step by step guide for Windows 2003 Server and MIT Kerberos trust?
Jeffrey Altman
jaltman2 at nyc.rr.com
Wed Jun 9 21:53:35 EDT 2004
Douglas E. Engert wrote:
>
> "D. Schikora" wrote:
>
>>Hello
>>
>>Is there a guide anywhere for Kerberos and Windows 2003 Server? I can only
>>find the old one for W2K and I hope there are some changes between W2K and
>>W2K3.
>
>
>
> Not that I know of. Note that when you use the ktpass command and use the DesOnly
> flag, this is saved in the AD. 2000 will then use an enctype of des-cbc-crc,
> whereas 2003 will use des-cbc-md5 when generating tickets for a server.
> What this means is that you may need to have two keys in a server's keytab if you are
> converting from 2000 to 2003, one for each enctype. They both have the same key and
> kvno but different enctypes.
>
> (Microsoft should have had two flags.)

The change in Windows 2003 was not to use DES-CBC-MD5 instead of
DES-CBC-CRC. The change was to use the stronger encryption type
requested by the client instead of the first encryption type requested
by the client. If the client removes DES-CBC-MD5 from the
permitted_enctypes list, Windows 2003 will issue a DES-CBC-CRC ticket.

Jeffrey Altman
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
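
Added example (not part of the original thread): a Python check for the situation discussed above, where a service keytab may need both a des-cbc-crc and a des-cbc-md5 entry under the same kvno. It assumes the MIT keytab file format version 0x0502; the function names and the sample principal are hypothetical, and the sample keytab bytes are constructed.

```python
import struct
from collections import defaultdict
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}  # enctype numbers from RFC 3961

def _counted(buf, off):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Yield (principal, kvno, enctype, key) for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, off)
        key, off = _counted(entry, off + 11)
        if len(entry) - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        yield "/".join(comps) + "@" + realm.decode(), kvno, etype, key

def missing_enctypes(data, wanted=(1, 3)):
    """Map (principal, kvno) -> names of wanted enctypes absent from the keytab."""
    seen = defaultdict(dict)
    for princ, kvno, etype, key in parse_keytab(data):
        seen[(princ, kvno)][etype] = key
    return {ident: miss for ident, keys in seen.items()
            if (miss := [ENCTYPES[e] for e in wanted if e not in keys])}

def make_entry(princ, realm, kvno, etype, key):  # builds constructed sample input only
    body = struct.pack(">H", len(princ))
    for s in [realm] + princ:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: a keytab holding only the des-cbc-crc entry for one service.
SAMPLE = b"\x05\x02" + make_entry(["host", "srv.example.com"], "EXAMPLE.COM", 3, 1, bytes(8))
```

Calling `missing_enctypes(SAMPLE)` reports that the des-cbc-md5 entry for kvno 3 is absent; an empty result means every principal and kvno pair carries both enctypes.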