Changes between Version 10 and Version 12 of Ticket #529


Ignore:
Timestamp:
09/04/10 00:45:57 (11 years ago)
Author:
andersk
Comment:

Also the MIT SECURE wireless network.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #529

    • Property Priority changed from major to critical
  • Ticket #529 – Description

    v10 v12  
    3131 * I cannot log in to [https://mit-mailsec-cc.mit.edu:41443/brightmail Brightmail]: “Invalid user name or password. Please try again.” 
    3232 * I cannot log in to Windows after starting the Citrix ICA Client from [https://citrix.mit.edu/Citrix/MetaFrameXP/frameset.jsp Citrix MetaFrame XP]: “The system could not log you on.  Make sure your User name and domain are correct, then type your password again.  Letters in passwords must be typed using the correct case.” 
     33 * I cannot log in to the MIT SECURE wireless network: 
     34{{{ 
     35NetworkManager[1083]: <info> (eth1): supplicant connection state:  associating -> associated 
     36wpa_supplicant[1185]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected 
     37wpa_supplicant[1185]: EAP-TLV: TLV Result - Failure 
     38wpa_supplicant[1185]: CTRL-EVENT-EAP-FAILURE EAP authentication failed 
     39}}} 
    3340 
    3441Given that single-DES is critically weak, is disabled by default in current releases of Kerberos, and will be removed entirely in future releases, we should talk with network and try to get these little problems worked out sooner rather than later. 
     42 
     43== Solution == 
     44 
     45In at least [comment:8 one case] (ca.mit.edu), the problem was that the server’s `/etc/krb5.conf` had the line `default_tkt_enctypes = des-cbc-crc`.  This line [comment:9 should be removed].  Since we think this misconfigured `/etc/krb5.conf` has been copied to many MIT servers, that’s probably all we need to do to fix most or all of these problems.