krb1.2.3 on win2k using win2k active directory

Salil D me_extra at unisys.com
Tue Mar 19 13:17:09 EST 2002


My setup is working without this flag set for an account.
This flag is only required for service accounts which can only handle DES.
When a client makes a request for a service ticket for such a service, using
TGS-Exchange, the Win2K KDC generates a DES service ticket if this flag is
set.

This will also fail for the users who have not changed their passwords after
their domain was moved from an NT server to a Win2K server as the KDC does not
have the keying material for the DES key.

You should check the LAN trace and verify the etype list in the AS-Request.

Salil
"Danilo Almeida" <dalmeida at mit.edu> wrote in message
news:002d01c1cf5f$458dd3d0$1b011212 at mit.edu...
> > That fixed it. You do indeed have to set the "Use DES encryption
> > types for this account" option.
>
> The funny thing is that the "Use DES encryption types for this account"
> setting is apparently not needed when you have a cross-realm to an MIT
> realm.  (i.e., I can still kinit to an account that's only in AD and get
> a des-cbc-crc TGT.)
>
> - Danilo
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>
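
The etype list check suggested in the message above can be done directly on the Kerberos bytes taken from a trace. The Python below is an added example, not part of the original thread. It assumes the input is the raw Kerberos message (the UDP port 88 payload, or the TCP payload after its 4-byte length prefix). The function names and the `sample_as_req` builder, with its realm, time and nonce values, are constructed for illustration.

```python
# Added example (not from the thread): list the etypes a client offers in an AS-REQ.
DES_ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def as_req_etypes(packet):
    """Return the etype list, in the client's preference order."""
    tag, outer, _ = read_tlv(packet)
    if tag != 0x6A:                         # [APPLICATION 10] marks an AS-REQ
        raise ValueError("not an AS-REQ")
    _, kdc_req, _ = read_tlv(outer)         # KDC-REQ SEQUENCE
    _, req_body, _ = read_tlv(dict(children(kdc_req))[0xA4])   # [4] req-body
    _, seq, _ = read_tlv(dict(children(req_body))[0xA8])       # [8] etype
    return [int.from_bytes(v, "big", signed=True) for _, v in children(seq)]

def des_etypes_offered(packet):
    """Names of the single-DES etypes in the request (empty list = none)."""
    return [DES_ETYPES[e] for e in as_req_etypes(packet) if e in DES_ETYPES]

def tlv(tag, value):                        # short-form DER encoder, sample data only
    return bytes([tag, len(value)]) + value

def sample_as_req(etypes):
    """Constructed, minimal AS-REQ (no padata, cname or sname) for the demo."""
    ints = b"".join(tlv(0x02, bytes([e])) for e in etypes)
    body = (tlv(0xA0, tlv(0x03, bytes(5)))                  # kdc-options
            + tlv(0xA2, tlv(0x1B, b"EXAMPLE.COM"))          # realm
            + tlv(0xA5, tlv(0x18, b"20370913024805Z"))      # till
            + tlv(0xA7, tlv(0x02, b"\x12\x34\x56\x78"))     # nonce
            + tlv(0xA8, tlv(0x30, ints)))                   # etype list
    req = tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0a"))  # pvno 5, msg-type 10
    return tlv(0x6A, tlv(0x30, req + tlv(0xA4, tlv(0x30, body))))
```

Etype 23 is rc4-hmac, so `as_req_etypes(sample_as_req([23, 3, 1]))` describes a client that prefers RC4 but still offers two DES types.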




