Environment
NetIQ Access Manager 4.0
Kerberos KDC on Windows 2012 R2 server
Situation
NAM was set up and working well with username/password-based authentication. A Kerberos contract was needed for a number of internal users, and it was set up per the documentation for NAM 4 SP1 with Windows 2012 servers.
However, when a user with a Kerberos token attempted to authenticate to the IDP, it threw the following error:
Cannot find key of appropriate type to decrypt AP REP
The ktpass command used was fairly basic, and the same form had worked before at another setup:
ktpass /out nidpkey.keytab /princ HTTP/login.novell.com@NOVELL.LOCAL /mapuser login@NOVELL.LOCAL /pass password /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0
Resolution
ktpass /out nidpkey.keytab /princ HTTP/login.novell.com@NOVELL.LOCAL /mapuser login@NOVELL.LOCAL /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0
The issue was caused by a mismatch between the encryption type of the key written by ktpass (/crypto RC4-HMAC-NT) and the encryption types in use on the server; regenerating the keytab with /crypto all, so that it carries a key for every supported encryption type, resolved it.
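To see this mismatch before loading a keytab into the IDP, here is an added example (not from this article or from NetIQ) that parses the keytab file format ktpass writes (version 0x0502) and reports which encryption types are missing for the SPN. The keytab bytes and key values are constructed dummies, and the set of enctypes the KDC requires is an assumption to be taken from the actual error text or from klist output.

```python
import struct
# Kerberos enctype numbers from the IANA registry (RFC 3961, RFC 4757)
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(s):
    """Counted octet string as used in keytabs: uint16 length + bytes."""
    return struct.pack(">H", len(s.encode())) + s.encode()
def _read_cstr(data, pos):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def keytab_entry(principal, realm, enctype, key, kvno=0):
    """Build one keytab version 0x0502 entry; name type 1 is KRB5_NT_PRINCIPAL."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key   # keyblock
    body += struct.pack(">I", kvno)                       # optional 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Yield (principal, realm, enctype, kvno) for each live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size == 0: break                  # zero padding: nothing more to read
        if size < 0: pos -= size; continue   # negative size marks a deleted slot
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos); comps.append(c)
        _ntype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        yield "/".join(comps), realm, etype, kvno
        pos = end

def missing_enctypes(data, principal, required):
    """Names of the enctypes in `required` that the keytab has no key for under `principal`."""
    have = {e for p, _r, e, _k in parse_keytab(data) if p == principal}
    return [ENCTYPES.get(e, str(e)) for e in sorted(set(required) - have)]

# Constructed samples with dummy keys: the RC4-only output of the failing ktpass above, and one with AES too
SPN, REALM = "HTTP/login.novell.com", "NOVELL.LOCAL"
RC4_ONLY = b"\x05\x02" + keytab_entry(SPN, REALM, 23, b"\x11" * 16)
WITH_AES = RC4_ONLY + keytab_entry(SPN, REALM, 17, b"\x22" * 16) + keytab_entry(SPN, REALM, 18, b"\x33" * 32)
```

On a real file, pass the bytes of nidpkey.keytab to missing_enctypes with the SPN from the ktpass command; a non-empty result means the IDP has no key for that enctype and will fail to decrypt tickets issued with it.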