Kerberos Encryption Type Change Fails with "KDC has no support for encryption type" Error

Last updated

Mar 26, 2025
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 105

Visibility:: Public

Votes:: 0

Category:: ontap-9

Specialty:: nas

Last Updated:: 3/26/2025, 4:45:26 AM

Applies to

ONTAP 9
Kerberos encryption types

Issue

When attempting to change the Kerberos encryption types from 'rc4, des' to 'aes-128, aes-256',the following error occurs:

Cluster::> vserver cifs security modify -vserver <Vserver name> -advertised-enc-types aes-128,aes-256 　　　　　　Enter your user ID: Administrator@test.com 　　　　　　Enter your password:

　　　　　　Error: command failed: Password update failed. Reason: Kerberos Error: KDC has no support for encryption type.

Secd log:

00000020.001098b2 04381ec9 Fri Mar 07 2025 09:33:05 +09:00 [kern_secd:info:10862] | [000.010.587] info : [krb5 context 09618400] Retrieving STRG_USER$@SHIMPO.LOCAL from SPINKT:kt:C:12 (vno 0, enctype aes256-cts) with result: -1765328203/Key table entry not found 00000020.001098b3 04381ec9 Fri Mar 07 2025 09:33:05 +09:00 [kern_secd:info:10862] | [000.010.599] info : [krb5 context 09618400] Preauth module encrypted_timestamp (2) (real) returned: -1765328203/Key table entry not found 00000020.001098b4 04381ec9 Fri Mar 07 2025 09:33:05 +09:00 [kern_secd:info:10862] | [000.010.631] ERR : CIFS server could not authenticate as 'STRG_USER$@SHIMPO.LOCAL': Generic preauthentication failure (KRB5_PREAUTH_FAILED) { in getKerberosServerCredentials() at src/utils/secd_krb_utils.cpp:617 } 00000020.001098b5 04381ec9 Fri Mar 07 2025 09:33:05 +09:00 [kern_secd:info:10862] | [000.010.647] ERR : RESULT_ERROR_KERBEROS_UNKNOWN_ERROR:7556 in getKerberosServerCredentials() at src/utils/secd_krb_utils.cpp:633