Chunlai Tao Posted October 13, 2022 Share Posted October 13, 2022 from Microsoft, the crypto {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All} have multiple values, but from Tibco, i dont see the option, does anyone know if the spotfire support multiple protocol here?thanks Link to comment Share on other sites More sharing options...
Amresh Ashok Vanarse Posted October 17, 2022 Share Posted October 17, 2022 Yes, It is possible to use multiple crypto algorithms. The simplest way is to use Crypto parameter with the value "all" and define the encryption types in krb5.conf file. Below is the example of ktpass command to create the Keytab and krb5.conf file. Command to create Keytabktpass /princ HTTP/spotfireserver.test.com@TEST.COM /ptype krb5_nt_principal /crypto all /out spotfire-database.keytab -kvno 0 /pass Passw0rdkrb5.conf default_tkt_enctypes = aes128-cts,aes256-ctsdefault_tgs_enctypes = aes128-cts,aes256-ctsAlso make a note that The des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default in Java 17. https://support.tibco.com/s/article/Kerberos-authentication-fails-on-TIBCO-Spotfire-Server-when-RC4-HMAC-encryption-type-is-used Link to comment Share on other sites More sharing options...
Chunlai Tao Posted November 28, 2022 Author Share Posted November 28, 2022 thank you very much Link to comment Share on other sites More sharing options...
Chunlai Tao Posted November 29, 2022 Author Share Posted November 29, 2022 HI Amreshfirst thank you for your reply, hope everything is going well, i found this word from Tibco 10.10 websitehttps://docs.tibco.com/pub/spotfire_server/10.10.0/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/creating_a_keytab_file_for_the_kerberos_service_account.htmlit says: crypto algorithmCan be one of aes128-sha1 or aes256-sha1. Make sure that the selected crypto algorithm is also specified in the krb5.conf file.why it does not have "all" option? if all is working, what is "Key Type" value while run klist.exe -e spotfire.keytab ?thank you for you helpChunlai Link to comment Share on other sites More sharing options...
Amresh Ashok Vanarse Posted December 2, 2022 Share Posted December 2, 2022 Hello @Chunlai Tao You can refer to the Microsoft document which says "All" can be used for "Crypto" parameter. "All" States that all supported cryptographic types can be used.https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ktpassFor example, if you have used AES128 and AES256 encryption types in krb5.conf the Kerberos ticket will be issued by negotiating on any one of the encryption algorithms. ktpass -e will show you which encryption type was used for generating the credential cache. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now