AD MIT Interoperability rc4-hmac

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Feb 18 01:49:00 EST 2004


rousset wrote:
> Hello,
> 
> I have established a trust relationship between Active Directory and MIT 
> Kerberos realm, mapped principals, and can successfully logon to a Win2k 
> workstation using a Kerberos principal. This is right with attribute 
> "PRE-AUTH required" enabled and encryption des-cbc-crc, or md5.
> But I'd like to set rc4-hmac as default encryption on MIT principals.
> It fails with "Additional Pre-authentication required" log on MIT's 
> side if pre-auth is enabled
> (Works if pre-auth disabled)

I have verified with Microsoft that the default configuration of Windows 
2003 does not allow the use of RC4-HMAC with MIT KDC Trust 
relationships.  There is functionality to support this mode of operation;
unfortunately, there are no tools available to allow you to enable it.

I have obtained the necessary information to construct a tool to enable
RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
build one in the next day or two for inclusion within the final release
of KfW 2.6.  At the very least this tool will allow you to specify an
MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.

Jeffrey Altman
KfW Maintainer

