IBM Support

EUVF06014E - Unable to obtain initial credentials. Status 0x96c73a0e - Encryption Type is Not Supported

Troubleshooting


Problem

The response "EUVF06014E - Unable to obtain initial credentials. Status 0x96c73a0e - Encryption type is not supported." to a kinit -k command indicates that Network Authentication Services (NAS) on the IBM i and the AD user account on the Windows server do not support the same encryption types, making it impossible for the two to communicate.

Resolving The Problem

The response "EUVF06014E - Unable to obtain initial credentials. Status 0x96c73a0e - Encryption type is not supported." indicates that Network Authentication Services (NAS) on the IBM i and the AD user account on the Windows server do not support the same encryption types.

Current Microsoft OS versions have changed to exclusively support AES encryption, making that the primary target encryption type.

If the IBM i already has AES encryption service principals (to check, go into QSH, type keytab list, and look for AES encryption type principals), you may need to go into the Active Directory account for the related principal entry and check the "Use AES encryption" box (and clear the "Use DES encryption" box).

The encryption type needs to be verified.

1. On the IBM i, type STRQSH, then type the command keytab list and verify that the following key types are present for the krbsvr400 account:

Key type: 128-bit AES
Key type: 256-bit AES
Key type: ARCFOUR

If you do not have these key types, you need to remove the current principal and add a new one to get the AES and ARCFOUR keys.

2. Make sure the /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf file contains the following lines under the "default_realm" property.

default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,arcfour-hmac
kdc_use_tcp = 1 


3. In STRQSH, type the command keytab delete krbsvr400/myservername@MYREALM.COM, where the krbsvr400 principal is the one shown by the keytab list command run earlier.

Note: If you do not recall the password used when configuring Network Authentication earlier, you will need to reset this on the Active Directory server in step 4.

4. In STRQSH, run the command keytab add krbsvr400/myservername@MYREALM.COM -p password
where password is the Active Directory account password.

5. On the Windows server, go to the AD Server and then go to the Account tab for the krbsvr400 user.
Clear the Use DES Encryption box, and check the box This Account Supports Kerberos AES 128 and 256 Encryption. Reset the password if needed from what was used in step 3.

6. Verify in STRQSH with kinit -k krbsvr400/myservername@MYREALM.COM followed by klist -e.
You should see the encryption types of AES or ARCFOUR:

Ticket encryption type: aes256-cts-hmac-sha1-96
Session encryption type: aes256-cts-hmac-sha1-96
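
The checks from steps 1, 2 and 6, as an added example that is not IBM's code: a POSIX shell script that audits a copy of krb5.conf and the saved output of keytab list and klist -e. The function names are hypothetical, and it assumes the keytab list file holds only the krbsvr400 entries, with "Key type:" lines in the form shown above.

```shell
#!/bin/sh
# Added example (not IBM code): offline audit of a krb5.conf copy and of the
# saved output of "keytab list" and "klist -e". Function names are hypothetical.
REQUIRED_ETYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac"

# Value of a "key = value" krb5.conf line, whitespace stripped (last one wins).
conf_value() {    # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 | tr -d ' \t\r'
}

# Print the required enctypes that one enctype-list setting does not contain.
missing_enctypes() {    # $1=file $2=key
    have=",$(conf_value "$1" "$2"),"
    out=""
    for e in $REQUIRED_ETYPES; do
        case "$have" in *",$e,"*) ;; *) out="$out $e" ;; esac
    done
    echo "${out# }"
}

# Print the step 1 key types absent from saved "keytab list" output.
# Assumption: the file holds only the krbsvr400 principal's entries.
missing_keytypes() {    # $1=file
    out=""
    for k in "128-bit AES" "256-bit AES" "ARCFOUR"; do
        grep -q "Key type:[[:space:]]*$k" "$1" || out="$out,$k"
    done
    echo "${out#,}"
}

# Succeed only if every "encryption type:" line of klist -e is AES or ARCFOUR.
ticket_etypes_ok() {    # $1=file
    grep -i 'encryption type:' "$1" >/dev/null || return 1
    ! grep -i 'encryption type:' "$1" | grep -Eqiv 'aes(128|256)-cts|arcfour'
}

audit() {    # $1=krb5.conf $2=keytab list output $3=klist -e output
    rc=0
    for key in default_tgs_enctypes default_tkt_enctypes; do
        m=$(missing_enctypes "$1" "$key")
        [ -z "$m" ] || { echo "krb5.conf $key lacks: $m"; rc=1; }
    done
    [ "$(conf_value "$1" kdc_use_tcp)" = "1" ] || { echo "kdc_use_tcp is not 1"; rc=1; }
    m=$(missing_keytypes "$2")
    [ -z "$m" ] || { echo "keytab lacks key types: $m"; rc=1; }
    ticket_etypes_ok "$3" || { echo "klist -e shows a non-AES/ARCFOUR type"; rc=1; }
    return $rc
}
if [ "$#" -eq 3 ]; then audit "$1" "$2" "$3"; fi
```

Run it with three file arguments; it prints one line per mismatch and exits non-zero if any check fails.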


Historical Number

638057862

Document Information

Modified date:
13 February 2023

UID

nas8N1010903