Channel: Security forum

Kerberos Encryption Types 2k3 to 2k8r2 problems after migration.

Server 2k8r2 is not allowing a Unix box to authenticate unless it sends:

• aes256-cts-hmac-sha1-96
• aes128-cts-hmac-sha1-96
• des3-cbc-sha1
• rc4-hmac
• des-cbc-crc
• des-cbc-md5
• des-cbc-md4

in the encryption method. It does however use aes256 but needs to see the older des (not des3) encryption type. If I send a shortened list:

• aes256-cts-hmac-sha1-96
• aes128-cts-hmac-sha1-96
• des3-cbc-sha1

It will reject the connection with:
While processing an AS request for target service krbtgt, the account “account
name” did not have a suitable key for generating a Kerberos ticket (the missing
key has an ID of 1). The requested etypes : 18  17  16. The accounts
available etypes : 23  -133  -128. Changing or resetting the password
of “User_Name” will generate a proper key.

If you reset the user's password this does fix the issue, but I cannot reset the password for that many users; it is not allowed. By resetting the password the Kerberos key is updated to aes256, as it was previously stored in des on a 2k3 server.

Is there a way to update this Kerberos key on the KDC without having to reset the passwords?
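
The etype numbers in the KDC message above can be decoded and compared with the enctype lists the client sends. The following Python sketch is an added example, not part of the original post; the etype name table (IANA numbers plus Microsoft's negative private values), the function names, and the space-separated krb5.conf-style list format are assumptions of the example.

```python
import re

# Etype numbers: IANA-assigned values plus Microsoft's negative private values
# (table is an assumption of this example, limited to the types on this page).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
    -128: "rc4-md4 (Microsoft)", -133: "rc4-hmac-old (Microsoft)",
}
NAME_TO_ETYPE = {name: num for num, name in ETYPE_NAMES.items()}

# The KDC message quoted in the post, joined onto one line.
KDC_MESSAGE = (
    "While processing an AS request for target service krbtgt, the account "
    "'account name' did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes : 18  17  16. "
    "The accounts available etypes : 23  -133  -128."
)
# The two client enctype lists from the post, written krb5.conf style (assumed format).
FULL_LIST = ("aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 "
             "rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4")
SHORT_LIST = "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1"


def parse_kdc_message(text):
    """Return (requested, available) etype numbers from a 'no suitable key' message."""
    found = []
    for label in ("requested etypes", "available etypes"):
        m = re.search(label + r"\s*:\s*((?:-?\d+\s*)+)", text, re.IGNORECASE)
        if m is None:
            raise ValueError("missing '%s' in KDC message" % label)
        found.append([int(n) for n in m.group(1).split()])
    return found[0], found[1]


def usable_etypes(client_enctypes, kdc_message):
    """Names of offered enctypes for which the account has a stored key."""
    _, available = parse_kdc_message(kdc_message)
    unknown = [n for n in client_enctypes.split() if n not in NAME_TO_ETYPE]
    if unknown:
        raise ValueError("unknown enctype name(s): %s" % ", ".join(unknown))
    offered = [NAME_TO_ETYPE[n] for n in client_enctypes.split()]
    return [ETYPE_NAMES[e] for e in offered if e in available]


if __name__ == "__main__":
    for label, enctypes in (("full", FULL_LIST), ("short", SHORT_LIST)):
        print(label, "list overlap with account keys:", usable_etypes(enctypes, KDC_MESSAGE))
```

For the message quoted in the post, the shortened list shares no etype with the account's stored keys, while the longer list overlaps with them only on rc4-hmac (23).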

