Error: "Cannot find key of appropriate type to decrypt AP REP" authenticating with Kerberos

  • 7015796
  • 20-Oct-2014
  • 20-Oct-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Kerberos KDC on Windows 2012 R2 server

Situation

NAM was set up and working well with username/password-based authentication. A Kerberos contract needed to be added for a number of internal users, and it was set up per the docs for NAM 4 SP1 with Windows 2012 servers.

For whatever reason though, when a user with a Kerberos token attempted to authenticate to the IDP, it threw the following error:

Cannot find key of appropriate type to decrypt AP REP

The ktpass command used was fairly basic, and the same form had been used before at another setup:

ktpass /out nidpkey.keytab /princ HTTP/login.novell.com@NOVELL.LOCAL /mapuser login@NOVELL.LOCAL /pass password /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /kvno 0

Resolution

The following ktpass parameters made it work:

ktpass /out nidpkey.keytab /princ HTTP/login.novell.com@NOVELL.LOCAL /mapuser login@NOVELL.LOCAL /pass password /crypto all /ptype KRB5_NT_PRINCIPAL /kvno 0

The issue existed because of an incompatibility between the encryption types (crypto keys) written into the keytab by ktpass and what was available on the server: the IDP received a ticket encrypted with an enctype for which its keytab held no key.
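As an added illustration (not part of this TID and not NetIQ code), the following Python parses a keytab in the MIT 0x0502 layout that ktpass writes and reports which enctypes a peer requires that the keytab does not carry, which is the condition behind the error above. The keytab bytes are constructed inline for the demo, the principal is taken from the command above, and the key bytes and the assumption that the peer wants AES (enctypes 17 and 18) are placeholders; a keytab produced with /crypto RC4-HMAC-NT then shows the gap that /crypto all closes.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757) that ktpass can write.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ETYPES = {17, 18}   # assumed requirement of the peer for this demo

def parse_keytab(data):
    """Parse an MIT-format (0x0502) keytab; return [(principal, etype, kvno), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                       # negative length marks a deleted slot
            pos += -size
            continue
        body, p = data[pos:pos + size], 0
        (ncomp,) = struct.unpack(">H", body[:2]); p = 2
        parts = []                         # realm is stored first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", body[p:p + 2]); p += 2
            parts.append(body[p:p + n].decode()); p += n
        _name_type, _ts, vno8 = struct.unpack(">IIB", body[p:p + 9]); p += 9
        etype, klen = struct.unpack(">HH", body[p:p + 4]); p += 4 + klen
        vno = struct.unpack(">I", body[p:p + 4])[0] if p + 4 <= size else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], etype, vno))
        pos += size
    return entries

def missing_etypes(entries, required):
    """Enctypes the peer needs that no key in the keytab provides (the error's cause)."""
    return sorted(required - {e for _, e, _ in entries})

def make_entry(principal, etype, key, kvno):
    """Constructed keytab entry for the demo (same layout that parse_keytab reads)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)        # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

PRINC = "HTTP/login.novell.com@NOVELL.LOCAL"
RC4_ONLY = b"\x05\x02" + make_entry(PRINC, 23, b"\x11" * 16, 0)   # as /crypto RC4-HMAC-NT
ALL = RC4_ONLY + make_entry(PRINC, 18, b"\x22" * 32, 0) + make_entry(PRINC, 17, b"\x33" * 16, 0)
```

Calling `missing_etypes(parse_keytab(RC4_ONLY), AES_ETYPES)` names the AES enctypes the RC4-only keytab lacks, while the same call on `ALL` returns nothing missing; run against a real keytab file's bytes, it tells you whether the server's error is explained by a missing key type before you re-run ktpass.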