Create a Keytab with AES

Why should I consider using AES encryption?

While the default RC4-HMAC is the most compatible encryption type, it is no longer considered to offer strong encryption. Its key is derived directly from the account's NT hash (an unsalted MD4 of the password), so anyone who captures a service ticket can test password guesses against it offline, and RFC 8429 formally deprecates the type.

For this reason, we recommend that you use AES-128 or AES-256 encryption instead.

Prerequisites for using AES encryption 

Prerequisites / Tasks


AES must be enabled on the user account that holds the SPN. In Active Directory Users and Computers this is done on the Account tab of the user with the options "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption", which set the msDS-SupportedEncryptionTypes attribute.

Domain functional level must be 2008 or higher.

Domain functional levels before 2008 do not support AES encryption, because only Windows Server 2008 and later domain controllers implement the AES encryption types.

To find the domain functional level, right-click the domain root in Active Directory Users and Computers (or Active Directory Domains and Trusts) and choose Properties; the current level is shown on the General tab.

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be in place. The limited policy shipped with older JREs caps AES at 128-bit keys, so AES-256 tickets cannot be decrypted without them (AES-128 works either way).

Replace local_policy.jar and US_export_policy.jar in

$JAVA_HOME/jre/lib/security/

The service must be restarted to apply the new policies. On Java 8u161 and later (and on Java 9 and later) the unlimited policy is the default and this step is not needed.

 

Creating a keytab with AES

  1. Enable AES 128 or AES 256 on the user account (the Account tab checkboxes described above, or the -KerberosEncryptionType parameter of the Set-ADUser cmdlet).

  2. (Re)Create the keytab with support for AES. ktpass with /pass resets the account's password, which increments the key version number (kvno) and maps the SPN to the account; the previous keytab stops working as soon as the command completes.

    ktpass /princ HTTP/issues.example.com@EXAMPLE.LOCAL /mapuser EXAMPLE\svc-jira-sso /pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

     /pass * prompts for the new password. For AES-128 use /crypto AES128-SHA1 instead.

  3. Upload the new keytab file to our plugin.

Purge tickets

Recreating keytabs with new versions or different encryption types will make Kerberos fail for clients that already hold a service ticket: that ticket was encrypted with the previous key (and kvno), which the service no longer has. Logging out, or running "klist purge" on the Windows command line, discards the cached tickets so the client requests a new one, now encrypted with AES-256.

Example:

The first command in the screenshot issues a keytab for issues.example.com. This keytab has "vno 3", meaning key version number (kvno) 3.

The second command is run after the user object has AES256 enabled. Because ktpass reset the account password again, a new version of the keytab is issued (vno 4); the service must use this one, and clients holding tickets for vno 3 must purge them.
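To check the result of the procedure above without trusting the ktpass output alone, and to read the kvno the Example section talks about, the following script inspects a keytab file directly. It is an added example, not code from the original article or from the plugin: it parses the MIT/Heimdal keytab format (version 0x0502) that ktpass writes, lists each entry's principal, kvno and encryption type, and flags RC4 or DES keys. The two sample keytabs at the bottom are constructed inside the script with all-zero placeholder keys to mirror the vno 3 (RC4) and vno 4 (AES-256) runs; the principal and realm names are the article's example values.

```python
"""Audit a Kerberos keytab for encryption types and key version numbers.

Added example, not part of the original article or the plugin. Parses the
MIT/Heimdal keytab format (version 0x0502) written by ktpass. The sample
keytabs near the end are constructed here with all-zero placeholder keys."""
import struct
import sys
from typing import List, NamedTuple, Tuple

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
                 20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ENCTYPES = {1, 3, 23, 24}  # DES and RC4 families: the types the article moves away from


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: int

    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")

    def is_weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit-length-prefixed octet string; return (value, offset after it)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(body: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", body, 0)
    realm, off = _counted(body, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(body, off)
        comps.append(comp.decode())
    _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, off)  # uint32, uint32, 8-bit kvno
    off += 9
    enctype, keylen = struct.unpack_from(">HH", body, off)
    off += 4 + keylen          # skip the key material; never needed for the audit
    kvno = vno8
    if len(body) - off >= 4:   # optional 32-bit kvno; overrides the 8-bit field when non-zero
        (vno32,) = struct.unpack_from(">I", body, off)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:           # a negative size marks a deleted slot of that length
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def max_kvno(data: bytes) -> int:
    return max(e.kvno for e in parse_keytab(data))


def has_only_strong_keys(data: bytes) -> bool:
    return all(not e.is_weak() for e in parse_keytab(data))


def report(data: bytes) -> List[str]:
    return [f"{e.principal}  kvno {e.kvno}  {e.enctype_name()}" + ("  WEAK" if e.is_weak() else "")
            for e in parse_keytab(data)]


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, key) tuples into a 0x0502 keytab (for the constructed samples)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, fixed timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


PRINCIPAL = "HTTP/issues.example.com@EXAMPLE.LOCAL"
# Constructed samples: first ktpass run (RC4, kvno 3) and the run after AES256 was
# enabled on the account (kvno 4). The keys are zero placeholders, not real secrets.
OLD_KEYTAB = build_keytab([(PRINCIPAL, 3, 23, bytes(16))])
NEW_KEYTAB = build_keytab([(PRINCIPAL, 4, 18, bytes(32))])

if __name__ == "__main__":
    # Give the path ktpass wrote with /out to audit a real file; otherwise the sample is shown.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NEW_KEYTAB
    print("\n".join(report(data)))
    if not has_only_strong_keys(data):
        print("keytab still contains RC4/DES keys; re-run ktpass with /crypto AES256-SHA1 or AES128-SHA1")
```

Run it as `python keytab_audit.py C:\issues.example.com.keytab` on the file you are about to upload; if the kvno printed does not match the "vno" ktpass reported, you are looking at a stale file. On hosts with MIT Kerberos installed, `klist -k -e` against the same file gives an equivalent listing for comparison.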