MD5 tickets and Windows 2000

[Nathan Ward]

I have got my Windows 2000 machines authenticating with my MIT KRB5 KDC. At present it is using des-cbc-crc.
The Microsoft site tells me that des-cbc-md5 can be used also, has anybody had any experience with this?  Any pointers?

I tried making all my principles have des-cbc-md5 tipes only, but it doesn't work, telling mu additional pre-auth is needed. The principles all seem to have a flag requiring additional preauth.
Is this because they are different types from the master key type (can only be des3-hmac-sha1 and des-cbc-crc iirc)?
How can I fix this?

Is there much security implication with des-cbc-crc vs des-cbc-md5?  Do encryption types matter that much?


Nathan Ward.