krb1.2.3 on win2k using win2k active directory

David Bailey D.Bailey at Bristol.ac.uk
Tue Mar 19 05:08:37 EST 2002


Hi,

I've checked the times on both machines - all OK, in fact they're both
synchronised from the same time server. The DC I'm trying to authenticate
against is Win2k Server SP2, so that should have 128 bit encryption enabled
by default. The kerberos release was built on an SP2 machine with the latest
SDK, so there shouldn't be any mismatches I hope.

The only thing that might be causing a problem (although I don't know why)
is that the domain is operating in mixed mode (i.e. supporting NT4 clients
too).

I'm going to go build a test domain with a spare machine or two and try
again there. At least I'll be able to completely destroy it without bringing
the campus domain down...

Will keep the group posted...

Cheers,
    Dave

"Danilo Almeida" <dalmeida at mit.edu> wrote in message
news:001c01c1ceb5$d6c10160$1b011212 at mit.edu...
> I don't recall...  do you have to set "Use DES encryption types for this
> account" for the user in AD?  (It seems that you don't when you have a
> cross-realm trust to a Kerberos realm, but I do not know otherwise.)
>
> - Danilo
>
> -----Original Message-----
> From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU] On Behalf
> Of David Bailey
> Sent: Monday, March 18, 2002 12:17 PM
> To: kerberos at mit.edu
> Subject: Re: krb1.2.3 on win2k using win2k active directory
>
> Hi,
>
> I've read the MS whitepaper. The supported encryption types are claimed
> to be des-cbc-md5 and des-cbc-crc. I've set the default encryption type
> to both (separately and together) with the same results as before.
>
> Still stumped...
>
> Cheers,
>     Dave
>
> "Booker C. Bense" <bbense at networking.stanford.edu> wrote in message
> news:Pine.GSO.4.44.0203180638270.27411-100000 at shred.stanford.edu...
> > On Mon, 18 Mar 2002, David Bailey wrote:
> >
>
> [snipped for readability]
>
> > - This has nothing to do with a keytab. It's saying that you are
> > asking for a kind of key that the KDC doesn't support. There is
> > some mismatch in the configuration between your client and the KDC.
> >
> > - This is just a total guess, but it may be that you're asking for
> > a triple DES key. I have no idea if the W2K KDC supports that or
> > not.
> >
> > - You can control the kind of key you ask for on the MIT client
> > side by using the libdefaults options
> >
> >     default_tgs_enctypes  = des-cbc-crc
> >     default_tkt_enctypes  = des-cbc-crc
> >
> > - That's what works here, I suggest you read the MS white paper on
> > kerberos interoperability for all the available options.
> >
> > - Booker C. Bense
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
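
Added example, not part of the original thread and not code from MIT Kerberos or Microsoft: a small check that reads the [libdefaults] enctype settings discussed above and reports whether any requested type overlaps the two types the poster cites from the MS whitepaper. The sample krb5.conf, realm and host names are constructed, and the function names are hypothetical.

```python
import re

# Enctypes the thread cites from the MS whitepaper as supported by the W2K KDC.
KDC_ENCTYPES = {"des-cbc-md5", "des-cbc-crc"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")

def libdefaults(conf_text):
    """Return the key/value relations of the [libdefaults] section."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def check_enctypes(conf_text, kdc_enctypes=KDC_ENCTYPES):
    """Map each enctype key to (requested, usable, problem or None)."""
    conf = libdefaults(conf_text)
    report = {}
    for key in ENCTYPE_KEYS:
        if key not in conf:
            report[key] = ([], [], "not set: client falls back to its built-in list")
            continue
        # The list may be space or comma separated; order is preference order.
        requested = [e for e in re.split(r"[,\s]+", conf[key]) if e]
        usable = [e for e in requested if e.lower() in kdc_enctypes]
        problem = None if usable else "no requested enctype is supported by the KDC"
        report[key] = (requested, usable, problem)
    return report

# Constructed sample: triple DES is listed first, as guessed at in the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1

[realms]
    EXAMPLE.TEST = { kdc = dc1.example.test }
"""

if __name__ == "__main__":
    for key, (req, ok, problem) in check_enctypes(SAMPLE).items():
        print(f"{key}: requested={req} usable={ok} -> {problem or 'ok'}")
```
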




