etype 23 on klist -e output when using Windows 2003 KDC to unix

Sam Hartman hartmans at MIT.EDU
Wed Oct 22 12:28:51 EDT 2003

>>>>> "Tim" == Tim Clarke <tim.clarke at> writes:

    Tim> How do I change the tkt etype to be DES-CBC-CRC

You don't.  Or at least a reasonable Kerberos implementation does not
allow the client to influence the tkt enctype.  If it does, then the
client may force the KDC to use a ticket key that is weaker or easier
to attack.

Microsoft's implementation may expose this, but if it does it is only
for interoperability with broken Kerberos environments.
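
The following is an added example, not part of the original message and not MIT or Microsoft code. It is a simplified model of the point in the reply: the client's etype list affects the session key, while the ticket is encrypted in a key the KDC chooses from the service's long-term keys. The KDC preference order, the honor_client_for_ticket switch and the sample key sets are assumptions made for illustration.

```python
# Simplified model of how a KDC picks enctypes (constructed for illustration;
# not MIT's or Microsoft's code). Numbers are the assigned Kerberos etype values.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

# Assumed KDC policy for this model: permitted enctypes, strongest first.
KDC_PREFERENCE = [23, 3, 1]


class EtypeNoSupp(Exception):
    """Stands in for KDC_ERR_ETYPE_NOSUPP."""


def issue_ticket(client_etypes, service_key_etypes, honor_client_for_ticket=False):
    """Return (session_key_etype, ticket_etype) for one request.

    client_etypes           etype list from the request, in the client's order
    service_key_etypes      enctypes of the service principal's long-term keys
    honor_client_for_ticket hypothetical switch modelling the unsafe behaviour
    """
    # Session key: the client must be able to use it, so its list applies here.
    skey = next((e for e in client_etypes if e in KDC_PREFERENCE), None)
    if skey is None:
        raise EtypeNoSupp("no requested enctype is permitted by the KDC")

    # Ticket: encrypted in the service's long-term key; the client never
    # decrypts it, so the KDC alone picks the strongest key the service has.
    service_usable = [e for e in KDC_PREFERENCE if e in service_key_etypes]
    if not service_usable:
        raise EtypeNoSupp("service principal has no permitted key")
    tkt = service_usable[0]

    if honor_client_for_ticket:
        # Unsafe variant: the request narrows the ticket key choice, so a
        # client listing only DES gets a DES-protected ticket.
        narrowed = [e for e in client_etypes if e in service_usable]
        tkt = narrowed[0] if narrowed else tkt
    return skey, tkt


def describe(pair):
    skey, tkt = pair
    return f"Etype (skey, tkt): {ETYPE_NAMES[skey]}, {ETYPE_NAMES[tkt]}"


if __name__ == "__main__":
    service_keys = {1, 23}          # constructed: service has DES and RC4 keys
    print(describe(issue_ticket([1], service_keys)))
    print(describe(issue_ticket([1], service_keys, honor_client_for_ticket=True)))
```

In the safe path a DES-only request still yields a ticket under etype 23; only the hypothetical unsafe switch lets the request pull the ticket key down to DES.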

