encryption type used by windows client for AS-REQ & default_tgs_enctypes, default_tkt_enctypes

Lara Adianto m1r4cle_26 at yahoo.com
Mon Jun 7 05:23:48 EDT 2004


> In fact, MIT Kerberos 1.3 and higher does support RC4-HMAC.
> MIT Kerberos supports the broadest possible set of enctypes
> available to ensure interoperability with other implementations.
>
Thank you for the reply Jeffrey.

So, can I conclude that the encryption types that are
compatible with Windows Kerberos for the current
release of Kerberos are RC4-HMAC, DES-CBC-CRC and
DES-CBC-MD5?

Anyway, I'm still clueless about which encryption type will
be used by the Windows client to encrypt the
preauthentication data included in the AS-REQ.
I believe that at that point, the client doesn't know
the encryption type that the KDC used to generate its key,
so how does it know which encryption key to use to
encrypt the preauth-data?

Another doubt is the default_tgs_enctypes and
default_tkt_enctypes entries in /etc/krb5.conf,
which according to the step-by-step guide to Kerberos 5
interoperability should be set to des-cbc-crc or
des-cbc-md5. I can't find the usefulness of those two
entries for processing AS-REQ or TGS-REQ, though when I
don't specify them in krb5.conf, authentication will
fail. I've read the explanation about the two entries
in the man page of krb5.conf, but I still can't see the
point of setting them for processing AS-REQ and
TGS-REQ. To me, setting permitted_enctypes makes more
sense, but from my observation, the authentication
still works even though I don't set permitted_enctypes.

Can somebody shed some light on these matters?

regards,
lara


=====
------------------------------------------------------------------------------------ 
Life, you see, is never as good or as bad as one believes
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
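
An added example, not part of the original message: a small audit of the three `[libdefaults]` enctype settings the message discusses, run over a constructed krb5.conf. The realm name and the `LEGACY` set are assumptions of this example; treating DES and RC4-HMAC as legacy follows RFC 6649 and RFC 8429, which postdate the thread.

```python
import re

# Names from the thread plus MIT aliases; legacy per RFC 6649 (DES), RFC 8429 (RC4).
LEGACY = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the DES-only setup the message describes.
SAMPLE = """\
[libdefaults]
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des-cbc-crc, des-cbc-md5
    # permitted_enctypes left unset, as in the message

[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

def libdefaults_enctypes(text):
    """Return {key: [enctypes] or None} for the three [libdefaults] settings."""
    found = dict.fromkeys(KEYS)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in found:
            # Lists may be delimited with commas or whitespace.
            found[key] = re.split(r"[,\s]+", value.lower())
    return found

def audit(text):
    """List (key, finding) pairs: unset keys and keys allowing only legacy types."""
    findings = []
    for key, types in libdefaults_enctypes(text).items():
        if types is None:
            findings.append((key, "unset: library defaults apply"))
        elif all(t in LEGACY for t in types):
            findings.append((key, "legacy only: " + " ".join(types)))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```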
