Getting a DES-encrypted TGT from AD server

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Tue Oct 14 15:47:14 EDT 2003

The actual issue is not on the intiial tgt, but on the tgt obtained when the
initial tgt is forwarded. Perhaps the diagram below will help :

Workstation ---> Server running IIS + GSS initiator --> GSS acceptor service

On the Workstation we have IE configured for Kerberos authentication. The
user logs in and is issued with a tgt from AD that uses DES keytype. This is
working as expected because we changed the "Use DES encryption for this
account" in AD.

On IIS we receive the forwarded tgt, but the keytype for the forwarded copy
of the initial tgt seems to be RC4-HMAC and not DES. Our code on the IIS
server is trying to acquire credentials to initiate a security context with
another service. When we do this we get an error 'Key type not recognised'.

If we run the same code that is running on IIS server using the original
initial tgt on the workstation it works as expected, so clearly the keytype
is changed when a forwarded tgt is issued by AD.

"Calimer0" <cryos98 at> wrote in message
news:3e217f40.0310141128.5d00fe23 at
> Is there any way to force AD server to use only DES encryption type
> for a user? (If this is not the right group for this question, I'd
> appreciate a pointer to a more appropriate forum.)

follow this path:
Start --> Programs --> Administrative Tools --> Active Directory Users
and Computers

Select Properties of the user you want change, then select Account
tab. In Account options check "Use DES encryption for this account".
Consider that this option is used tipically for non-Windows Kerberos
Hope will work.


More information about the Kerberos mailing list