More on enctypes vs. VPN

John Hascall john at
Sun Oct 12 11:39:47 EDT 2003

Thanks all for the help in getting me this far.
(by using:
   supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm \
                        des-cbc-md5:onlyrealm des-cbc-crc:v4
in my kdc.conf).

Now, in my kdc.log I'm seeing these requests from the VPN server:

Oct 10 06:59:35 krb5kdc[9196](info): \
AS_REQ (7 etypes {3 1 2 16 8 23 0}) \
ISSUE: authtime 1065787175, etypes {rep=3 tkt=1 ses=1}, \
janeuser at IASTATE.EDU for krbtgt/IASTATE.EDU at IASTATE.EDU

I assume the 'AS_REQ (7 etypes ...' means it will accept keys with any
of those 7 enctypes.  (I have no idea what enctype 23 is as it is not
in krb5.h but I'll assume that is unimportant.)

The reply 'ISSUE: ... etypes {rep=3 tkt=1 ses=1}' is not something
I understand completely though (and it seems to be unacceptable
to the VPN).

I assume that means that:
   * the reply itself is encrypted using  ENCTYPE_DES_CBC_MD5(#3),
   * the ticket inside the reply is using ENCTYPE_DES_CBC_CRC(#1),
   * as is the session key

How is it decided what enctype is used for the
reply, ticket, and session key?

Is it a reasonable guess that the VPN wants the tkt to be enctype#3 too?

If so, how to make this happen?
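
Added example, not part of the original post: a small Python parser that decodes the enctype numbers in a krb5kdc log entry like the one quoted above into names and flags weak enctypes among those issued. The enctype names follow current MIT krb5 naming (23 is arcfour-hmac, i.e. RC4-HMAC); the function names, the WEAK policy set and the sample line are assumptions of this example.

```python
import re

# Enctype numbers -> names, following current MIT krb5 naming.
ETYPES = {
    0: "null",
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    8: "des-hmac-sha1",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Policy set chosen for this example: null, single DES and RC4.
WEAK = {0, 1, 2, 3, 8, 23}

REQ_RE = re.compile(r"(AS_REQ|TGS_REQ) \((\d+) etypes \{([\d ]+)\}\)")
ISSUE_RE = re.compile(r"ISSUE: .*?etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")

def name(n):
    return ETYPES.get(n, f"unknown({n})")

def parse_kdc_line(line):
    """Return requested and issued enctypes from one krb5kdc log line, or None."""
    req = REQ_RE.search(line)
    iss = ISSUE_RE.search(line)
    if not req or not iss:
        return None
    requested = [int(x) for x in req.group(3).split()]
    rep, tkt, ses = (int(iss.group(i)) for i in (1, 2, 3))
    return {
        "type": req.group(1),
        "requested": [name(n) for n in requested],
        "reply": name(rep),      # key type that encrypts the reply to the client
        "ticket": name(tkt),     # key type that encrypts the ticket itself
        "session": name(ses),    # session key type carried in the ticket
        "session_was_requested": ses in requested,
        "weak_issued": sorted({name(n) for n in (rep, tkt, ses) if n in WEAK}),
    }

# Constructed sample: the log entry from the post with line continuations joined.
SAMPLE = ("Oct 10 06:59:35 krb5kdc[9196](info): AS_REQ (7 etypes {3 1 2 16 8 23 0}) "
          "ISSUE: authtime 1065787175, etypes {rep=3 tkt=1 ses=1}, "
          "janeuser at IASTATE.EDU for krbtgt/IASTATE.EDU at IASTATE.EDU")

if __name__ == "__main__":
    for key, value in parse_kdc_line(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over a whole kdc.log, the weak_issued field gives a quick inventory of which clients are still being issued DES or RC4 keys.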

