Users cannot connect to Universal Type Server using Kerberos single sign-on: “The encryption type requested is not supported by the KDC”
When attempting to connect to Universal Type Server using Kerberos single sign-on, users may find themselves presented with a login dialog instead. The FMCore.log files will have messages like “KDC has no support for encryption type (14)” or “The encryption type requested is not supported by the KDC”.
UTS 3.0.2 and earlier require a keytab file; the keytab file holds the service principal name (SPN) and password in an encrypted form. For customers using Active Directory domain controllers, the SPN must have DES encryption support enabled and the keytab file must be generated with a DES encryption entry.
Newer versions of Windows and Mac OS X disable DES encryption for Kerberos authentication by default; on Windows Server 2008 R2, Windows 7, and Mac OS X 10.7 or later, DES encryption must be explicitly re-enabled, on client machines as well as on the server running UTS. In addition, there are known issues with DES encryption on servers and domain controllers running Windows Server 2008 R2 that require applying one or more hotfixes or installing Service Pack 1 for Windows Server 2008 R2.
NOTE: Beginning with UTS 3.1, single sign-on using Kerberos can be configured without a keytab file.
Determining if Kerberos single sign-on is working
The best practice for testing Kerberos single sign-on is to end the current client session in UTS, stop the Universal Type Core, remove the client datastore in Universal Type Client, flush the Kerberos ticket cache, and relaunch UTC:
- Open a web browser and start the Server Administration application.
- Click Users in the menu at the left.
- Check the checkbox for the user session then click Force Logout Selected Users.
- To stop the type core in Mac OS X, open Activity Monitor, select the FMCore process, and click Quit Process.
- To stop the type core in Windows, open Task Manager, select the FMCore.exe process, and click End Process.
- To remove the client datastore on Mac OS X, go to /Library/Extensis/UTC and remove the folder named for the numeric UID or UUID of the user account.
- To remove the client datastore on Windows, go to \Users\username\AppData\Local\Extensis\UTC\ (or C:\Documents and Settings\username\Local Settings\Application Data\Extensis\UTC\ in Windows XP) and delete the cache folder.
- Verify that a client configuration file has been set up with the UTS server’s IP address and port number. For more information, see How to set up a Universal Type Client configuration file.
- Flush the Kerberos ticket cache by logging out and logging back in.
If single sign-on is successful, you should not see a login dialog when you launch UTC; the client window should appear and UTC will begin syncing with UTS.
Enabling DES encryption on Windows 7 and Windows Server 2008 R2
When connecting to UTS from a client running on Windows 7, you may get “An unknown error occurred”; the FMCore.log from UTC will have the error message “The encryption type requested is not supported by the KDC.”
In Windows 7 and Windows Server 2008 R2, certain encryption types used by UTS for Kerberos authentication are disabled by default. For more information regarding this configuration change, refer to: http://support.microsoft.com/kb/977321
To enable support for these encryption types in Windows 7 and Windows Server 2008 R2:
- Open Local Security Policy.
- Go to Computer Configuration, then Windows Settings, then Security Settings, then Local Policies, then Security Options.
- Click to select the “Network security: Configure encryption types allowed for Kerberos” option.
- Click to select “Define these policy settings” and check all six check boxes for the encryption types.
- Click OK, then close Local Security Policy.
NOTE: This setting can also be applied as a global policy in Group Policy Management Console.
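The policy above is stored as a single DWORD bitmask, so the quickest way to confirm that the six check boxes actually took effect on a client or server (or that a Group Policy refresh did not overwrite them) is to read the value back and decode it. The script below is an added example, not Extensis code; the bit values and registry location it uses are the ones Microsoft documents in KB 977321 (linked above), not something this page states. The sample `reg query` output is constructed.

```python
"""Encode and decode the Kerberos "SupportedEncryptionTypes" policy DWORD.

Bit values and registry location follow Microsoft KB 977321 (assumption:
taken from that article, not from this page):
  HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters
  value name: SupportedEncryptionTypes (REG_DWORD)
"""
import re

# One entry per check box in the Local Security Policy dialog, in dialog order.
ENCTYPE_BITS = (
    ("DES_CBC_CRC", 0x00000001),
    ("DES_CBC_MD5", 0x00000002),
    ("RC4_HMAC_MD5", 0x00000004),
    ("AES128_CTS_HMAC_SHA1_96", 0x00000008),
    ("AES256_CTS_HMAC_SHA1_96", 0x00000010),
    ("Future encryption types", 0x7FFFFFE0),
)
DES_MASK = 0x00000003  # the two DES boxes UTS 3.0.2 and earlier depend on

# Matches the value line printed by:  reg query <key> /v SupportedEncryptionTypes
REG_LINE_RE = re.compile(
    r"SupportedEncryptionTypes\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)")

# Constructed sample of what `reg query` prints after all six boxes are checked.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters
    SupportedEncryptionTypes    REG_DWORD    0x7fffffff
"""


def encode(checked):
    """DWORD for a set of checked box names; unknown names raise ValueError."""
    table = dict(ENCTYPE_BITS)
    value = 0
    for name in checked:
        if name not in table:
            raise ValueError("unknown encryption type: %s" % name)
        value |= table[name]
    return value


def decode(value):
    """Names of the encryption types enabled by a policy DWORD."""
    return [name for name, bit in ENCTYPE_BITS if value & bit == bit]


def des_enabled(value):
    """True when at least one DES type is allowed (what UTS <= 3.0.2 needs)."""
    return bool(value & DES_MASK)


def parse_reg_query(output):
    """Extract the DWORD from `reg query` output.

    Returns None when the value is absent, which means the policy is not
    defined and Windows 7 / Server 2008 R2 fall back to their defaults
    (no DES), exactly the state that produces the KDC error above."""
    m = REG_LINE_RE.search(output)
    if not m:
        return None
    return int(m.group(1), 0)


def report(output):
    """Human-readable summary of a `reg query` result."""
    value = parse_reg_query(output)
    if value is None:
        return "policy not defined: Windows defaults apply, DES disabled"
    return "0x%08X enables %s (DES %s)" % (
        value, ", ".join(decode(value)),
        "enabled" if des_enabled(value) else "disabled")


if __name__ == "__main__":
    print(report(SAMPLE_REG_OUTPUT))
    print(report("nothing here"))
```

Run `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" /v SupportedEncryptionTypes` on the machine and feed the output to `report()`; a value of 0x7FFFFFFF corresponds to all six boxes, while 0x1C (RC4 and the two AES types only) is the state that still rejects the DES-only keytab.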
Enabling DES encryption on Mac OS X 10.7 or later
When connecting to UTS from a client running on Mac OS X 10.7 or later, you may get “KDC has no support for encryption type”; Mac OS X 10.7 and later use a new Kerberos service that disables DES encryption by default.
To enable DES encryption in Mac OS X 10.7 and later:
- Open /Library/Preferences/edu.mit.Kerberos in a text editor.
- At the end of the “[libdefaults]” section, add the line “allow_weak_crypto = TRUE”.
- Save the file.
- Reboot the server.
If you get “KDC has no support for encryption type (14)” in AD domains with at least one Windows Server 2008 R2 domain controller
Domain controllers running on Windows Server 2008 R2 do not correctly replicate all of the information in a user record that comes from a domain controller running on Windows Server 2003. For more information, see http://support.microsoft.com/kb/978055.
An update must be applied to every Windows Server 2008 R2 domain controller in the domain. The hotfix can be downloaded from http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=978055&kbln=en-us; Service Pack 1 for Windows Server 2008 R2 contains the update as well.
If the user account for the SPN was created on a non-Windows Server 2008 R2 domain controller, delete the user account and recreate it on the Windows Server 2008 R2 controller, then regenerate the keytab file.
If you get “The encryption type requested is not supported by the KDC” with a Windows 2008 R2 domain controller and UTC on Windows XP
This error occurs because of an error in the Kerberos Key Distribution Center (KDC) service on domain controllers running on Windows Server 2008 R2. By default, the KDC service selects RC4 as the encryption method in the ticket-granting ticket (TGT) delegation if the Kerberized server and the client support the RC4 algorithm; this occurs even if DES encryption is configured as the preferred encryption method. For more information, see http://support.microsoft.com/kb/2274102.
An update must be applied to the Windows Server 2008 R2 running UTS. The hotfix can be downloaded from http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=2274102&kbln=en-us; Service Pack 1 for Windows Server 2008 R2 contains the update as well.
If Kerberos single sign-on still does not work
If you continue to have problems with configuring Kerberos single sign-on, contact Extensis Technical Support.
Related KB Articles:
- Troubleshooting Missing Originals in Portfolio NetPublish
- When users try to connect to Universal Type Server 4.0 on Windows with Universal Type Client 4.0 for Mac OS X, authentication fails
- Clients cannot connect to Portfolio Server for Windows until the server is rebooted
- The Account Does Not Have Administrator or Log On As A Service Privileges
- Authentication fails for Directory Service users in Universal Type Server 3 and later
- How to set up a Universal Type Client configuration file
- Font activation issues with Extensis font management products with FileVault full-disk encryption enabled on Mac OS X
- Some fonts are not visible in the Windows Fonts folder in Windows 7