I am trying to create an AES-256 encrypted Kerberos token from a Linux server (the server is not domain joined). I am using a keytab which I have generated using the kinit command. When I use RC4-HMAC, both the TGT and TGS tickets are generated properly. But with AES-256, after a struggle, even if I am able to generate the TGT ticket, TGS ticket generation is still failing.
I have checked that AES-256 and AES-128 are both added to my profile in Active Directory, as this solution had suggested.
Below are my commands:

krb5.conf is set up to support only AES-256:

    default_tkt_enctypes = aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96

Generate the keytab with ktutil:

    add_entry -password -p <my UPN>@<MY DOMAIN IN CAPS> -k 1 -e aes256-cts-hmac-sha1-96

- Print the salt with the `list -e` command

    add_entry -key -p <my SAMAccountName>@<MY DOMAIN IN CAPS> -k 1 -e aes256-cts-hmac-sha1-96

- Enter the salt

    write_kt <keytab name>
Matching the salt is important, since ktutil's salt algorithm is different from Active Directory's. The suggested solution is here.
Generate the TGT ticket:

    kinit -kt <my keytab> <my SAMAccountName>@<MY DOMAIN IN CAPS> -c krb5cache

Generate the TGS ticket:

    env KRB5_CONFIG=krb5.conf KRB5_TRACE=/dev/stdout KRB5CCNAME=krb5cache kvno HTTP/my.website.com

That's where it fails with the "KDC has no support for encryption type" error:

    kvno: KDC has no support for encryption type while getting credentials for HTTP/my.website.com@[MY DOMAIN IN CAPS]
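A first check in this situation is to confirm which enctypes the keytab actually holds for each principal, independently of what `klist -kte` prints. The script below is an added example, not code from the post above: it builds a version 0x0502 (MIT-format) keytab in memory from constructed entries with placeholder key bytes, parses it back field by field, and reports the enctypes present and missing per principal. The principals `alice@EXAMPLE.COM` and `HTTP/web.example.com@EXAMPLE.COM` and every key value are constructed for illustration.

```python
"""Build and inspect an MIT-format (version 0x0502) keytab entirely in memory.

Added example: the entries, principals and key bytes are constructed
placeholders, not keys derived from any password or Active Directory account.
"""
import struct

# Kerberos enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # rc4-hmac
}
EXPECTED_KEY_LEN = {17: 16, 18: 32, 23: 16}


def _octet_string(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_octet_string(buf: bytes, pos: int):
    """Decode a counted_octet_string at pos; return (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Encode one keytab entry for 'comp1/comp2@REALM' (name type NT-PRINCIPAL = 1)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octet_string(realm.encode())
    for component in components:
        body += _octet_string(component.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, timestamp, 8-bit vno
    body += struct.pack(">H", enctype) + _octet_string(key)  # keyblock: enctype + key
    body += struct.pack(">I", kvno)                          # 32-bit vno (0x0502 extension)
    return struct.pack(">i", len(body)) + body               # signed entry-length prefix


def build_keytab(entries) -> bytes:
    """Concatenate the 2-byte version header and the encoded entries."""
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Decode every live entry of a version-0x0502 keytab into a dict."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        entry, p = data[pos:pos + size], 0
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, p)
        p += 2
        realm, p = _read_octet_string(entry, p)
        components = []
        for _ in range(ncomp):
            component, p = _read_octet_string(entry, p)
            components.append(component.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        p += 2
        key, p = _read_octet_string(entry, p)
        kvno = vno8
        if p + 4 <= size:            # the 32-bit vno is present when the entry has room for it
            (kvno,) = struct.unpack_from(">I", entry, p)
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "key": key, "timestamp": timestamp,
            "name_type": name_type,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "key_length_ok": EXPECTED_KEY_LEN.get(enctype) == len(key),
        })
    return entries


def enctypes_for(entries, principal: str):
    """Set of enctype numbers the keytab carries for one principal."""
    return {e["enctype"] for e in entries if e["principal"] == principal}


def missing_enctypes(entries, principal: str, wanted):
    """Enctypes the client is configured for that the keytab lacks for this principal."""
    return set(wanted) - enctypes_for(entries, principal)


# Constructed sample keytab: one user with RC4 and AES-256 keys, one service with RC4 only.
SAMPLE_KEYTAB = build_keytab([
    ("alice@EXAMPLE.COM", 1, 23, bytes(range(16)), 1700000000),
    ("alice@EXAMPLE.COM", 1, 18, bytes(range(32)), 1700000000),
    ("HTTP/web.example.com@EXAMPLE.COM", 3, 23, bytes(range(16)), 1700000000),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for e in parsed:
        print(f"{e['kvno']:>3} {e['principal']:<36} {e['enctype_name']:<24} keylen_ok={e['key_length_ok']}")
    # With default_tgs_enctypes restricted to aes256, the service entry is the one that falls short.
    print("missing for HTTP/web.example.com:",
          missing_enctypes(parsed, "HTTP/web.example.com@EXAMPLE.COM", {18}))
```

Point `parse_keytab` at the bytes of a real keytab file to get the same per-entry report. One caveat worth keeping in mind when reading the result: the keytab only shows what the client holds for its own principal. A service ticket is encrypted with the target service's key, so a TGS request restricted to `aes256-cts-hmac-sha1-96` also needs the service principal (here `HTTP/my.website.com`) to have an AES key on the KDC side; a user account that has AES enabled does not by itself satisfy that.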