AD MIT Interoperability rc4-hmac
Alberto Patino
jalbertop at aranea.com.mx
Wed Feb 18 19:44:11 EST 2004
On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
> rousset wrote:
> > Hello,
> >
> > I have established a trust relationship between Active Directory and MIT
> > Kerberos realm, mapped principals, and can successfully logon to a Win2k
> > workstation using a Kerberos principal. This is right with attribute
> > "PRE-AUTH required" enabled and encryption des-cbc-crc, or md5.
> > But I'd like to set rc4-hmac as default encryption on MIT principals.
> > It fails with "Additional Pre-authentication required" log on MIT's
> > side if pre-auth is enabled
> > (Works if pre-auth is disabled)
>
> I have verified with Microsoft that the default configuration of Windows
> 2003 does not allow the use of RC4-HMAC with MIT KDC Trust
> relationships. There is functionality to support this mode of operation;
> unfortunately, there are no tools available to allow you to enable it.
>
I thought that the inclusion of support for rc4-hmac encryption types in
KDC servers (MIT & Heimdal) was aimed to avoid the use of
not-very-secure des-cbc-md5 and des-cbc-crc enc-types when you want to
interoperate between Windows and non-Windows Kerberos realms.
> I have obtained the necessary information to construct a tool to enable
> RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
> build one in the next day or two for inclusion within the final release
> of KfW 2.6. At the very least this tool will allow you to specify a
> MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.
>
Will this tool work with Heimdal too?
> Jeffrey Altman
> KfW Maintainer
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos