Thread: BES 5.0 and LDAP and WEBDESKTOP
View Single Post
Old 09-07-2009, 06:08 AM   #48
nobody7290
BlackBerry Extraordinaire
 
Join Date: Mar 2006
Model: 9700
Carrier: t-mobile Germany
Posts: 1,381
Default
Dont know, but google "knows" many things.
Did you read this ?

Quote google search for "KDC has no support for encryption type (14)":

Code:
javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14) - KDC has no support for encryption type
Cause 1: Your KDC does not support the encryption type requested.

Solution 1: Sun's implementation of Kerberos supports the following encryption types: des-cbc-md5, des-cbc-crc and des3-cbc-sha1.

Applications can select the desired encryption type by specifying following tags in the Kerberos Configuration file krb5.conf:

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
  
If not specified, the default value is:
des-cbc-md5 des-cbc-crc des3-cbc-sha1
  
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01  ( default is 0 )
By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.
Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01
Did you try that change in the registry ?
Last edited by nobody7290; 09-07-2009 at 06:10 AM..
Offline   Reply With Quote