Comment 11 for bug 567188

Troc Ster (tom-m7sys) wrote :

I have encountered this issue as well. I use pam_kerberos and AD for authentication and login authorization; this works fine.

However, this issue affects Kerberos-mediated Single Sign On to apache sites using mod_auth_kerb.so version 5.1 on the web server and the krb5 libraries on 10.04 (this used to work fine in 9.04). The SSO web authentication fails and falls back to less desirable methods (username password).

The issue is resolved by adding "allow_weak_crypto = true" in /etc/krb5.conf

Package: krb5-user
Version: 1.8.1+dfsg-2

Package: firefox
Version: 3.6.3+nobinonly-0ubuntu4

the wireshark trace shows the client doing a TGS-REQ to the kdc where the
padata: PA-TGS-REQ
    -> value .. AP-REQ
        -> Authenticator rc4-hmac
            -> Encryption type: rc4-hmac (23)
            -> Authenticator data: ........

The response is a KRB-ERROR with error code KRB5KDC_ERR_ETYPE_NOSUPP

After adding "allow_weak_crypto = true" the TGS-REQ to the kdc is responded with a TGS-REP which includes a ticket. The SSO session with the apache server continues, and the wireshark trace shows the following in the http headers:

GSS-API
    -> SPNEGO
         -> negTokenInit
                -> krb5_blob
                       -> Kerberos AP-REQ
                             -> Authenticator des-cbc-crc
                                    -> Encryption type: des-cbc-crc (1)
                                    -> Authenticator data: ....

Will add more info if needed. For now the extra line works. Thank you for the suggestion.