Hi!
I am facing an interesting issue. After the Access Manager upgrade we have noticed that Kerberos SSO has stopped working.
The reason is that Kerberos tickets issued by DSfW use encryption type 23 (encryption types are defined here: https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#kerberos-parameters-1), which is deprecated and now also unsupported by Access Manager.
Looking at /var/opt/novell/log/oes/dsfw/kdc.log I can see the following line:
May 22 10:48:30 dsfw krb5kdc[2388](info): TGS_REQ (5 etypes {18 17 23 24 -135}) <client IP>: ISSUE: authtime 1716366332, etypes {rep=23 tkt=23 ses=23}, sebastijan@EXAMPLE.COM for am@EXAMPLE.COM
As we can see, requested etypes were 18 17 23 24 but issued etype was 23.
The resulting output of the klist command on the client is (see KerbTicket Encryption Type):
#1> Client: sebastijan @ EXAMPLE.COM
Server: HTTP/am.example.com @ EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a90000 -> forwardable renewable pre_authent name_canonicalize 0x80000
Start Time: 5/22/2024 10:48:30 (local)
End Time: 5/22/2024 20:25:32 (local)
Renew Time: 5/29/2024 10:25:32 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: dsfw.example.com
Interestingly, Kerberos tickets for DSfW services are issued with etype 18.
The line in /var/opt/novell/log/oes/dsfw/kdc.log:
May 22 10:29:31 dsfw krb5kdc[2388](info): TGS_REQ (5 etypes {18 17 23 24 -135}) <IP>: ISSUE: authtime 1716366332, etypes {rep=23 tkt=18 ses=18}, sebastijan@EXAMPLE.COM for DSFW$@EXAMPLE.COM
Looking at that Kerberos ticket on the client, we see AES-256-CTS-HMAC-SHA1-96 as the encryption type:
#3> Client: sebastijan @ EXAMPLE.COM
Server: ldap/dsfw.example.com @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40ad0000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 0x80000
Start Time: 5/22/2024 10:29:31 (local)
End Time: 5/22/2024 20:25:32 (local)
Renew Time: 5/29/2024 10:25:32 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dsfw.example.com
Has anybody else seen something like that?
Or, to rephrase: how do I persuade the DSfW KDC to issue Kerberos tickets for AM with the proper etype (18 - AES-256-CTS-HMAC-SHA1-96)?
Kind regards,
Sebastijan
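As an added example that is not part of the original post: a small Python parser for the kdc.log ISSUE lines quoted above, which flags service principals whose tickets were encrypted with a deprecated etype even though the client offered AES. The log text and the 192.0.2.10 address are constructed stand-ins for the quoted lines, and the third (AS_REQ) line is an assumed extra entry.

```python
import re

# Constructed sample modelled on the kdc.log lines quoted in the post
# (client address replaced by 192.0.2.10; the AS_REQ line is assumed).
SAMPLE_LOG = """\
May 22 10:48:30 dsfw krb5kdc[2388](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.10: ISSUE: authtime 1716366332, etypes {rep=23 tkt=23 ses=23}, sebastijan@EXAMPLE.COM for am@EXAMPLE.COM
May 22 10:29:31 dsfw krb5kdc[2388](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 192.0.2.10: ISSUE: authtime 1716366332, etypes {rep=23 tkt=18 ses=18}, sebastijan@EXAMPLE.COM for DSFW$@EXAMPLE.COM
May 22 10:50:02 dsfw krb5kdc[2388](info): AS_REQ (4 etypes {18 17 23 24}) 192.0.2.10: ISSUE: authtime 1716366602, etypes {rep=18 tkt=18 ses=18}, sebastijan@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# IANA Kerberos encryption type numbers (subset); negative values are
# vendor-private and are left unnamed here.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
# DES and RC4 etypes are deprecated (RFC 6649 / RFC 8429).
WEAK_ETYPES = {1, 2, 3, 23, 24}

ISSUE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) \S+: ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def parse_issue(line):
    """Parse one MIT-style ISSUE line into a dict, or None if it is not one."""
    m = ISSUE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"kind": d["kind"], "client": d["client"], "service": d["service"],
            "offered": [int(x) for x in d["offered"].split()],
            "rep": int(d["rep"]), "tkt": int(d["tkt"]), "ses": int(d["ses"])}

def find_downgrades(log_text):
    """Return (service, tkt_etype) for tickets encrypted with a weak etype
    although the client offered a strong one. The ticket etype is bounded by
    the key types stored for the service principal, so such a hit points at
    that principal's keys rather than at the client's request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_issue(line)
        if rec is None:
            continue
        offered_strong = any(e > 0 and e not in WEAK_ETYPES for e in rec["offered"])
        if rec["tkt"] in WEAK_ETYPES and offered_strong:
            findings.append((rec["service"], rec["tkt"]))
    return findings

if __name__ == "__main__":
    for service, tkt in find_downgrades(SAMPLE_LOG):
        print(f"{service}: ticket issued with {ETYPE_NAMES.get(tkt, tkt)} although AES was offered")
```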