Antwort: Re: Encryption types [Virus checked]

Wyllys Ingersoll wyllys.ingersoll at sun.com
Mon Apr 12 08:19:38 EDT 2004


Sam Hartman wrote:
>>>>>>"denis" == denis havlik <denis.havlik at t-mobile.at> writes:
> 
> 
>     >> Make sure that the service principals in the KDC do not contain
>     >> any enctypes other than DES-CBC-CRC or DES-CBC-MD5.  Java
>     >> cannot handle them.
> 
>     denis> Don't understand this. Aren't client programs supposed to
>     denis> choose the encryption types they do understand out of the
>     denis> types that are offered by KDC, and negotiate the strongest
>     denis> encryption supported by both KDC and the client program?
> 
> Not quite.  The KDC chooses the strongest encryption type
> from those offered by the client and those supported by the service
> for which a ticket is being issued.
> 
> But that still leaves both of us confused about why using Java as a
> client would influence the choice of enctypes for the server.


Unfortunately, the Kerberos implementation in Java only supports single DES
enctypes, so that is why they are recommending setting those flags
in AD, so that the Java client will get tickets with an enctype that
they can use.

-Wyllys


