krb1.2.3 on win2k using win2k active directory
Danilo Almeida
dalmeida at MIT.EDU
Mon Mar 18 14:48:12 EST 2002
I don't recall... do you have to set "Use DES encryption types for this
account" for the user in AD? (It seems that you don't when you have a
cross-realm trust to an Kerberos realm, but I do not know otherwise.)
- Danilo
-----Original Message-----
From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU] On Behalf
Of David Bailey
Sent: Monday, March 18, 2002 12:17 PM
To: kerberos at mit.edu
Subject: Re: krb1.2.3 on win2k using win2k active directory
Hi,
I've read the MS whitepaper. The supported encryption types are claimed
to
be des-cbc-md5 and des-cbc-crc. I've set the default encryption type to
both
(separately and together) with the same results as before.
Still stumped...
Cheers,
Dave
""Booker C. Bense"" <bbense at networking.stanford.edu> wrote in message
news:Pine.GSO.4.44.0203180638270.27411-100000 at shred.stanford.edu...
> On Mon, 18 Mar 2002, David Bailey wrote:
>
[snipped for readability]
> - This has nothing to do with a keytab. It's saying that you are
> asking for a kind of key that the KDC doesn't support. There is
> some mismatch in the configuration between your client and the KDC.
>
> - This is just a total guess, but it may be that you're asking for
> a triple DES key. I have no idea if the W2K KDC supports that or
> not.
>
> - You can control the kind of key you ask for on the MIT client
> side by using the libdefaults options
>
> default_tgs_enctypes = des-cbc-crc
> default_tkt_enctypes = des-cbc-crc
>
> - That's what works here, I suggest you read the MS white paper on
> kerberos interoperablity for all the available options.
>
> - Booker C. Bense
More information about the Kerberos
mailing list