KDC has no support for encryption type on ASA 9.18(4)22

sdazBenjamin
Level 1

I'm trying to authenticate SSH/HTTP with Kerberos on ASA 9.18(4)22.
Not sure if it's a license issue; I don't think so, but I also do not have Security Plus for this license.
Not sure where to configure which protocols to use for Kerberos.

I do have strong encryption enabled:

vpn1(config)# show run license
license smart
 feature tier standard
 feature strong-encryption

show version:
...
Encryption-DES                    : Enabled
Encryption-3DES-AES               : Enabled
...

With debug kerb 255 on, the interesting lines are:

...
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des3-cbc-sha1
...
Kerberos library reports: "KDC has no support for encryption type"

Full output, slightly modified:

vpn1(config)# kerberos mkreq: 0xbb9
kip_lookup_by_sessID: kip with id 3001 not found
alloc_kip 0x00007fe2efc47768
    new request 0xbb9 --> 132 (0x00007fe2efc47768)
add_req 0x00007fe2efc47768 session 0xbb9 id 132
In kerberos_build_request
In kerberos_open_connection
In kerberos_close_connection
In kerberos_send_request

********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Option forwardable
Kerberos: Option renewable
Kerberos: Option renewable accepted
Kerberos: Client Name myUser
Kerberos: Client Realm MYREALM.COM
Kerberos: Server Name krbtgt
Kerberos: Start time 0
Kerberos: End time -16587664
Kerberos: Renew until time -241766656
Kerberos: Nonce 0x661d7db6
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des3-cbc-sha1
Kerberos: Address "ip address"
********** END: KERBEROS PACKET DECODE ************
In kerberos_recv_msg
In kerberos_process_response

********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_ERROR
Kerberos: Error type: Additional pre-authentication required, -1765328359 (0x96c73a19)
Kerberos: Encrypt Type: 23 (rc4-hmac-md5)
          Salt: ""   Salttype: 0
Kerberos: Preauthentication type unknown
Kerberos: Preauthentication type encrypt timestamp
Kerberos: Preauthentication type unknown
Kerberos: Preauthentication type unknown
Kerberos: Server time 1713208758
Kerberos: Realm MYREALM.COM
Kerberos: Server Name krbtgt
********** END: KERBEROS PACKET DECODE ************
Attempting to parse error response from kerberos server.
Kerberos library reports: "Additional pre-authentication required"
In kerberos_send_request

********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Preauthentication type encrypt timestamp
Kerberos: Option forwardable
Kerberos: Option renewable
Kerberos: Option renewable accepted
Kerberos: Client Name myUsername
Kerberos: Client Realm MYREALM.COM
Kerberos: Server Name krbtgt
Kerberos: Start time 0
Kerberos: End time -92281104
Kerberos: Renew until time -399656480
Kerberos: Nonce 0x661d7db6
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des3-cbc-sha1
Kerberos: Address OMMITTED
********** END: KERBEROS PACKET DECODE ************
In kerberos_recv_msg
In kerberos_process_response

********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_ERROR
Kerberos: Error type: KDC has no support for encryption type, -1765328370 (0x96c73a0e)
Kerberos: Server time 1713208758
Kerberos: Realm MYREALM.COM
Kerberos: Server Name krbtgt
********** END: KERBEROS PACKET DECODE ************
Attempting to parse error response from kerberos server.
Kerberos library reports: "KDC has no support for encryption type"
In kerberos_close_connection
remove_req 0x00007fe2efc47768 session 0xbb9 id 132
free_kip 0x00007fe2efc47768
kerberos: work queue empty
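
The debug output above can be summarised mechanically. This added example (not part of the original post) splits it into decoded packets, lists the encryption types offered in each KRB_AS_REQ, and converts the library error numbers to RFC 4120 error codes by subtracting the MIT krb5 error-table base. The function names and the "aes" substring check are assumptions of this example.

```python
import re
# Trimmed from the debug output quoted in the post (both AS exchanges).
SAMPLE = """\
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des3-cbc-sha1
********** END: KERBEROS PACKET DECODE ************
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_ERROR
Kerberos: Error type: Additional pre-authentication required, -1765328359 (0x96c73a19)
********** END: KERBEROS PACKET DECODE ************
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_AS_REQ
Kerberos: Encryption type rc4-hmac-md5
Kerberos: Encryption type des3-cbc-sha1
********** END: KERBEROS PACKET DECODE ************
********** START: KERBEROS PACKET DECODE ************
Kerberos: Message type KRB_ERROR
Kerberos: Error type: KDC has no support for encryption type, -1765328370 (0x96c73a0e)
********** END: KERBEROS PACKET DECODE ************
"""

KRB5_ERROR_BASE = -1765328384  # MIT krb5 com_err table base; code - base = RFC 4120 error code
RFC4120_ERRORS = {14: "KDC_ERR_ETYPE_NOSUPP", 25: "KDC_ERR_PREAUTH_REQUIRED"}
PACKET = re.compile(r"\*+ START: KERBEROS PACKET DECODE \*+\n(.*?)\*+ END: KERBEROS", re.S)

def parse_packets(text):
    """Split 'debug kerberos' output into one dict per decoded packet."""
    packets = []
    for body in PACKET.findall(text):
        pkt = {"type": None, "etypes": [], "error": None}
        for line in map(str.strip, body.splitlines()):
            if m := re.match(r"Kerberos: Message type (\S+)", line):
                pkt["type"] = m.group(1)
            elif m := re.match(r"Kerberos: Encryption type (\S+)", line):
                pkt["etypes"].append(m.group(1))
            elif m := re.match(r"Kerberos: Error type: (.+), (-\d+) \(0x", line):
                code = int(m.group(2)) - KRB5_ERROR_BASE
                pkt["error"] = (code, RFC4120_ERRORS.get(code, m.group(1)))
        packets.append(pkt)
    return packets

def summarize(text):
    """Etypes the client offered in AS-REQs, and the KDC errors that came back."""
    pkts = parse_packets(text)
    offered = sorted({e for p in pkts if p["type"] == "KRB_AS_REQ" for e in p["etypes"]})
    errors = [p["error"] for p in pkts if p["type"] == "KRB_ERROR" and p["error"]]
    # Assumption: an AES etype, if offered, would be printed with "aes" in its name.
    return {"offered": offered, "offers_aes": any("aes" in e for e in offered), "errors": errors}
```

On the quoted output, `summarize(SAMPLE)` reports that the AS-REQs offered only rc4-hmac-md5 and des3-cbc-sha1, and that the KDC answered with error 25 and then error 14.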