
Okta Array: Type Is Not Supported for Bulk Upload


Original KB number: 4501051

Symptoms

You receive errors after you have modified the setting Network Security: Configure encryption types allowed for Kerberos via local policy or GPO from the default values to a value that only allows the following encryption types:

  • AES128_HMAC_SHA1
  • AES256_HMAC_SHA1
  • Future encryption types

If errors are written to the SharePoint Unified Logging System (ULS) logs, they indicate that the encryption type requested isn't supported by the KDC. Actions that trigger these errors include (but are not limited to):

  • Accessing the Manage Service Account page in Central Administration
  • Accessing the Search Administration page (the Search Topology may not display)
  • Making changes to the search configuration

The underlying error message written to the SharePoint ULS logs is:

Exception : System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception.
---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
---> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC
--- End of inner exception stack trace ---

The Project Server Service Application might also log a similar message:

PWA:https://<SharePoint>/<Site>, ServiceApp:PWA, User:i:0#.w|Domain\UserId,
PSI: failed to transport job notification to queue for site <Guid>, exception System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception.
---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
---> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC

During the process of provisioning User Profile Services, you are unable to start the User Profile Synchronization service.

When starting the User Profile Service in Central Administration, the service starts and then stops immediately. Inspection of the SharePoint ULS indicates that the failure to start is a result of the following:

"UserProfileApplication.SynchronizeMIIS: Failed to configure ILM, will attempt to rerun.
Exception: System.Security.SecurityException: The encryption type requested is not supported by the KDC."

Other components might write error messages indicating that the encryption type requested is not supported by the KDC.

Cause

This behavior occurs because of a conflict between the custom local policy or group policy and the service account's properties in Active Directory. When you configure the property setting Network Security: Configure encryption types allowed for Kerberos so that the server only supports AES encryption types and future encryption types, the server won't support older Kerberos encryption types in Kerberos tickets. It's also important to note that user account objects created in Active Directory aren't configured to support Kerberos AES encryption by default.

If the server is configured to require AES encryption types for Kerberos, but the service account's properties in Active Directory haven't been updated to support AES encryption, the result is a scenario where the server is unable to negotiate a common encryption type for Kerberos tickets.

Resolution

To resolve this issue, follow these steps:

  1. Identify all accounts that are used within SharePoint as application pool accounts and service accounts.

  2. Locate the accounts in Active Directory Users and Computers.

  3. Select Properties.

  4. Select the Account tab.

  5. In the section titled Account Options, ensure that one or both of the following options are selected. This will enable support for Kerberos AES encryption on these user objects:

    • This account supports Kerberos AES 128 bit encryption
    • This account supports Kerberos AES 256 bit encryption

  6. Perform an iisreset on the servers and restart any SharePoint related services that are running in the context of the modified service accounts.

If the issue isn't fixed, try the resolution in SCCM: "The encryption type requested is not supported by the KDC" Error When Running Reports.
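
The account changes in steps 1 through 5 can also be scripted. The following is an added example, not part of the original KB article or Microsoft's own script: it ORs the two AES bits into msDS-SupportedEncryptionTypes for every SharePoint managed account, leaving any other flags on the account unchanged. It assumes the ActiveDirectory PowerShell module is installed, that the managed accounts live in the current domain, and that both AES options are wanted (the steps above allow one or both); the variable names are illustrative.

```powershell
# Added example (not from the original KB). Assumes the ActiveDirectory RSAT
# module is available and the session may modify the service accounts.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

# Bit flags in msDS-SupportedEncryptionTypes
$AES_128 = 0x8
$AES_256 = 0x10
$AesMask = $AES_128 -bor $AES_256

foreach ($ManagedAccount in Get-SPManagedAccount) {
    # Username is DOMAIN\sAMAccountName; keep the part after the backslash.
    $sam = ($ManagedAccount.Username -split '\\', 2)[-1]

    $user = Get-ADUser -Identity $sam -Properties 'msDS-SupportedEncryptionTypes'

    # An unset attribute reads as $null; [int]$null is 0 (no flags selected).
    $current = [int]$user.'msDS-SupportedEncryptionTypes'
    $desired = $current -bor $AesMask

    if ($desired -eq $current) {
        Write-Host ("{0}: both AES flags already set (0x{1:X})" -f $sam, $current) -ForegroundColor Green
        continue
    }

    # OR-ing keeps the flags already present, which matches ticking the two
    # AES boxes on the Account tab. -WhatIf only reports the planned change.
    Set-ADUser -Identity $user -Replace @{ 'msDS-SupportedEncryptionTypes' = $desired } -WhatIf
    Write-Host ("{0}: 0x{1:X} -> 0x{2:X}" -f $sam, $current, $desired) -ForegroundColor Yellow
}
```

Review the -WhatIf output first, then remove -WhatIf to apply the change and continue with step 6.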

More information

To check whether your SharePoint server is configured to only support AES encryption types or newer types:

  1. On the server, start the Local Security Policy Editor (secpol.msc).
  2. Expand Security Settings > Local Policies > Security Options.
  3. Locate Network Security: Configure encryption types allowed for Kerberos.
  4. Select Properties.

If only the following options are selected:

  • AES128_HMAC_SHA1
  • AES256_HMAC_SHA1
  • Future encryption types

Screenshot of encryption types allowed for Kerberos.

Then you will need to enable support for Kerberos AES encryption on the Active Directory user objects that are used to run SharePoint services and application pools.

You can use the following PowerShell script to identify the SharePoint service accounts and test whether they are configured to support AES encryption types:

    Add-PSSnapin Microsoft.SharePoint.Powershell

    # Bit flags in the msDS-SupportedEncryptionTypes attribute
    $AES_128 = 0x8
    $AES_256 = 0x10
    $Separator = "\"
    $option = [System.StringSplitOptions]::RemoveEmptyEntries

    Write-Host "Retrieving SharePoint Managed Accounts" -ForegroundColor White
    $ManagedAccounts = Get-SPManagedAccount
    foreach ($ManagedAccount in $ManagedAccounts)
    {
        Write-Host "Checking Account: "$ManagedAccount.Username
        # Username is DOMAIN\sAMAccountName; keep the part after the backslash
        $temp = $ManagedAccount.Username
        $samaccountName = $temp.Split($Separator, 2, $option)[1]
        $userobj = ([adsisearcher]"samAccountName=$samaccountName").FindOne()
        if ($null -eq $userobj)
        {
            Write-Host "Account not found in Active Directory" -ForegroundColor Red
            continue
        }

        # Reset for each account; an unset attribute means neither AES flag is enabled
        $EncryptionTypes = 0
        $values = $userobj.Properties.Item('msds-supportedencryptiontypes')
        if ($null -ne $values -and $values.Count -gt 0)
        {
            $EncryptionTypes = $values[0]
        }

        if ($EncryptionTypes -band $AES_128)
        {
            Write-Host "Account Supports AES128 bit encryption " -ForegroundColor Green
        }
        Else
        {
            Write-Host "Account Does Not have AES128 bit encryption support enabled" -ForegroundColor Red
        }
        if ($EncryptionTypes -band $AES_256)
        {
            Write-Host "Account Supports AES256 bit encryption " -ForegroundColor Green
        }
        Else
        {
            Write-Host "Account Does Not have AES256 bit encryption support enabled" -ForegroundColor Red
        }
    }


Source: https://docs.microsoft.com/en-us/sharepoint/troubleshoot/security/configuration-to-support-kerberos-aes-encryption
