encryption type used by windows client for AS-REQ & default_tgs_enctypes,

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jun 7 11:34:22 EDT 2004

Lara Adianto wrote:

>>In fact, MIT Kerberos 1.3 and higher does support
>>MIT Kerberos supports the broadest possible set of
>>available to ensure interoperability with other
> Thank you for the reply Jeffrey.
> So, can I conclude that the encryption types that are
> compatible with Windows Kerberos for the current
> release of kerberos are RC4-HMAC, DES-CBC-CRC and

That is the list of enctypes which are common to both Windows
and MIT Kerberos.

> Anyway, I'm still clueless which encryption type will
> be used by windows client to encrypt the
> preauthentication data included in the AS-REQ....
> I believe that at that point, the client doesn't know
> the encryption type that KDC used to generate its key,
> so how does it know which encryption key used to
> encrypt the preauth-data ?

The KDC tells the client which enctype to use as part of
the KRB_ERROR message which is sent in response to an attempt
to use a non-supported pre-auth mechanism or no pre-auth
mechanism at all.

If the authenticating principal is configured in Active Directory
to "Use DES" then the requested enctype will be DES-CBC-MD5.  If
the "Use DES" flag is off, then the requested enctype will be RC4-HMAC.

> Another doubt is the default_tgs_enctypes and
> default_tkt_enctypes entries in the /etc/krb5.conf,
> which according to step by step guide to kerberos 5
> interoperability should be set to des-cbc-crc or
> des-cbc-md5. I can't find the usefulness of those two
> entries for processing AS-REQ or TGS-REQ though when I
> don't specify them in krb5.conf, authentication will
> fail. I've read the explanation about the two entries
> in the man page of krb5.conf but I still can't see the
> point of setting them for processing AS-REQ and
> TGS-REQ. To me, setting permitted_enctypes makes more
> sense, but from my observation, the authentication
> still works though I don't set the permitted_enctypes.

There is no reason that you should be setting any of these
values.  The default values will work out of the box.
Microsoft's documentation is dated.  It was written against
MIT Kerberos 5 release 1.1 and Windows 2000 without service
packs.  Much has changed since then.

> Can somebody shed some light on these matters?
> regards,
> lara
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
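
The negotiation Jeffrey describes (client sends an AS-REQ with the enctypes from default_tkt_enctypes, the KDC answers with a KRB_ERROR naming the enctype of the principal's key, the client retries with encrypted-timestamp pre-auth in that enctype) as an added illustration that is not part of the thread; it is a plain-dict model with no real Kerberos crypto or ASN.1, and the "lara"/"EXAMPLE.COM" names are made up.

```python
# Added illustration (not from the thread): a simplified model of the AS-REQ
# pre-authentication enctype negotiation. No real Kerberos crypto or ASN.1;
# messages are plain dicts, and the numeric constants are the RFC 4120 /
# RFC 3961 / RFC 4757 assignments.

# Enctype numbers (RFC 3961 for DES, RFC 4757 for RC4-HMAC).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC = 1, 3, 23
ETYPE_NAMES = {DES_CBC_CRC: "des-cbc-crc", DES_CBC_MD5: "des-cbc-md5",
               RC4_HMAC: "rc4-hmac"}

# Error codes and padata types from RFC 4120.
KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2
PA_ETYPE_INFO = 11

def as_req(client, realm, etypes, padata=None):
    """Client's AS-REQ; the offered etypes are its default_tkt_enctypes."""
    return {"cname": client, "realm": realm, "etype": list(etypes),
            "padata": padata or []}

def kdc_handle_as_req(req, principal_uses_des):
    """Model of the AD KDC. Without pre-auth it returns KRB_ERROR carrying
    PA-ETYPE-INFO with the enctype of the principal's key ("Use DES" flag
    -> DES-CBC-MD5, otherwise RC4-HMAC). With matching pre-auth -> AS-REP."""
    key_etype = DES_CBC_MD5 if principal_uses_des else RC4_HMAC
    ts = [p for p in req["padata"] if p["type"] == PA_ENC_TIMESTAMP]
    if not ts:
        return {"msg": "KRB_ERROR", "error_code": KDC_ERR_PREAUTH_REQUIRED,
                "e_data": [{"type": PA_ETYPE_INFO, "etype": key_etype}]}
    if ts[0]["etype"] != key_etype:
        return {"msg": "KRB_ERROR", "error_code": KDC_ERR_ETYPE_NOSUPP}
    return {"msg": "AS-REP", "etype": key_etype}

def client_authenticate(client, realm, default_tkt_enctypes, principal_uses_des):
    """Full exchange: AS-REQ without pre-auth, then a retry using the enctype
    the KDC named, provided the client's own enctype list contains it."""
    first = as_req(client, realm, default_tkt_enctypes)
    err = kdc_handle_as_req(first, principal_uses_des)
    if err["msg"] != "KRB_ERROR" or err["error_code"] != KDC_ERR_PREAUTH_REQUIRED:
        return ("failed", err.get("error_code"))
    required = err["e_data"][0]["etype"]
    if required not in default_tkt_enctypes:
        return ("failed", "client lacks " + ETYPE_NAMES.get(required, str(required)))
    pa = [{"type": PA_ENC_TIMESTAMP, "etype": required, "cipher": b"<enc-ts>"}]
    rep = kdc_handle_as_req(as_req(client, realm, default_tkt_enctypes, pa),
                            principal_uses_des)
    return (rep["msg"], ETYPE_NAMES[rep["etype"]])

if __name__ == "__main__":
    print(client_authenticate("lara", "EXAMPLE.COM",
                              [RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC], False))
```

The third case in the test shows the failure mode from the question: a client whose enctype list omits the one the KDC names cannot complete pre-authentication.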
