AD MIT Interoperability rc4-hmac
Jeffrey Altman
jaltman at columbia.edu
Wed Feb 18 23:58:25 EST 2004
Alberto Patino wrote:
> On Wed, 2004-02-18 at 00:49, Jeffrey Altman wrote:
>
>>I have verified with Microsoft that the default configuration of Windows
>>2003 does not allow the use of RC4-HMAC with MIT KDC Trust
>>relationships. There is functionality to support this mode of operation;
>>unfortunately there are no tools available to allow you to enable it.
>>
>
> I thought that the inclusion of support for rc4-hmac encryption types in
> KDC servers (MIT & Heimdal) was aimed to avoid the use of
> not-very-secure des-cbc-md5 and des-cbc-crc enc-types when you want
> to interoperate between Windows and non-Windows Kerberos realms.

The use of RC4-HMAC at present can only be used to obtain TGT and
Service Tickets. It cannot be used for Cross Realm Trusts.

>>I have obtained the necessary information to construct a tool to enable
>>RC4-HMAC support for MIT KDC Trust relationships and will endeavor to
>>build one in the next day or two for inclusion within the final release
>>of KfW 2.6. At the very least this tool will allow you to specify a
>>MIT Realm Name and allow the RC4-HMAC flag to be toggled on or off.
>>
>
> Will this tool work with Heimdal too?

As the tool affects the Windows 2003 Server LSA configuration, it should
allow RC4-HMAC cross realm trusts to be configured with any non-MS KDC.
(Assuming I can get it to work.)

Jeffrey Altman
KfW Maintainer