Does Spotfire support multiple algorithms in a keytab?


Chunlai Tao

Yes, it is possible to use multiple crypto algorithms. The simplest way is to use the Crypto parameter with the value "all" and define the encryption types in the krb5.conf file. Below is an example of the ktpass command to create the keytab, and of the krb5.conf file.

Command to create Keytab

ktpass /princ HTTP/spotfireserver.test.com@TEST.COM /ptype krb5_nt_principal /crypto all /out spotfire-database.keytab -kvno 0 /pass Passw0rd

krb5.conf

default_tkt_enctypes = aes128-cts,aes256-cts

default_tgs_enctypes = aes128-cts,aes256-cts

Also note that the des3-hmac-sha1 and rc4-hmac Kerberos encryption types (etypes) are now deprecated and disabled by default in Java 17.

https://support.tibco.com/s/article/Kerberos-authentication-fails-on-TIBCO-Spotfire-Server-when-RC4-HMAC-encryption-type-is-used


  • 1 month later...

Hi Amresh,

First, thank you for your reply; I hope everything is going well. I found this wording on the TIBCO 10.10 website:

https://docs.tibco.com/pub/spotfire_server/10.10.0/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/creating_a_keytab_file_for_the_kerberos_service_account.html

It says: "crypto algorithm: Can be one of aes128-sha1 or aes256-sha1. Make sure that the selected crypto algorithm is also specified in the krb5.conf file."

Why does it not have an "all" option? If "all" works, what is the "Key Type" value when running klist.exe -e spotfire.keytab?

Thank you for your help.

Chunlai


Hello @Chunlai Tao

You can refer to the Microsoft document, which says "All" can be used for the "Crypto" parameter. "All" states that all supported cryptographic types can be used.

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

For example, if you have used the AES128 and AES256 encryption types in krb5.conf, the Kerberos ticket will be issued by negotiating on any one of the encryption algorithms.

ktpass -e will show you which encryption type was used for generating the credential cache.
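
The question above about which "Key Type" values a keytab created with /crypto all contains can be checked by reading the keytab entries directly. This is an added example, not code from the thread or from TIBCO: it parses keytab file format 0x0502 and compares each entry's etype with a krb5.conf enctypes line. The function names and the sample bytes are this example's own, and the sample is constructed.

```python
import struct

# Etype numbers from the IANA Kerberos registry, with short names as used in krb5.conf.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-hmac-sha1",
          17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def counted(buf, off):
    """Read a uint16 length-prefixed field; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype_number)] from a keytab in file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size <= 0:                  # negative size marks a deleted slot: skip it
            pos += 4 - size
            continue
        rec, pos = data[pos + 4:pos + 4 + size], pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = counted(rec, off)
            parts.append(part.decode())
        off += 8                       # skip name_type and timestamp (4 bytes each)
        kvno, etype = struct.unpack_from(">BH", rec, off)
        _key, off = counted(rec, off + 3)   # key material: never print or log it
        if len(rec) - off >= 4:        # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, etype))
    return entries

def audit(entries, conf_line):
    """Split the keytab's etypes into (permitted by conf_line, present but not permitted)."""
    allowed = {t.strip() for t in conf_line.split("=", 1)[1].split(",")}
    names = [ETYPES.get(e, f"etype-{e}") for _, _, e in entries]
    return [n for n in names if n in allowed], [n for n in names if n not in allowed]

def sample_entry(etype, keylen):
    """Constructed entry (not a real key): the thread's principal, kvno 0, all-zero key."""
    f = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + f(b"TEST.COM") + f(b"HTTP") + f(b"spotfireserver.test.com")
            + struct.pack(">IIBH", 1, 0, 0, etype) + f(bytes(keylen)))
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(sample_entry(e, n) for e, n in ((23, 16), (17, 16), (18, 32)))
```

Calling audit(parse_keytab(SAMPLE), "default_tkt_enctypes = aes128-cts,aes256-cts") separates the entries the krb5.conf line permits from those that are in the keytab but will not be negotiated, such as an rc4-hmac key.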
