Kinit Fails to Generate Keytab - Exception: krb_error 14 - in Windows 2008R2 Domain
Windows 2008R2 domain controllers no longer support the older DES encryption type (DES-CBC-CRC) that Teamworks 6.x uses for Kerberos ticket encryption. Bamf. Roadblock.
Here is the error I get when I try to run the kinit command to set up the Kerberos ticket for the Teamworks service account:
amworks\sso.keytab HTTP/TWServer@MYDOMAIN.LOCAL
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:308)
at sun.security.krb5.internal.tools.Kinit.
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.
at sun.security.krb5.KrbAsRep.
... 4 more
krb_error 14 points to an issue with the encryption types. Googling led me to the fact that Windows 2008R2 no longer supports the DES encryption types used by Teamworks/JBoss.
From there I tried enabling a workaround posted by Microsoft but it doesn’t seem to have any effect, even after rebooting all servers in the domain:
http://support.microsoft.com/kb/977321
As a last-ditch effort, I ended up adding a Windows 2003R2 BDC to my domain and tried pointing kinit to the new BDC. It worked. When I ran the kinit command, it automatically picked up the BDC instead of the PDC and generated the ticket successfully. After that, everything came up fine - Kerberos authentication worked from IIS/SharePoint 2010 to Teamworks, giving me SSO from my Teamworks inbox web part.
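A check worth running before reaching for the KB977321 workaround or a down-level BDC: which encryption types does the service account actually offer the KDC? The snippet below is an added PowerShell example, not code from the original post or from Teamworks. It decodes the account's msDS-SupportedEncryptionTypes bitmask (bit values from MS-KILE) and flags accounts that can only negotiate DES, which is the condition a 2008R2 KDC answers with error 14 (KDC_ERR_ETYPE_NOSUPP in RFC 4120). It assumes the ActiveDirectory module is available, and the account name is a placeholder.

```powershell
# Added example, not part of the original post. Decodes an AD account's
# msDS-SupportedEncryptionTypes bitmask and reports whether the account is
# limited to DES, the cause of krb_error 14 (KDC_ERR_ETYPE_NOSUPP) against a
# Windows 2008R2 KDC. Bit values per MS-KILE section 2.2.7.
function Get-KerberosEncryptionTypes {
    param([int]$Bitmask)

    $known = [ordered]@{
        0x01 = 'DES-CBC-CRC'
        0x02 = 'DES-CBC-MD5'
        0x04 = 'RC4-HMAC'
        0x08 = 'AES128-CTS-HMAC-SHA1-96'
        0x10 = 'AES256-CTS-HMAC-SHA1-96'
    }

    # Collect the names of every enctype bit that is set.
    $types = foreach ($bit in $known.Keys) {
        if ($Bitmask -band $bit) { $known[$bit] }
    }

    # An unset attribute (0) means the KDC falls back to its default, RC4-HMAC on 2008R2.
    if (-not $types) { $types = @('RC4-HMAC (attribute unset, KDC default)') }

    # DES-only: something is set, and nothing outside the two DES bits (0x03) is set.
    $desOnly = ($Bitmask -ne 0) -and (($Bitmask -band -bnot 0x03) -eq 0)
    $note = if ($desOnly) {
        'Only DES offered: a 2008R2 KDC returns krb_error 14 unless DES is re-enabled (KB977321)'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Bitmask         = ('0x{0:X}' -f $Bitmask)
        EncryptionTypes = $types
        DesOnly         = $desOnly
        Note            = $note
    }
}

# Usage against a real account (ActiveDirectory module; sAMAccountName is a placeholder).
# Also reads the USE_DES_KEY_ONLY userAccountControl flag (0x200000), set by the
# "Use Kerberos DES encryption types for this account" checkbox, which restricts
# the account to DES regardless of the bitmask.
$acct = Get-ADUser -Identity 'svc_teamworks_placeholder' `
    -Properties 'msDS-SupportedEncryptionTypes', 'userAccountControl'

Get-KerberosEncryptionTypes -Bitmask ([int]$acct.'msDS-SupportedEncryptionTypes')

if ($acct.userAccountControl -band 0x200000) {
    'USE_DES_KEY_ONLY is set on this account; the KDC will only issue DES keys for it'
}
```

If the account turns out to be DES-only, the narrower fix is on the account rather than the domain: where the application can handle it, set the RC4 or AES bits (or clear the DES-only checkbox) so the service principal negotiates a type the 2008R2 KDC accepts, instead of re-enabling DES on every domain controller.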