Description
A local security policy set from the domain controller causes client-side Kerberos failures on client machines.
Product
Any ExacqVision NVR
Any client machines or third-party client machines
Steps to Reproduce
- Integrate the NVR with your domain controller using LDAP.
- Use single sign-on to authenticate on the client machine.
Expected Results
Single sign-on succeeds and you are successfully logged in.
Actual Results
Single sign-on fails and you get a client-side Kerberos failure.
Solution
- Collect the support diagnostics from the client machine.
- Open the client logs.
- Look for a log entry stating SSPI error: SEC_E_KDC_UNKNOWN_ETYPE (The encryption type requested is not supported by the KDC).
- On both the DC and the client machine, the local security policy setting "Network security: Configure encryption types allowed for Kerberos" needs to have RC4_HMAC_MD5 enabled, along with Future encryption types, AES256_HMAC_SHA1, and AES128_HMAC_SHA1.
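
To check what the policy currently allows on the DC or a client, the following PowerShell is an added example, not part of the original article or the product's tooling. It reads the registry value that this policy setting writes and reports which of the four required types are missing; the registry path and bit values are the standard Windows ones, and the function name Get-KerberosEtypeReport is hypothetical.

```powershell
# Added example: decode the "Configure encryption types allowed for Kerberos"
# policy on the local machine and compare it with the types this article requires.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$name = 'SupportedEncryptionTypes'

# Bit flags behind the check boxes of the policy setting.
$flags = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

# Types the article says must be enabled on both the DC and the client.
$required = 'RC4_HMAC_MD5', 'AES128_HMAC_SHA1', 'AES256_HMAC_SHA1', 'Future encryption types'

# Hypothetical helper: turn the DWORD into one row per encryption type.
function Get-KerberosEtypeReport {
    param([Parameter(Mandatory)][int64]$Value)
    foreach ($entry in $flags.GetEnumerator()) {
        [pscustomobject]@{
            EncryptionType = $entry.Key
            Enabled        = (($Value -band $entry.Value) -eq $entry.Value)
            Required       = $required -contains $entry.Key
        }
    }
}

$prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    # No value means the policy is "Not Defined" here and OS defaults apply.
    Write-Output "$name is not set on $env:COMPUTERNAME; the policy is not defined locally."
}
else {
    $value  = [int64]$prop.$name
    $report = Get-KerberosEtypeReport -Value $value
    $report | Format-Table -AutoSize

    $missing = $report | Where-Object { $_.Required -and -not $_.Enabled }
    if ($missing) {
        Write-Output ("Missing required types: " + ($missing.EncryptionType -join ', '))
    }
    else {
        Write-Output ('All required types are enabled (value 0x{0:X}).' -f $value)
    }
}
```

Run it on the DC and on the client and compare the two outputs; a type enabled on one side but not the other is the mismatch that produces SEC_E_KDC_UNKNOWN_ETYPE.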