Kinit Fails to Generate Keytab - Exception: krb_error 14 - in Windows 2008R2 Domain


I ran into this issue specifically when setting up a Kerberos ticket for the Teamworks 6.2.2 (JBoss) service account running on Windows 2003R2 in a Windows 2008R2 domain. The reason I need Kerberos here is so that a Web Part on a SharePoint 2010 server can pass through authentication from the user (the infamous double-hop delegation issue).

Windows 2008R2 domain controllers no longer support the older DES encryption used by Teamworks 6.x for Kerberos ticket encryption (DES-CBC-CRC). Bamf. Roadblock.

Here is the error I get when I try to run the kinit command to set up the Kerberos ticket for the Teamworks service account:

C:\Program Files (x86)\Support Tools>C:\Teamworks\java_x64\bin\kinit -k -t C:\Teamworks\sso.keytab HTTP/TWServer@MYDOMAIN.LOCAL
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:308)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:239)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 4 more

krb_error 14 points to an issue with the encryption types. Googling led me to the fact that Windows 2008R2 no longer supports DES encryption types used by Teamworks/jboss.
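Before blaming the KDC it helps to confirm what the keytab itself contains: krb_error 14 (KDC_ERR_ETYPE_NOSUPP) simply means every key type the client offered is one the KDC refuses, and for the `kinit -k -t` case those key types come straight from the keytab. The following Python script is an added example, not code from the original post or from Teamworks: it parses the MIT keytab format (version 0x0502, which ktpass and ktutil both write) and reports which entries use DES enctypes (des-cbc-crc is type 1, des-cbc-md5 is type 3). The keytab it builds in memory is constructed with dummy key bytes so the example runs offline; the `WINDOWS_2008R2_DEFAULT` set (AES and RC4 only, DES off by default) is an assumption drawn from the post's description.

```python
import struct

# Kerberos encryption-type numbers from the IANA/RFC 3961 registry.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KDC_ERR_ETYPE_NOSUPP = 14                   # the krb_error code in the post
WINDOWS_2008R2_DEFAULT = {17, 18, 23}       # assumption: DES disabled, AES/RC4 on
WINDOWS_2003R2_DEFAULT = {1, 3, 23}         # assumption: DES still offered


def _cstr(data: bytes) -> bytes:
    """Counted octet string as used in keytabs: uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Build a version-0x0502 keytab in memory from (principal, kvno, enctype, key) tuples.
    Constructed for this example only; real keytabs come from ktpass/ktutil."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _cstr(realm.encode())
        for comp in components:
            body += _cstr(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type=1 (NT-PRINCIPAL), timestamp=0, vno8
        body += struct.pack(">H", enctype) + _cstr(key)   # keyblock: type + counted key bytes
        body += struct.pack(">I", kvno)                    # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(blob: bytes):
    """Parse a version-0x0502 keytab; returns one dict per entry, never the key bytes."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", blob, p); p += 2
        (rlen,) = struct.unpack_from(">H", blob, p); p += 2
        realm = blob[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, p); p += 2
            comps.append(blob[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, p); p += 9
        enctype, klen = struct.unpack_from(">HH", blob, p); p += 4
        p += klen                          # skip the secret key material
        kvno = struct.unpack_from(">I", blob, p)[0] if end - p >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown(%d)" % enctype),
        })
        pos = end
    return entries


def unsupported_enctypes(entries, kdc_supported):
    """Enctypes present in the keytab that the KDC will refuse (the cause of krb_error 14)."""
    return sorted({e["enctype"] for e in entries} - set(kdc_supported))


if __name__ == "__main__":
    # Constructed sample: the post's principal with a DES key, as an old ktpass run would produce.
    keytab = build_keytab([("HTTP/TWServer@MYDOMAIN.LOCAL", 3, 1, b"\x01" * 8)])
    found = parse_keytab(keytab)
    for e in found:
        print("%-32s kvno=%d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    bad = unsupported_enctypes(found, WINDOWS_2008R2_DEFAULT)
    if bad:
        print("KDC would answer krb_error %d for enctypes: %s"
              % (KDC_ERR_ETYPE_NOSUPP, [ENCTYPE_NAMES[t] for t in bad]))
```

Run it against a real file with `parse_keytab(open("sso.keytab", "rb").read())`. If the only entries are DES, the 2008R2 DC cannot issue a ticket whatever the client does; the durable fix is to regenerate the keytab with an enctype the KDC accepts rather than re-enable DES on the domain controllers.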

From there I tried enabling a workaround posted by Microsoft but it doesn’t seem to have any effect, even after rebooting all servers in the domain:

http://support.microsoft.com/kb/977321

As a last-ditch effort, I ended up adding a Windows 2003R2 BDC to my domain and tried pointing kinit to the new BDC. It worked. When I ran the kinit command, it automatically picked up the BDC instead of the PDC and generated the ticket successfully. After that, everything came up fine - Kerberos authentication worked from IIS/SharePoint 2010 to Teamworks, giving me SSO from my Teamworks inbox Web Part.

Updated: