krb1.2.3 on win2k using win2k active directory

Danilo Almeida dalmeida at MIT.EDU
Mon Mar 18 14:48:12 EST 2002


I don't recall...  do you have to set "Use DES encryption types for this
account" for the user in AD?  (It seems that you don't when you have a
cross-realm trust to an Kerberos realm, but I do not know otherwise.)

- Danilo

-----Original Message-----
From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU] On Behalf
Of David Bailey
Sent: Monday, March 18, 2002 12:17 PM
To: kerberos at mit.edu
Subject: Re: krb1.2.3 on win2k using win2k active directory

Hi,

I've read the MS whitepaper. The supported encryption types are claimed
to
be des-cbc-md5 and des-cbc-crc. I've set the default encryption type to
both
(separately and together) with the same results as before.

Still stumped...

Cheers,
    Dave

""Booker C. Bense"" <bbense at networking.stanford.edu> wrote in message
news:Pine.GSO.4.44.0203180638270.27411-100000 at shred.stanford.edu...
> On Mon, 18 Mar 2002, David Bailey wrote:
>

[snipped for readability]

> - This has nothing to do with a keytab. It's saying that you are
> asking for a kind of key that the KDC doesn't support. There is
> some mismatch in the configuration between your client and the KDC.
>
> - This is just a total guess, but it may be that you're asking for
> a triple DES key. I have no idea if the W2K KDC supports that or
> not.
>
> - You can control the kind of key you ask for on the MIT client
> side by using the libdefaults options
>
>     default_tgs_enctypes  = des-cbc-crc
>     default_tkt_enctypes  = des-cbc-crc
>
> - That's what works here, I suggest you read the MS white paper on
> kerberos interoperablity for all the available options.
>
> - Booker C. Bense





More information about the Kerberos mailing list