Getting a DES-encrypted TGT from AD server

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Sat Oct 18 03:43:06 EDT 2003


Thankyou. We are aware of this setting and we were already using this. The initial tgt is indeed DES-CBC, but the problem we have is with the forwarded tgt. How can we make the forwarded tgt not use RC4 ?

Thanks, Tim. 

-----Original Message-----
From: Actually davidchr [mailto:davespam at] 
Sent: 17 October 2003 22:35
To: Tim Alsop; kerberos at MIT.EDU
Subject: RE: Getting a DES-encrypted TGT from AD server

You can prevent Windows from issuing RC4 tickets by doing the following:
1. set UF_USE_DES_KEY_ONLY on the accounts involved
2. change the accounts' passwords (to the same password, if you like)

You can set this flag through the MMC Users and Computers snapin...
Under Account, it's a "Use DES for encryption" checkbox that you have to
scroll down a bit to get to, IIRC.

With this, the Windows KDC will only issue DES-CRC or DES-MD5 tickets.

This message is provided "AS IS" with no warranties, and confers no
This message may originate from an unmonitored alias ("davespam") for
spam-reduction purposes.  Use "davidchr" for individual replies.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
This message originates in the State of Washington (USA), where
unsolicited commercial email is legally actionable (see
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.

> -----Original Message-----
> From: kerberos-bounces at MIT.EDU 
> [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Tim Alsop
> Sent: Thursday, October 16, 2003 4:31 AM
> To: kerberos at MIT.EDU
> Subject: Re: Getting a DES-encrypted TGT from AD server
> Calimer,
> Thankyou. We have been using kerbtray. I am pleased that you 
> are able to see
> same problem, but was hoping you (or somebody else) could give us a
> solution. I am aware that there are some registry hacks 
> available from MS to
> change the behaiviour of Kerberos, so I wondered if such a 
> registry key
> existed to cause forwarded tgt to be issued using same key 
> types as the
> initial tgt. Also, if we could disable rc4 on Active 
> Directory somehow this
> might help us.
> Tim.
> "Calimer0" <cryos98 at> wrote in message
> news:3e217f40.0310160320.4b454995 at
> > The actual issue is not on the intiial tgt, but on the tgt 
> obtained when
> the
> > initial tgt is forwarded.
> > On IIS we receive the forwarded tgt, but the keytype for 
> the forwarded
> copy
> > of the initial tgt seems to be RC4-HMAC and not DES.
> I've tried in my little test network and I've got the same strange
> behaviour: the forwarded ticket granting ticket is encrypted with RC4,
> even if the session key in still encrypted with DES. Sorry, I'm not
> able to help you.  Just a little tip: if you need to know what tickets
> are in your credential cache you can use kerbtray or a network sniffer
> like ethereal.
> you can find kerbtray from microsoft here:
> sting/kerbtray-o.asp
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list