.

    Updated on 2019-08-22T13:27:32Z by DeepikaV