If you run either the IBM JRE kinit utility or the UNIX kinit utility to obtain a Kerberos ticket, you must edit the client krb5.conf or krb5.ini configuration file to specify the encryption algorithms that Microsoft Active Directory requires.
- Locate the krb5.conf or krb5.ini file. For more information, see ELM client configuration for Kerberos/SPNEGO SSO.
- Open the file and go to the [libdefaults] section.
- To include support for Advanced Encryption Standard 128-bit (AES-128) and Rivest Cipher 4 (RC4) encryption, add the following lines:
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
  Note: For optimal security, avoid Data Encryption Standard (DES) encryption, which is considered insecure.
- To include support for Advanced Encryption Standard 256-bit (AES-256) encryption in addition to AES-128 and RC4 encryption, add the following lines instead:
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
- Optional: To verify the encryption types that are used for the Kerberos session key and ticket for each credential in the ticket cache file, or for each key in the keytab file, run the IBM JRE klist -e command. Alternatively, on UNIX systems, you can run the UNIX klist -e command.
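As an added example (not part of this documentation or of ELM), the following Python script parses the [libdefaults] section of a krb5.conf file and reports whether the three enctype settings above are present, list an AES enctype, and are free of single-DES enctypes; the two embedded krb5.conf samples are constructed for the example, one with the weak DES settings and one with the AES-256 lines from this page.

```python
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AES_ENCTYPES = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"}

# Constructed sample files (assumption: not taken from any real host).
WEAK_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-crc rc4-hmac
    permitted_enctypes = des-cbc-crc rc4-hmac
"""
HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""

def parse_libdefaults(text):
    """Return {key: [enctype, ...]} for the enctype keys found in [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # krb5.conf comments start with '#'
        if m := re.match(r"\[(\w+)\]$", line):  # section header such as [libdefaults]
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ENCTYPE_KEYS:
            found[key.strip()] = value.split()  # enctypes are space-separated
    return found

def audit_enctypes(text):
    """Return findings; an empty list means the section matches the page's guidance."""
    found, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS:
        if key not in found:
            findings.append(f"{key}: not set in [libdefaults]")
            continue
        des = [t for t in found[key] if t.startswith("des-")]  # single DES only
        if des:
            findings.append(f"{key}: single-DES enctype(s) present: {' '.join(des)}")
        if not AES_ENCTYPES & set(found[key]):
            findings.append(f"{key}: no AES enctype listed")
    return findings
```

Run audit_enctypes on the contents of the client's krb5.conf or krb5.ini; the weak sample yields six findings and the hardened sample none.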