krb1.2.3 on win2k using win2k active directory

David Bailey D.Bailey at Bristol.ac.uk
Tue Mar 19 07:01:04 EST 2002 

Aha,

That fixed it. You do indeed have to set the "Use DES encryption types for
this account" option.

Cheers,
    Dave

""Danilo Almeida"" <dalmeida at mit.edu> wrote in message
news:001c01c1ceb5$d6c10160$1b011212 at mit.edu...
> I don't recall...  do you have to set "Use DES encryption types for this
> account" for the user in AD?  (It seems that you don't when you have a
> cross-realm trust to an Kerberos realm, but I do not know otherwise.)
>
> - Danilo
>
> -----Original Message-----
> From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU] On Behalf
> Of David Bailey
> Sent: Monday, March 18, 2002 12:17 PM
> To: kerberos at mit.edu
> Subject: Re: krb1.2.3 on win2k using win2k active directory
>
> Hi,
>
> I've read the MS whitepaper. The supported encryption types are claimed
> to
> be des-cbc-md5 and des-cbc-crc. I've set the default encryption type to
> both
> (separately and together) with the same results as before.
>
> Still stumped...
>
> Cheers,
>     Dave
>
> ""Booker C. Bense"" <bbense at networking.stanford.edu> wrote in message
> news:Pine.GSO.4.44.0203180638270.27411-100000 at shred.stanford.edu...
> > On Mon, 18 Mar 2002, David Bailey wrote:
> >
>
> [snipped for readability]
>
> > - This has nothing to do with a keytab. It's saying that you are
> > asking for a kind of key that the KDC doesn't support. There is
> > some mismatch in the configuration between your client and the KDC.
> >
> > - This is just a total guess, but it may be that you're asking for
> > a triple DES key. I have no idea if the W2K KDC supports that or
> > not.
> >
> > - You can control the kind of key you ask for on the MIT client
> > side by using the libdefaults options
> >
> >     default_tgs_enctypes  = des-cbc-crc
> >     default_tkt_enctypes  = des-cbc-crc
> >
> > - That's what works here, I suggest you read the MS white paper on
> > kerberos interoperablity for all the available options.
> >
> > - Booker C. Bense
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list