Getting a DES-encrypted TGT from AD server
Tim Alsop
Tim.Alsop at CyberSafe.Ltd.UK
Tue Oct 14 15:47:14 EDT 2003
The actual issue is not on the intiial tgt, but on the tgt obtained when the
initial tgt is forwarded. Perhaps the diagram below will help :
Workstation ---> Server running IIS + GSS initiator --> GSS acceptor service
On the Workstation we have IE configured for Kerberos authentication. The
user logs in and is issued with a tgt from AD that uses DES keytype. This is
working as expected because we changed the "Use DES encryption for this
account" in AD.
On IIS we receive the forwarded tgt, but the keytype for the forwarded copy
of the initial tgt seems to be RC4-HMAC and not DES. Our code on the IIS
server is trying to acquire credentials to initiate a security context with
another service. When we do this we get an error 'Key type not recognised'.
If we run the same code that is running on IIS server using the original
initial tgt on the workstation it works as expected, so clearly the keytype
is changed when a forwarded tgt is issued by AD.
"Calimer0" <cryos98 at yahoo.com> wrote in message
news:3e217f40.0310141128.5d00fe23 at posting.google.com...
> Is there any way to force AD server to use only DES encryption type
> for a user? (If this is not the right group for this question, I'd
> appreciate a pointer to a more appropriate forum.)
follow this path:
Start --> Programs --> Administrative Tools --> Active Directory Users
and Computers
Select Properties of the user you want change, then select Account
tab. In Account options check "Use DES encryption for this account".
Consider that this option is used tipically for non-Windows Kerberos
principals.
Hope will work.
Mark
More information about the Kerberos
mailing list